Query Details

Identity Directory Events Unexpected Service Creation

Query

let query_frequency = 1h;   // alert window: only combinations first seen in the last hour are returned
let query_period = 14d;     // baseline window used to decide whether a combination is new
// Build one anchored alternation from the watchlist; each Auxiliar entry is used as a regex fragment
let _ExpectedServiceCommandsRegex = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "ServiceCreation"
    | summarize RegEx = strcat(@"^(", strcat_array(make_list(Auxiliar), "|"), @")$")
);
IdentityDirectoryEvents
| where TimeGenerated > ago(query_period)
| where ActionType == "Service creation"
| extend
    ServiceName = tostring(AdditionalFields["ServiceName"]),
    ServiceCommand = tostring(AdditionalFields["ServiceCommand"]),
    Count = toint(AdditionalFields["Count"])
// Keep only service commands that are not on the expected list
| where not(ServiceCommand matches regex _ExpectedServiceCommandsRegex)
// Earliest occurrence of each combination within the 14-day baseline
| summarize arg_min(TimeGenerated, *) by Protocol, ServiceName, ServiceCommand, AccountName, AccountSid
// Alert only when that first occurrence falls inside the last hour
| where TimeGenerated > ago(query_frequency)
| project
    TimeGenerated,
    Application,
    ActionType,
    Protocol,
    AccountDisplayName,
    AccountUpn,
    AccountSid,
    ServiceName,
    ServiceCommand,
    TargetDeviceName,
    Count,
    AdditionalFields,
    ReportId

Explanation

This KQL query is designed to monitor and identify unusual service creation activities within a specified time frame. Here's a simplified breakdown of what the query does:

  1. Define Time Frames:

    • query_frequency is set to 1 hour, meaning the query will focus on the most recent hour of data.
    • query_period is set to 14 days, which is the overall period the query will examine for historical data.
  2. Expected Commands:

    • It retrieves a list of expected service creation commands from a watchlist named "Activity-ExpectedSignificantActivity" and constructs a regular expression pattern to match these expected commands.
  3. Filter Events:

    • It looks at IdentityDirectoryEvents that occurred within the last 14 days.
    • Filters these events to only include those where the ActionType is "Service creation".
  4. Extract and Filter Data:

    • Extracts ServiceName, ServiceCommand, and Count from the event's AdditionalFields.
    • Keeps only the events whose ServiceCommand does not match the expected-commands pattern, so expected service creations are dropped.
  5. Summarize and Identify:

    • Summarizes the data to keep the earliest occurrence (arg_min on TimeGenerated) of each unique combination of protocol, service name, service command, account name, and account SID.
    • Keeps only those combinations whose earliest occurrence falls within the last hour, i.e. combinations that are new within the 14-day baseline.
  6. Project Results:

    • Selects specific fields to be displayed in the final output, such as the time of the event, application, action type, protocol, account details, service details, target device name, count, additional fields, and report ID.

In essence, this query helps identify potentially suspicious or unexpected service creation activities by comparing them against a predefined list of expected commands and focusing on recent occurrences.
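To show the pipeline above on concrete data, here is an added Python reimplementation of the same logic (not part of the original query page): it builds the anchored regex from constructed watchlist entries, drops expected commands, takes the earliest occurrence per combination over the 14-day window, and alerts only when that first occurrence is within the last hour. All events, account values and watchlist entries are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Auxiliar column of the "Activity-ExpectedSignificantActivity" watchlist.
# As in the query, each entry is used as a regex fragment, so metacharacters must be escaped.
EXPECTED_SERVICE_COMMANDS = [
    r"C:\\Windows\\System32\\svchost\.exe -k netsvcs",
    r"C:\\Program Files\\BackupVendor\\agent\.exe --service",
]

def build_expected_regex(entries):
    """Mirror strcat(@"^(", strcat_array(make_list(Auxiliar), "|"), @")$")."""
    return re.compile("^(" + "|".join(entries) + ")$")

def unexpected_service_creations(events, expected_regex, now,
                                 query_period=timedelta(days=14), query_frequency=timedelta(hours=1)):
    """Same pipeline as the KQL: period filter -> drop expected -> arg_min per key -> recent first-seen."""
    first_seen = {}
    for ev in events:
        if ev["TimeGenerated"] <= now - query_period:      # TimeGenerated > ago(query_period)
            continue
        if ev["ActionType"] != "Service creation":
            continue
        cmd = ev["AdditionalFields"]["ServiceCommand"]
        if expected_regex.search(cmd):                      # not(ServiceCommand matches regex ...)
            continue
        key = (ev["Protocol"], ev["AdditionalFields"]["ServiceName"], cmd, ev["AccountName"], ev["AccountSid"])
        if key not in first_seen or ev["TimeGenerated"] < first_seen[key]["TimeGenerated"]:
            first_seen[key] = ev                            # arg_min(TimeGenerated, *) by key
    # A combination already seen days ago is baseline; only first occurrences in the last hour alert.
    return [ev for ev in first_seen.values() if ev["TimeGenerated"] > now - query_frequency]

NOW = datetime(2025, 4, 16, 12, 0, tzinfo=timezone.utc)

def make_event(minutes_ago, service_name, command, account="svc_deploy"):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "ActionType": "Service creation",
            "Protocol": "Ntlm", "AccountName": account, "AccountSid": "S-1-5-21-0-0-0-1111",
            "AdditionalFields": {"ServiceName": service_name, "ServiceCommand": command, "Count": 1}}

SAMPLE_EVENTS = [  # constructed events
    make_event(20, "netsvcs", r"C:\Windows\System32\svchost.exe -k netsvcs"),     # expected -> dropped
    make_event(10 * 24 * 60, "Updater", r"C:\Users\Public\updater.exe /install"),  # first seen 10 days ago
    make_event(25, "Updater", r"C:\Users\Public\updater.exe /install"),            # repeat -> not new
    make_event(15, "SyncHelper", r"C:\Temp\synchelper.exe /run"),                  # new in last hour -> alert
    make_event(20 * 24 * 60, "OldSvc", r"C:\Temp\old.exe"),                        # outside 14-day period
]

def alerted_service_names(events=SAMPLE_EVENTS, now=NOW):
    regex = build_expected_regex(EXPECTED_SERVICE_COMMANDS)
    return sorted(ev["AdditionalFields"]["ServiceName"] for ev in unexpected_service_creations(events, regex, now))

if __name__ == "__main__":
    print(alerted_service_names())  # ['SyncHelper']
```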

Details

Jose Sebastián Canós

Released: April 16, 2025

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEvents

Operators

let, toscalar, where, summarize, strcat, strcat_array, make_list, extend, tostring, toint, matches regex, arg_min, project