Query Details

PowerShell Execution

Query

SecurityEvent
| where ProcessName has "powershell.exe" or ProcessName has "powershell_ise.exe"
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, Process, CommandLine, ParentProcessName

Explanation

This query searches the SecurityEvent table for PowerShell activity. It keeps only the events whose ProcessName contains the term "powershell.exe" or "powershell_ise.exe", then projects a fixed set of fields: the time the event was generated, the computer name, the user name and domain of the subject, the process, the command line that was used, and the name of the parent process.
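As an added illustration (not code from the original page or its author), the following Python applies the same where/project logic to a few constructed SecurityEvent-style records. The kql_has helper is an approximation of Kusto's term-based has operator, and all sample events are invented.

```python
import re

# Approximation (an assumption, not Kusto's own code) of KQL `has`: a case-insensitive
# whole-term match. Kusto splits text into terms on non-alphanumeric characters, so
# "powershell.exe" matches "...\v1.0\powershell.exe" but not "mypowershell.exe".
def kql_has(text: str, term: str) -> bool:
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    needle = re.findall(r"[a-z0-9]+", term.lower())
    n = len(needle)
    return any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1))

# Columns kept by the query's `project` clause, in the same order.
PROJECTED = ["TimeGenerated", "Computer", "SubjectUserName", "SubjectDomainName",
             "Process", "CommandLine", "ParentProcessName"]

def powershell_execution(events: list) -> list:
    """Apply the page's where/project logic to SecurityEvent-like dicts."""
    rows = []
    for ev in events:
        name = ev.get("ProcessName", "")
        if kql_has(name, "powershell.exe") or kql_has(name, "powershell_ise.exe"):
            rows.append({col: ev.get(col, "") for col in PROJECTED})
    return rows

# Constructed sample events in the shape of 4688 rows; not real telemetry.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "Computer": "WS01", "EventID": 4688,
     "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process": "powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    # CommandLine is empty when process command-line auditing is not enabled,
    # so the row still matches but tells the analyst nothing about what ran.
    {"TimeGenerated": "2024-01-01T10:05:00Z", "Computer": "WS02", "EventID": 4688,
     "SubjectUserName": "bob", "SubjectDomainName": "CORP",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     "Process": "powershell_ise.exe", "CommandLine": "",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    # Different term, so `has` does not match it (a substring check would).
    {"TimeGenerated": "2024-01-01T10:07:00Z", "Computer": "WS03", "EventID": 4688,
     "SubjectUserName": "carol", "SubjectDomainName": "CORP",
     "ProcessName": r"C:\Tools\mypowershell.exe", "Process": "mypowershell.exe",
     "CommandLine": "mypowershell.exe", "ParentProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for row in powershell_execution(SAMPLE_EVENTS):
        print(row)
```

The second sample row shows why command-line auditing matters for this query: without it the match still fires, but the CommandLine column is blank.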

Details


Rod Trent

Released: November 11, 2020

Tables

SecurityEvent

Keywords

SecurityEvent,ProcessName,powershell.exe,powershell_ise.exe,TimeGenerated,Computer,SubjectUserName,SubjectDomainName,Process,CommandLine,ParentProcessName

Operators

where, has, or, project
