Query Details

List All Processes Running Under NT AUTHORITY

Query

Use Case: Identifying processes initiated by system accounts for security auditing or anomaly detection.

Query:

Process
| where WindowsUserAccount startswith 'NT AUTHORITY'
| project ProcessId, ProcessName, Path, CommandLine, WindowsUserAccount, StartDateTime

Explanation

This query identifies processes started by built-in system accounts, for security auditing or anomaly detection. It keeps only rows whose Windows user account starts with 'NT AUTHORITY' (this covers NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE and NT AUTHORITY\NETWORK SERVICE; note that KQL's startswith is case-insensitive, so 'nt authority' also matches, while startswith_cs would be the case-sensitive form) and projects the columns of interest: process ID, process name, path, command line, user account, and start date and time.
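As an added example that is not part of the original page, the filter above can be extended for the anomaly-detection use case: group the NT AUTHORITY processes by executable path, count how often each is seen, and flag paths outside the Windows directory, which is where a reviewer usually starts. Column names follow the page's Process table; the 7-day window, the assumption that StartDateTime is a datetime column, and the C:\Windows prefix are illustrative assumptions.

```kql
// Added example, not from the original page: rank NT AUTHORITY processes
// by how often each executable path is seen and flag paths outside the
// Windows directory (the prefix is an assumption for illustration).
let LookBack = 7d;                                  // assumed review window
Process
| where StartDateTime > ago(LookBack)               // assumes a datetime column
| where WindowsUserAccount startswith 'NT AUTHORITY' // case-insensitive match
| extend PathLower = tolower(Path)
| extend OutsideWindowsDir = not(PathLower startswith "c:\\windows\\")
| summarize StartCount = count(),
            FirstSeen = min(StartDateTime),
            LastSeen = max(StartDateTime),
            SampleCommandLine = take_any(CommandLine)
    by WindowsUserAccount, ProcessName, PathLower, OutsideWindowsDir
// Rare paths outside C:\Windows that run as a system account float to the top.
| order by OutsideWindowsDir desc, StartCount asc
```

Known-good third-party services installed under Program Files will also appear as OutsideWindowsDir, so an allowlist of expected paths is the usual next refinement.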

Details


Ugur Koc

Released: February 4, 2024

Tables

Process

Keywords

Process, WindowsUserAccount, StartDateTime

Operators

where, startswith, project
