KQL Search

Query Details

HomeAI ToolsDevice Query

MDE Sense Triggers Power Shell Public IP

Query

# MDE - Sense triggers PowerShell with public IP network connection

## Query Information

### Description

This query identifies Device Network connections to public IP addresses from PowerSehll, iniatiated by the MDE Sense Service.

#### References

### Microsoft Sentinel

```kql
DeviceNetworkEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessParentFileName == "SenseIR.exe"
| where RemoteIPType == 'Public'
| extend ScriptPath = extract(@"([a-zA-Z]:\\[^\']+\.ps1)", 1, InitiatingProcessCommandLine)
| extend IPInfo = geo_info_from_ip_address(RemoteIP)
| project TimeGenerated, DeviceId, DeviceName, ScriptPath,InitiatingProcessCommandLine, RemoteIP, IPInfo.country
```

Explanation

This query is designed to identify network connections made from a device to public IP addresses using PowerShell, specifically when initiated by the MDE (Microsoft Defender for Endpoint) Sense Service. Here's a breakdown of what the query does:

  1. Data Source: It looks at DeviceNetworkEvents, which contains records of network activities on devices.

  2. Filter Criteria:

    • It filters events where the process initiating the network connection is powershell.exe.
    • It further narrows down to instances where the parent process of PowerShell is SenseIR.exe, indicating that the connection was initiated by the MDE Sense Service.
    • It only considers connections to public IP addresses.

  3. Data Extraction:

    • It extracts the path of the PowerShell script being executed, if available, from the command line of the initiating process.
    • It retrieves geographical information about the remote IP address to determine the country associated with the IP.

  4. Output:

    • The query outputs the time of the event, device ID, device name, script path, full command line of the initiating process, remote IP address, and the country of the remote IP.

In simple terms, this query helps security analysts identify when PowerShell scripts, triggered by the MDE Sense Service, connect to public IP addresses, providing details about the script and the geographical location of the IP.

Details

Alex Verboon profile picture

Alex Verboon

Released: August 29, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkConnectionsPowerShellMDESenseServiceIPAddresses

Operators

|======extendextractextendgeo_info_from_ip_addressproject

Actions