Query Details

Identity Directory Events Unusual PowerShell Execution

Query

let query_frequency = 1h;
let query_period = 14d;
IdentityDirectoryEvents
| where TimeGenerated > ago(query_period)
| where ActionType == "PowerShell execution"
| extend
    IsSuccess = tostring(AdditionalFields["IsSuccess"]),
    Count = toint(AdditionalFields["Count"])
| summarize
    Count = sum(Count),
    arg_min(TimeGenerated, *)
    by Protocol, AccountSid, DeviceName, IPAddress, DestinationDeviceName, IsSuccess
| where TimeGenerated > ago(query_frequency)
| project
    TimeGenerated,
    Timestamp,
    Application,
    ActionType,
    Protocol,
    DeviceName,
    IPAddress,
    AccountDisplayName,
    AccountName,
    AccountUpn,
    AccountSid,
    AccountDomain,
    DestinationDeviceName,
    IsSuccess,
    Count,
    AdditionalFields,
    ReportId

Explanation

This KQL (Kusto Query Language) query is designed to analyze identity directory events related to PowerShell executions over a specified period. Here's a simplified breakdown of what the query does:

  1. Set Parameters:

    • query_frequency is set to 1 hour.
    • query_period is set to 14 days.
  2. Filter Events:

    • It retrieves events from the IdentityDirectoryEvents table where the TimeGenerated is within the last 14 days.
    • It specifically looks for events where the ActionType is "PowerShell execution".
  3. Extract and Convert Fields:

    • It extracts the IsSuccess field from AdditionalFields and converts it to a string.
    • It extracts the Count field from AdditionalFields and converts it to an integer.
  4. Summarize Data:

    • It groups the data by Protocol, AccountSid, DeviceName, IPAddress, DestinationDeviceName, and IsSuccess.
    • For each group, it sums Count across all events and, with arg_min(TimeGenerated, *), keeps the columns of the earliest event, so the group's TimeGenerated is the first time that combination was seen in the 14-day window.
  5. Filter Recent Events:

    • It then keeps only groups whose earliest TimeGenerated is within the last hour. Because that timestamp is the first sighting in 14 days, a combination that has been executing PowerShell for days is dropped and only combinations first observed in the past hour remain; this is what makes the execution "unusual".
  6. Select and Display Fields:

    • Finally, it selects and displays a specific set of fields from the filtered data, including timestamps, account information, device details, and additional fields.

In essence, this query surfaces protocol/account/device/target combinations that executed PowerShell against the directory for the first time in the last hour, measured against a 14-day baseline, together with their success status, aggregated count and related details.
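The grouping and "first seen in the last hour" logic above, replicated in Python over constructed IdentityDirectoryEvents-like records so the baseline behaviour can be checked offline. This is an added example, not code from the original page or from the query's author; the SIDs, host names, IP address and Protocol value are made up.

```python
from datetime import datetime, timedelta, timezone

QUERY_FREQUENCY = timedelta(hours=1)   # let query_frequency = 1h
QUERY_PERIOD = timedelta(days=14)      # let query_period = 14d


def unusual_powershell_execution(events, now):
    """Mirror the KQL: keep 14 days of "PowerShell execution" events, group them
    by the query's `by` columns, sum Count and keep the earliest row (arg_min),
    then return only groups whose earliest row falls inside the last hour."""
    groups = {}
    for ev in events:
        if ev["TimeGenerated"] <= now - QUERY_PERIOD:
            continue  # where TimeGenerated > ago(query_period)
        if ev["ActionType"] != "PowerShell execution":
            continue  # where ActionType == "PowerShell execution"
        extra = ev["AdditionalFields"]
        key = (ev["Protocol"], ev["AccountSid"], ev["DeviceName"], ev["IPAddress"],
               ev["DestinationDeviceName"], str(extra["IsSuccess"]))
        group = groups.setdefault(key, {"Count": 0, "first": ev})
        group["Count"] += int(extra["Count"])  # Count = sum(Count)
        if ev["TimeGenerated"] < group["first"]["TimeGenerated"]:
            group["first"] = ev  # arg_min(TimeGenerated, *)
    # A group survives only if its FIRST sighting within 14 days is in the last hour,
    # i.e. this protocol/account/device/target combination is new to the baseline.
    return [dict(g["first"], IsSuccess=k[5], Count=g["Count"])
            for k, g in groups.items()
            if g["first"]["TimeGenerated"] > now - QUERY_FREQUENCY]


NOW = datetime(2025, 4, 30, 12, 0, tzinfo=timezone.utc)


def make_event(minutes_ago, account_sid, device, success=True, count=1):
    # Constructed IdentityDirectoryEvents-like record; SIDs, hosts and IPs are made up.
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "ActionType": "PowerShell execution", "Protocol": "Kerberos",
            "AccountSid": account_sid, "DeviceName": device, "IPAddress": "10.0.0.10",
            "DestinationDeviceName": "DC01.corp.example",
            "AdditionalFields": {"IsSuccess": success, "Count": count}}


SAMPLE_EVENTS = (
    # Admin workstation has run PowerShell against DC01 daily for two weeks: baseline.
    [make_event(d * 24 * 60 + 30, "S-1-5-21-1000-1104", "ADMIN-WS01") for d in range(14)]
    # FILESRV02 was seen once 15 days ago: outside the window, so it has no baseline.
    + [make_event(15 * 24 * 60, "S-1-5-21-1000-1150", "FILESRV02")]
    # First PowerShell from FILESRV02 inside the last hour, three executions.
    + [make_event(20, "S-1-5-21-1000-1150", "FILESRV02", count=3)]
    # A failed attempt from the same source is its own group because IsSuccess differs.
    + [make_event(25, "S-1-5-21-1000-1150", "FILESRV02", success=False)]
)
```

Running `unusual_powershell_execution(SAMPLE_EVENTS, NOW)` returns the two FILESRV02 groups and drops the admin workstation, whose first sighting is 13 days old.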

Details

Jose Sebastián Canós

Released: April 30, 2025

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEvents, Device, Account, IPAddress, Application

Operators

let, ago, where, ==, extend, tostring, toint, summarize, sum, arg_min, by, project