MDE - Sense triggers PowerShell with public IP network connection
MDE Sense Triggers Power Shell Public IP
Query
DeviceNetworkEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessParentFileName == "SenseIR.exe"
| where RemoteIPType == 'Public'
| extend ScriptPath = extract(@"([a-zA-Z]:\\[^\']+\.ps1)", 1, InitiatingProcessCommandLine)
| extend IPInfo = geo_info_from_ip_address(RemoteIP)
| project TimeGenerated, DeviceId, DeviceName, ScriptPath,InitiatingProcessCommandLine, RemoteIP, IPInfo.countryAbout this query
MDE - Sense triggers PowerShell with public IP network connection
Query Information
Description
This query identifies Device Network connections to public IP addresses from PowerSehll, iniatiated by the MDE Sense Service.
References
Microsoft Sentinel
Explanation
This query is designed to identify network connections made from a device to public IP addresses using PowerShell, specifically when initiated by the MDE (Microsoft Defender for Endpoint) Sense Service. Here's a breakdown of what the query does:
-
Data Source: It looks at
DeviceNetworkEvents, which contains records of network activities on devices. -
Filter Criteria:
- It filters events where the process initiating the network connection is
powershell.exe. - It further narrows down to instances where the parent process of PowerShell is
SenseIR.exe, indicating that the connection was initiated by the MDE Sense Service. - It only considers connections to public IP addresses.
- It filters events where the process initiating the network connection is
-
Data Extraction:
- It extracts the path of the PowerShell script being executed, if available, from the command line of the initiating process.
- It retrieves geographical information about the remote IP address to determine the country associated with the IP.
-
Output:
- The query outputs the time of the event, device ID, device name, script path, full command line of the initiating process, remote IP address, and the country of the remote IP.
In simple terms, this query helps security analysts identify when PowerShell scripts, triggered by the MDE Sense Service, connect to public IP addresses, providing details about the script and the geographical location of the IP.
Details

Alex Verboon
Released: August 29, 2025
Tables
Keywords
Operators