Query Details

Security Event Unusual Service Creation In A Domain Controller

Query

let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
SecurityEvent
| where TimeGenerated > ago(query_period)
| where EventID == 4697 and Computer has_any (_DomainControllers)
| summarize arg_min(TimeGenerated, *) by Computer, Account, ServiceAccount, ServiceFileName, ServiceStartType, ServiceType
| where TimeGenerated > ago(query_frequency)
| project
    TimeGenerated,
    Computer,
    AccountType,
    Account,
    Activity,
    ServiceAccount,
    ServiceName,
    ServiceFileName,
    ServiceType,
    ServiceStartType,
    SubjectLogonId,
    EventData

Explanation

This KQL query is designed to monitor specific security events related to the installation of services on domain controllers within a corporate network. Here's a simplified breakdown of what the query does:

  1. Define Timeframes:

    • query_frequency is set to 1 hour, meaning the query looks for events that occurred within the last hour.
    • query_period is set to 14 days, meaning the query considers data from the last 14 days.
  2. Identify Domain Controllers:

    • The query retrieves a list of domain controllers from a watchlist named "Service-PrivateCorporateServices" where the service type is "DomainController".
  3. Filter Security Events:

    • It searches the SecurityEvent table for events that occurred within the last 14 days (query_period).
    • It specifically looks for events with EventID 4697, which indicates the installation of a service.
    • It further filters these events to include only those that occurred on the identified domain controllers.
  4. Summarize and Filter Recent Events:

    • The query summarizes the data to keep, for each unique combination of computer, account, service account, service file name, service start type, and service type, the earliest event in the 14-day window (arg_min); the * keeps the remaining columns of that earliest event.
    • It then keeps only the combinations whose earliest occurrence falls within the last hour (query_frequency). Because the earliest event is taken over the whole 14-day period, a combination that was already installed earlier in that period is dropped, so only service installations not seen before are reported.
  5. Select Relevant Data:

    • Finally, it projects (selects) specific fields to display: TimeGenerated, Computer, AccountType, Account, Activity, ServiceAccount, ServiceName, ServiceFileName, ServiceType, ServiceStartType, SubjectLogonId, and EventData.

In summary, this query detects and reports service installations on domain controllers that appeared for the first time within the last hour, using the past 14 days as the baseline of what has already been seen.
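To make the first-seen logic concrete, the following is an added Python re-implementation of the query's filtering, run over constructed 4697 events; it is not part of the original page or query. The watchlist columns Service and HostName come from the query; the host names, accounts and file paths are constructed, and has_any is approximated by exact case-insensitive host matching.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 4, 30, 12, 0, tzinfo=timezone.utc)  # constructed query time
QUERY_FREQUENCY = timedelta(hours=1)
QUERY_PERIOD = timedelta(days=14)
KEY = ("Computer", "Account", "ServiceAccount", "ServiceFileName", "ServiceStartType", "ServiceType")  # summarize ... by

WATCHLIST = [  # constructed rows; Service and HostName are the columns the query reads
    {"Service": "DomainController", "HostName": "DC01.corp.example"},
    {"Service": "DomainController", "HostName": "DC02.corp.example"},
]

def ev(age, computer, file, event_id=4697, account="CORP\\svc-patch", name="Agent"):
    # One constructed SecurityEvent row holding only the columns the query touches.
    return {"TimeGenerated": NOW - age, "EventID": event_id, "Computer": computer,
            "Account": account, "ServiceAccount": "LocalSystem", "ServiceName": name,
            "ServiceFileName": file, "ServiceStartType": "auto start",
            "ServiceType": "win32 own process"}

AGENT = "C:\\Program Files\\Agent\\agent.exe"
EVENTS = [
    ev(timedelta(days=10), "DC01.corp.example", AGENT),     # agent first seen 10 days ago
    ev(timedelta(minutes=20), "DC01.corp.example", AGENT),  # reinstalled: already known
    ev(timedelta(minutes=5), "DC02.corp.example", "C:\\Temp\\helper.exe",
       account="CORP\\jdoe", name="HelperSvc"),             # first seen on a DC: reported
    ev(timedelta(minutes=5), "FS01.corp.example", "C:\\Temp\\helper.exe",
       account="CORP\\jdoe", name="HelperSvc"),             # not a DC: ignored
    ev(timedelta(minutes=5), "DC01.corp.example", AGENT, event_id=4624),  # not 4697: ignored
]

def domain_controllers(watchlist):
    # Mirrors the toscalar(... | summarize make_list(HostName)) lookup.
    return [r["HostName"] for r in watchlist if r["Service"] == "DomainController"]

def has_any(computer, hosts):
    # Stand-in for KQL has_any: case-insensitive match; exact host names suffice here.
    return computer.casefold() in {h.casefold() for h in hosts}

def detect(events, watchlist, now=NOW):
    # Earliest 4697 per KEY within 14 days, reported only if that earliest one is within the last hour.
    dcs = domain_controllers(watchlist)
    first_seen = {}
    for e in events:
        if (e["TimeGenerated"] <= now - QUERY_PERIOD or e["EventID"] != 4697
                or not has_any(e["Computer"], dcs)):
            continue
        k = tuple(e[c] for c in KEY)
        if k not in first_seen or e["TimeGenerated"] < first_seen[k]["TimeGenerated"]:
            first_seen[k] = e
    return [e for e in first_seen.values() if e["TimeGenerated"] > now - QUERY_FREQUENCY]
```

Running detect(EVENTS, WATCHLIST) reports only the HelperSvc installation on DC02; the reinstalled agent on DC01 is suppressed because its earliest occurrence in the 14-day window is ten days old.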

Details

Jose Sebastián Canós

Released: April 30, 2025

Tables

SecurityEvent

Keywords

SecurityEvent, DomainControllers, Computer, Account, ServiceAccount, ServiceFileName, ServiceStartType, ServiceType, Activity, ServiceName, SubjectLogonId, EventData

Operators

let, toscalar, _GetWatchlist, where, summarize, make_list, has_any, arg_min, project