Query Details
SecurityAlert
| where AlertName has "PsExec execution detected" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Computer = tostring(ExtendedProperties["Machine Name"]),
    Account = tostring(ExtendedProperties["Account"]),
    AccountSID = tostring(ExtendedProperties["User SID"]),
    AccountLogonId = tostring(ExtendedProperties["Account Logon Id"]),
    ProcessName = tostring(ExtendedProperties["Process Name"]),
    CommandLine = tostring(ExtendedProperties["Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    AccountLogonIds = make_set(AccountLogonId, 250),
    CommandLines = make_set(CommandLine, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account, AccountSID, ProcessName
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    StartTime,
    EndTime,
    Computer,
    Account,
    AccountSID,
    ProcessName,
    CommandLines,
    AccountLogonIds,
    AlertLinks,
    Tactics,
    Techniques,
    Entities
This query retrieves SecurityAlert rows named "PsExec execution detected", excluding those raised by the "ASI Scheduled Alerts" provider. It parses the ExtendedProperties JSON and extracts the machine name, account, user SID, logon ID, process name and command line into typed columns. It then cleans the Entities field by stripping the serializer's "$id" keys and "$ref" cross-reference objects, leaving only the entity data for todynamic() to parse. Finally, it summarizes the alerts by alert name, severity, description, lowercased resource ID, computer, account, SID and process name, collecting the logon IDs, command lines, alert links (each capped at 250 items) and entities into sets, keeping one value of RemediationSteps, Tactics and Techniques per group, and projects the fields to display.
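To see what the replace_regex line actually does to an alert's Entities payload, here is an added Python example (not part of the original query or its author's work) that applies the same pattern to a constructed payload shaped like Sentinel's "$id"/"$ref" serialization. It also checks that two alerts carrying the same entities under different "$id" numbering clean to identical JSON, which is what lets make_set(todynamic(Entities)) collapse them; the entity values and id numbers are constructed sample data.

```python
import json
import re

# Same pattern the KQL query hands to replace_regex(); Python's re treats the
# escaped punctuation (\, \" \: \{ \} \$) as literals exactly as RE2 does.
ENTITY_REF_PATTERN = re.compile(
    r'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,'
)


def make_sample(base: int) -> str:
    """Constructed Entities payload shaped like Sentinel's $id/$ref output.
    `base` seeds the $id counter so two alerts can carry different numbering."""
    h, a, p, f = (str(base + i) for i in range(4))
    return (
        f'[{{"$id":"{h}","HostName":"srv01","DnsDomain":"contoso.local","Type":"host"}},'
        f'{{"$id":"{a}","Name":"svc-deploy","Host":{{"$ref":"{h}"}},"Type":"account"}},'
        f'{{"$id":"{p}","ProcessId":"4120",'
        f'"ImageFile":{{"$id":"{f}","Name":"psexesvc.exe","Type":"file"}},'
        f'"Host":{{"$ref":"{h}"}},"Account":{{"$ref":"{a}"}},"Type":"process"}}]'
    )


def clean_entities(raw: str) -> str:
    """Mirror the query's replace_regex() step: drop $id keys and $ref objects."""
    return ENTITY_REF_PATTERN.sub("", raw)


def parse_entities(raw: str) -> list:
    """Clean, then parse as todynamic() would; raises if cleaning broke the JSON."""
    return json.loads(clean_entities(raw))


def entity_types(raw: str) -> list:
    """Top-level entity types left after cleaning, in original order."""
    return [e.get("Type", "") for e in parse_entities(raw)]


def distinct_cleaned(raw_payloads: list) -> list:
    """What make_set(todynamic(Entities)) sees: the distinct cleaned payloads."""
    return sorted({clean_entities(r) for r in raw_payloads})


if __name__ == "__main__":
    alert_a, alert_b = make_sample(3), make_sample(7)
    print(clean_entities(alert_a))
    print(entity_types(alert_a))
    # Same entities, different $id numbering: they collapse to one after cleaning.
    print(len(distinct_cleaned([alert_a, alert_b])))
```

Note that the cleaned process entity no longer says which host or account it belonged to; the query recovers those from ExtendedProperties instead.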

Jose Sebastián Canós
Released: March 28, 2023