List All Process That Running Under NT Authority
Query
// Use Case: Identifying processes initiated by system accounts for security auditing or anomaly detection.
Process
| where WindowsUserAccount startswith 'NT AUTHORITY'
| project ProcessId, ProcessName, Path, CommandLine, WindowsUserAccount, StartDateTimeExplanation
This query is designed to help with security auditing or detecting unusual activities by focusing on processes that are started by system accounts. Here's a simple breakdown of what it does:
-
Data Source: It looks at a dataset called "Process," which contains information about various processes running on a system.
-
Filter: It specifically filters out processes that are initiated by system accounts. These accounts are identified by their usernames starting with "NT AUTHORITY."
-
Select Information: For each of these processes, it selects and displays the following details:
ProcessId: The unique identifier for the process.ProcessName: The name of the process.Path: The file path where the process is located.CommandLine: The command line used to start the process.WindowsUserAccount: The account name that started the process.StartDateTime: The date and time when the process was started.
In summary, this query helps identify and examine processes that are started by system-level accounts, which can be useful for monitoring and detecting potential security issues.
Details

Ugur Koc
Released: December 13, 2024
Tables
Keywords
Operators