KQL Search

Query Details

HomeAI ToolsDevice Query

Network Setup Proxy

Query

Tags:

Query:
DeviceProcessEvents
| where FileName == @"networksetup" and ProcessCommandLine has_any ("setwebproxy","setsecurewebproxy","setautoproxyurl")

References:
https://github.com/elastic/detection-rules/blob/e9baebc2bc18f90ae16501613cd9521a16a38ad7/rules/macos/credential_access_mitm_localhost_webproxy.toml

Explanation

This KQL (Kusto Query Language) query is designed to search through device process events to identify instances where a specific command related to network configuration is executed. Here's a simple breakdown:

  1. Data Source: The query looks at DeviceProcessEvents, which logs events related to processes running on devices.
  2. File Name Filter: It filters these events to find those where the FileName is "networksetup".
  3. Command Line Filter: It further narrows down the results to events where the ProcessCommandLine contains any of the following terms: "setwebproxy", "setsecurewebproxy", or "setautoproxyurl".

In essence, this query is looking for instances where the "networksetup" command is used to configure web proxies on a device.

Details

Ali Hussein profile picture

Ali Hussein

Released: October 28, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

DeviceProcessEvents|where==@andhas_any

Actions