Security Event Unusual Service Creation In A Domain Controller
Query
let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
_GetWatchlist("Service-PrivateCorporateServices")
| where Service == "DomainController"
| summarize make_list(HostName)
);
let _ExpectedInstalledServiceRegex = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "InstalledService_Regex"
| summarize RegEx = make_set(strcat(ActorPrincipalName, SourceResource, Auxiliar))
| extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 4697 and Computer has_any (_DomainControllers)
| summarize arg_min(TimeGenerated, *) by Computer, Account, ServiceAccount, ServiceFileName, ServiceStartType, ServiceType
| where TimeGenerated > ago(query_frequency)
| where not(strcat(ServiceAccount, ServiceFileName, ServiceName) matches regex _ExpectedInstalledServiceRegex)
| project
TimeGenerated,
Computer,
AccountType,
Account,
Activity,
ServiceAccount,
ServiceName,
ServiceFileName,
ServiceType,
ServiceStartType,
SubjectLogonId,
EventDataExplanation
This KQL query is designed to monitor and identify unexpected service installations on domain controllers within a corporate network. Here's a simplified breakdown of what the query does:
-
Define Timeframes:
query_frequencyis set to 1 hour, meaning the query checks for new data every hour.query_periodis set to 14 days, meaning the query looks at data from the past 14 days.
-
Identify Domain Controllers:
- The query retrieves a list of domain controllers from a watchlist named "Service-PrivateCorporateServices" where the service is marked as "DomainController".
-
Expected Services Regex:
- It constructs a regular expression from another watchlist called "Activity-ExpectedSignificantActivity" to define what installed services are expected. This regex is used to filter out known and expected service installations.
-
Filter Security Events:
- The query looks at security events (specifically Event ID 4697, which indicates a service was installed) that occurred within the last 14 days on the identified domain controllers.
-
Identify New or Unexpected Services:
- It summarizes the earliest occurrence of each service installation event by various attributes like computer, account, service account, etc.
- It then filters these events to only include those that happened in the last hour and do not match the expected services regex.
-
Output Relevant Information:
- Finally, it projects (selects) relevant fields such as the time of the event, computer name, account details, and service information for further analysis or alerting.
In essence, this query helps security teams detect potentially unauthorized or unexpected service installations on domain controllers, which could indicate a security threat or policy violation.
Details

Jose Sebastián Canós
Released: September 18, 2025
Tables
SecurityEvent
Keywords
SecurityEventDomainControllersServiceAccountActivityComputer
Operators
lettoscalarsummarizemake_listwheremake_setstrcatextendagohas_anyarg_minmatchesregexproject