Query Details

Device Events Scheduled Tasks

Query

// #Base #KQL Starting point
DeviceEvents 
| where Timestamp > ago(30d) //in the last period of time
| where ActionType == "ScheduledTaskCreated" // task created
| where InitiatingProcessAccountSid != "S-1-5-18" // does not equal SYSTEM
| extend AdditionalFields = parse_json(AdditionalFields)
| extend TaskName = tostring(AdditionalFields.["TaskName"])
| sort by Timestamp desc //sort newest to oldest

#### BASELINE EXAMPLE

DeviceEvents
| where Timestamp > ago(30d) //in the last period of time
| where ActionType == "ScheduledTaskCreated" // task created
| where InitiatingProcessAccountSid != "S-1-5-18" // does not equal SYSTEM
| extend AdditionalFields = parse_json(AdditionalFields)
| extend TaskName = tostring(AdditionalFields.["TaskName"])
| sort by Timestamp desc //sort newest to oldest
| summarize count() by TaskName
| sort by count_ desc

Explanation

This query searches DeviceEvents from the last 30 days for ScheduledTaskCreated events, excluding tasks created by the SYSTEM account (SID S-1-5-18). It parses the AdditionalFields column as JSON, extracts the TaskName, and sorts the results by Timestamp in descending order. The baseline example then summarizes the count of each TaskName and sorts by that count in descending order, so the most common task names in the period appear first and uncommon ones sit at the bottom of the list.
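The following query is an added example that builds on the baseline above; it is not part of the original page. It keeps the same filters and TaskName extraction, but instead of a plain count it records how many devices each task name was created on, which accounts and processes created it, and when it was first and last seen, then keeps only task names seen on a small number of devices so that one-off tasks stand out against fleet-wide ones. DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName and InitiatingProcessCommandLine are standard DeviceEvents columns; the device threshold and the Microsoft task-path exclusion are assumptions to tune for your own environment.

```kql
// Added example: rare scheduled task names, built on the baseline query above.
// Assumptions: the DeviceEvents columns referenced here exist in your tenant;
// the device threshold and the excluded task-path prefix are tuning choices.
let lookback = 30d;
let rare_device_threshold = 3;   // assumption: raise or lower to match fleet size
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "ScheduledTaskCreated"
| where InitiatingProcessAccountSid != "S-1-5-18"      // exclude SYSTEM
| extend AdditionalFields = parse_json(AdditionalFields)
| extend TaskName = tostring(AdditionalFields.["TaskName"])
| where isnotempty(TaskName)
// Assumption: built-in Windows tasks live under \Microsoft\ and have been reviewed already
| where TaskName !startswith @"\Microsoft\"
| summarize Creations = count(),
            Devices = dcount(DeviceId),
            DeviceNames = make_set(DeviceName, 10),
            Accounts = make_set(InitiatingProcessAccountName, 10),
            Creators = make_set(InitiatingProcessFileName, 10),
            SampleCommandLine = take_any(InitiatingProcessCommandLine),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
        by TaskName
| where Devices <= rare_device_threshold   // keep only task names seen on few devices
| sort by Creations asc, LastSeen desc
```

Review the SampleCommandLine and Creators columns for each rare task name to decide whether the creating process is an expected installer or management tool; task names that pass review can be added to the exclusion above so the list shrinks over time.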

Details


Daniel Card

Released: September 4, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,Timestamp,ActionType,InitiatingProcessAccountSid,AdditionalFields,TaskName

Operators

where, ago, ==, !=, extend, parse_json, tostring, sort by, summarize, count()
