Query Details

Device Visualize Remote PowerShell URLs

Query

//Visualize the top 20 remote URLs that your users are connecting to via PowerShell

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
//Exclude system and local service processes as this visualization is user focused
| where InitiatingProcessAccountName !in~ ("system", "local service")
| where InitiatingProcessCommandLine has "powershell"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| summarize Count=count() by RemoteUrl
| where isnotempty(RemoteUrl)
| top 20 by Count
| render barchart with (title="Remote URLs accessed by Powershell")

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceNetworkEvents
| where Timestamp > ago(7d)
//Exclude system and local service processes as this visualization is user focused
| where InitiatingProcessAccountName !in~ ("system", "local service")
| where InitiatingProcessCommandLine has "powershell"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| summarize Count=count() by RemoteUrl
| where isnotempty(RemoteUrl)
| top 20 by Count
//Advanced Hunting does not support barcharts so you can visualize as a piechart or simply remove this line for a table
| render piechart with (title="Remote URLs accessed by Powershell")

Explanation

The query is looking at the top 20 remote URLs that users are connecting to via PowerShell. It filters out system and local service processes, focuses on PowerShell commands, and only includes connections with private local IPs and public remote IPs. It then summarizes the count of connections for each remote URL and visualizes the results as a bar chart or pie chart. The query is run on the M365 Defender - Device* tables for Microsoft Sentinel or with an Advanced Hunting license.
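The same filter, aggregate and top-N pipeline re-implemented offline in Python, as an added example that is not part of the original page or of the author's query. It runs over a handful of constructed DeviceNetworkEvents-style rows (not real telemetry) so the effect of each `where` clause can be seen on concrete data. The `has_term` helper is an approximation of KQL `has` (case-insensitive whole-term match) using a simple alphanumeric tokenizer; the fixed "now" timestamp, account names, command lines and URLs are all assumptions made for the sample.

```python
"""Offline re-implementation of the 'Remote URLs accessed by PowerShell' hunt."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real telemetry). Columns mirror the ones the KQL uses:
# TimeGenerated, InitiatingProcessAccountName, InitiatingProcessCommandLine,
# LocalIPType, RemoteIPType, RemoteUrl.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # assumed query time for ago(7d)
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=1), "jdoe", "powershell.exe -nop -c iwr https://example.net/a",
     "Private", "Public", "example.net"),
    (NOW - timedelta(hours=2), "jdoe", "powershell -enc AAAA",
     "Private", "Public", "example.net"),
    (NOW - timedelta(days=1), "asmith",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Private", "Public", "updates.example.com"),
    # excluded: SYSTEM account (the !in~ list is case-insensitive)
    (NOW - timedelta(days=2), "SYSTEM", "powershell.exe -file C:\\scripts\\inv.ps1",
     "Private", "Public", "telemetry.example.com"),
    # excluded: "Local Service" account
    (NOW - timedelta(days=3), "Local Service", "powershell.exe",
     "Private", "Public", "telemetry.example.com"),
    # excluded: remote side is Private, i.e. an internal destination
    (NOW - timedelta(days=3), "asmith", "powershell.exe",
     "Private", "Private", "fileserver.corp.local"),
    # excluded: not PowerShell at all
    (NOW - timedelta(days=4), "bkhan", "cmd.exe /c curl https://example.org",
     "Private", "Public", "example.org"),
    # excluded: PowerShell 7's pwsh.exe does not contain the term "powershell"
    (NOW - timedelta(days=5), "bkhan", "pwsh.exe -c Invoke-WebRequest",
     "Private", "Public", "example.org"),
    # excluded: empty RemoteUrl
    (NOW - timedelta(days=6), "bkhan", "powershell.exe",
     "Private", "Public", ""),
    # excluded: older than the 7-day lookback
    (NOW - timedelta(days=9), "jdoe", "powershell.exe",
     "Private", "Public", "old.example.net"),
]

# The accounts behind `!in~ ("system", "local service")`, lower-cased for comparison.
EXCLUDED_ACCOUNTS = {"system", "local service"}
_TERM = re.compile(r"[A-Za-z0-9_]+")


def has_term(text: str, term: str) -> bool:
    """Approximates KQL `has`: case-insensitive match on a whole term, not a substring."""
    return term.lower() in (t.lower() for t in _TERM.findall(text))


def top_remote_urls(events, now=NOW, lookback=timedelta(days=7), limit=20):
    """Apply the query's where clauses, count per RemoteUrl, return the top `limit`."""
    counts = Counter()
    for ts, account, cmdline, local_type, remote_type, url in events:
        if not ts > now - lookback:                 # TimeGenerated > ago(7d)
            continue
        if account.lower() in EXCLUDED_ACCOUNTS:    # InitiatingProcessAccountName !in~ (...)
            continue
        if not has_term(cmdline, "powershell"):     # InitiatingProcessCommandLine has "powershell"
            continue
        if local_type != "Private" or remote_type != "Public":
            continue
        if not url:                                 # isnotempty(RemoteUrl)
            continue
        counts[url] += 1
    # `top N by Count`; ties are broken by URL here for determinism (KQL leaves tie order unspecified).
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for url, count in top_remote_urls(SAMPLE_EVENTS):
        print(f"{count:>5}  {url}")
```

Running the module prints the table that the `render` line would chart: `example.net` with 2 connections and `updates.example.com` with 1. The sample rows also make one caveat of the original filter visible: `has "powershell"` matches the term `powershell` (so `powershell.exe` and the full Windows PowerShell path both count) but not `pwsh.exe`, so PowerShell 7 traffic is absent from the visualization unless the filter is widened.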

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,TimeGenerated,InitiatingProcessAccountName,InitiatingProcessCommandLine,LocalIPType,RemoteIPType,RemoteUrl,Count,Timestamp

Operators

where, >, ago, !in~, has, ==, summarize, count(), isnotempty, top, render
