KQL Search

Query Details

HomeAI ToolsDevice Query

Security Alert Rare SVCHOST Service Group Executed

Query

SecurityAlert
| where AlertName has "Rare SVCHOST service group executed" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Account = tostring(ExtendedProperties["user name"]),
    AccountSID = tostring(ExtendedProperties["User SID"]),
    AccountLogonId = tostring(ExtendedProperties["account logon id"]),
    ProcessName = tostring(ExtendedProperties["process name"]),
    CommandLine = tostring(ExtendedProperties["command line"]),
    ProcessId = tostring(ExtendedProperties["process id"]),
    ParentProcess = tostring(ExtendedProperties["parent process"]),
    ParentProcessId = tostring(ExtendedProperties["parent process id"]),
    ResourceType = tostring(ExtendedProperties["resourceType"]),
    Computer = CompromisedEntity
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    AccountLogonIds = make_set(AccountLogonId, 250),
    ProcessNames = make_set(ProcessName, 250),
    CommandLines = make_set(CommandLine, 250),
    ProcessIds = make_set(ProcessId, 250),
    ParentProcesses = make_set(ParentProcess, 250),
    ParentProcessIds = make_set(ParentProcessId, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account, AccountSID, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    Computer,
    Account,
    AccountSID,
    AccountLogonIds,
    ProcessNames,
    CommandLines,
    ProcessIds,
    ParentProcesses,
    ParentProcessIds,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query retrieves security alerts where the alert name contains "Rare SVCHOST service group executed" and the provider name is not "ASI Scheduled Alerts". It then extracts specific properties from the extended properties field and renames them for easier analysis. It also cleans up the entities field by removing unnecessary information. The query then summarizes the data by grouping it based on various properties and selects the relevant fields for further analysis.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 28, 2023

Tables

SecurityAlert

Keywords

SecurityAlert,AlertName,ProviderName,ExtendedProperties,Account,AccountSID,AccountLogonId,ProcessName,CommandLine,ProcessId,ParentProcess,ParentProcessId,ResourceType,CompromisedEntity,Entities,TimeGenerated,StartTime,EndTime,AlertSeverity,Description,ResourceId,RemediationSteps,Computer,AlertLink,Tactics,Techniques

Operators

wherehas!=extendtostringreplace_regexsummarizeminmaxmake_settolowerproject

Actions