Security Alert Rare SVCHOST Service Group Executed
Query
SecurityAlert
| where AlertName has "Rare SVCHOST service group executed" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
Account = tostring(ExtendedProperties["user name"]),
AccountSID = tostring(ExtendedProperties["User SID"]),
AccountLogonId = tostring(ExtendedProperties["account logon id"]),
ProcessName = tostring(ExtendedProperties["process name"]),
CommandLine = tostring(ExtendedProperties["command line"]),
ProcessId = tostring(ExtendedProperties["process id"]),
ParentProcess = tostring(ExtendedProperties["parent process"]),
ParentProcessId = tostring(ExtendedProperties["parent process id"]),
ResourceType = tostring(ExtendedProperties["resourceType"]),
Computer = CompromisedEntity
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
AccountLogonIds = make_set(AccountLogonId, 250),
ProcessNames = make_set(ProcessName, 250),
CommandLines = make_set(CommandLine, 250),
ProcessIds = make_set(ProcessId, 250),
ParentProcesses = make_set(ParentProcess, 250),
ParentProcessIds = make_set(ParentProcessId, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account, AccountSID, ResourceType
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
ResourceType,
StartTime,
EndTime,
Computer,
Account,
AccountSID,
AccountLogonIds,
ProcessNames,
CommandLines,
ProcessIds,
ParentProcesses,
ParentProcessIds,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL query is designed to analyze security alerts related to a specific suspicious activity, namely the execution of a rare SVCHOST service group, as detected by Azure Security Center. Here's a simplified breakdown of what the query does:
-
Filter Alerts: It starts by filtering security alerts to only include those with the name "Rare SVCHOST service group executed" and that are provided by Azure Security Center.
-
Summarize Alerts: For each unique alert (identified by
SystemAlertId), it selects the earliest occurrence (arg_min) and extracts various properties from the alert's extended properties, such as user information, process details, and resource type. -
Clean Up Entities: It cleans up the
Entitiesfield by removing certain patterns using regular expressions. -
Aggregate Data: It aggregates the data by alert name, severity, description, and other key fields. During this aggregation, it collects sets of related information like account logon IDs, process names, command lines, and more, ensuring that up to 250 unique values are captured for each set.
-
Select and Project Fields: Finally, it selects and organizes the relevant fields to be displayed in the output, including the time the alert was generated, alert details, remediation steps, and various identifiers and properties related to the alert.
In summary, this query is used to process and organize security alerts about unusual SVCHOST activities, providing a comprehensive view of each alert with detailed information about the involved accounts, processes, and resources.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators