Security Alert Ps Exec Execution Detected
Query
SecurityAlert
| where AlertName has "PsExec execution detected" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
Computer = tostring(ExtendedProperties["Machine Name"]),
Account = tostring(ExtendedProperties["Account"]),
AccountSID = tostring(ExtendedProperties["User SID"]),
AccountLogonId = tostring(ExtendedProperties["Account Logon Id"]),
ProcessName = tostring(ExtendedProperties["Process Name"]),
CommandLine = tostring(ExtendedProperties["Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
AccountLogonIds = make_set(AccountLogonId, 250),
CommandLines = make_set(CommandLine, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account, AccountSID, ProcessName
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
StartTime,
EndTime,
Computer,
Account,
AccountSID,
ProcessName,
CommandLines,
AccountLogonIds,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This query is designed to analyze security alerts related to "PsExec execution detected" from Azure Security Center. Here's a simplified breakdown of what it does:
-
Filter Alerts: It starts by filtering the
SecurityAlerttable to find alerts with the name "PsExec execution detected" and ensures they are from the "Azure Security Center" provider. -
Summarize Alerts: It groups these alerts by
SystemAlertIdand selects the earliest occurrence of each alert. -
Extract Properties: It extracts various properties from the
ExtendedPropertiesfield, such as the computer name, account details, process name, and command line used. -
Clean Entities: It cleans up the
Entitiesfield by removing certain patterns using regular expressions. -
Aggregate Data: It summarizes the data by:
- Finding the earliest and latest times for each alert.
- Collecting unique sets of account logon IDs, command lines, and alert links.
- Gathering related entities.
- Selecting any available remediation steps, tactics, and techniques.
-
Project Results: Finally, it selects and organizes specific fields to display, including the alert name, severity, description, remediation steps, resource ID, time details, computer and account information, process name, command lines, account logon IDs, alert links, tactics, techniques, and entities.
In essence, this query is used to identify and summarize detailed information about specific security alerts related to PsExec executions, providing insights into the affected systems, accounts, and processes involved.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators