Show the last 100 Powershell executions from a compromised device
MDE Most Recent Powershell Executions By Compromised Device
Query
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where not(AccountSid == "S-1-5-18") // If you suspect that the system user is compromised, remove this filter.
| where InitiatingProcessFileName == "powershell.exe"
| sort by TimeGenerated
| top 100 by TimeGenerated
| project
TimeGenerated,
DeviceName,
ActionType,
FileName,
ProcessCommandLine,
AccountDomain,
AccountName,
InitiatingProcessCommandLineAbout this query
Show the last 100 Powershell executions from a compromised device
Defender XDR
let CompromisedDevice = "laptop.contoso.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceProcessEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where not(AccountSid == "S-1-5-18") // If you suspect that the system user is compromised, remove this filter.
| where InitiatingProcessFileName == "powershell.exe"
| sort by Timestamp
| top 100 by Timestamp
| project
Timestamp,
DeviceName,
ActionType,
FileName,
ProcessCommandLine,
AccountDomain,
AccountName,
InitiatingProcessCommandLine
Sentinel
Explanation
This query is designed to retrieve the last 100 instances of PowerShell being executed on a specific device that is suspected to be compromised. Here's a simple breakdown of what the query does:
-
Target Device: The query focuses on a device named "laptop.contoso.com", which is believed to be compromised.
-
Time Frame: It looks at events that occurred within the last 48 hours. This time window can be adjusted by changing the
SearchWindowvariable. -
Event Source: It filters events from the
DeviceProcessEventstable, which logs process activities on devices. -
Exclusion of System Account: The query excludes events initiated by the system account (AccountSid "S-1-5-18"), unless there's a suspicion that this account might also be compromised.
-
PowerShell Executions: It specifically looks for processes where the initiating process is "powershell.exe", indicating PowerShell script executions.
-
Sorting and Limiting Results: The results are sorted by the time they were generated, and only the most recent 100 entries are selected.
-
Output Details: The query projects (selects) specific details for each event, including:
- Timestamp of the event
- Device name
- Type of action performed
- Name of the file involved
- Command line used to execute the process
- Domain and name of the account that executed the process
- Command line of the initiating process
This query is useful for security analysts to quickly review recent PowerShell activities on a potentially compromised device, helping them identify suspicious or unauthorized actions.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators