Alerts triggered by the same process within a 24-hour window may indicate coordinated malicious activity leveraging a common process to evade detection. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify potential adversary campaigns that use process-based persistence or lateral movement.
KQL Query
```kusto
// Returns the 10 most recent alerts whose entities mention the given process
// within +-1d of the supplied suspicious event time.
let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){
let v_StartTime = suspiciousEventTime-1d;
let v_EndTime = suspiciousEventTime+1d;
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
| where Entities has v_Process                       // term match on the raw Entities JSON
| extend Extprop = parse_json(Entities)
| mv-expand Extprop                                  // one row per entity object in the alert
| extend Extprop = parse_json(Extprop)
| extend CmdLine = iff(Extprop['Type']=="process", Extprop['CommandLine'], '')
| extend File = iff(Extprop['Type']=="file", Extprop['Name'], '')
| extend Account = Extprop['Name']
| extend Domain = Extprop['UPNSuffix']
| extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
| extend Computer = iff(Extprop['Type']=="host", Extprop['HostName'], '')
| extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '')
| extend Process = iff(isnotempty(CmdLine), CmdLine, File)   // prefer the command line, fall back to the file name
// collapse the expanded entity rows back to one row per alert
| summarize max(TimeGenerated), make_set(AlertName), make_set(Process), make_set(Computer), make_set(Account), make_set(IpAddress), make_set(Entities) by SystemAlertId
| project TimeGenerated = max_TimeGenerated, AlertName=set_AlertName[0], Process=set_Process[1], Account = set_Account[1], Computer=set_Computer[0], IPAddress = set_IpAddress[1], Entities=set_Entities
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
| top 10 by TimeGenerated desc nulls last
};
// change datetime value and <processname> value below
GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), "<processname>")
```
```yaml
id: 635cba46-c077-4959-a2d9-b7eb6fecb854
name: Alerts With This Process
description: |
  'Any Alerts that fired on any host with this same process in the range of +-1d'
requiredDataConnectors:
  - connectorId: AzureSecurityCenter
    dataTypes:
      - SecurityAlert
  - connectorId: MicrosoftCloudAppSecurity
    dataTypes:
      - SecurityAlert
tactics:
  - Persistence
  - Discovery
  - LateralMovement
  - Collection
query: |
  let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){
  let v_StartTime = suspiciousEventTime-1d;
  let v_EndTime = suspiciousEventTime+1d;
  SecurityAlert
  | where TimeGenerated between (v_StartTime .. v_EndTime)
  | where Entities has v_Process
  | extend Extprop = parse_json(Entities)
  | mv-expand Extprop
  | extend Extprop = parse_json(Extprop)
  | extend CmdLine = iff(Extprop['Type']=="process", Extprop['CommandLine'], '')
  | extend File = iff(Extprop['Type']=="file", Extprop['Name'], '')
  | extend Account = Extprop['Name']
  | extend Domain = Extprop['UPNSuffix']
  | extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))
  | extend Computer = iff(Extprop['Type']=="host", Extprop['HostName'], '')
  | extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '')
  | extend Process = iff(isnotempty(CmdLine), CmdLine, File)
  | summarize max(TimeGenerated), make_set(AlertName), make_set(Process), make_set(Computer), make_set(Account), make_set(IpAddress), make_set(Entities) by SystemAlertId
  | project TimeGenerated = max_TimeGenerated, AlertName=set_AlertName[0], Process=set_Process[1], Account = set_Account[1], Computer=set_Computer[0], IPAddress = set_IpAddress[1], Entities=set_Entities
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
  | top 10 by TimeGenerated desc nulls last
  };
  // change datetime value and <processname> value below
  GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), "<processname>")
```
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate system maintenance task (e.g., schtasks.exe or task scheduler) runs a script that generates alerts due to its execution. | Exclude processes associated with scheduled tasks (e.g., schtasks.exe, taskhost.exe) or filter by process names known to be part of the task scheduler. |
| Log Management Tool Processing Logs | A log management tool (e.g., splunkd.exe, logstash.exe) processes logs and triggers alerts due to high volume or specific log patterns. | Exclude processes related to log management tools or filter by process names associated with log processing. |
| Database Backup Job | A database backup job (e.g., sqlbackup.exe, mysqldump.exe) runs periodically and generates alerts due to its execution or resource usage. | Exclude processes related to backup utilities or filter by process names associated with database backups. |
| Security Software Scan | A security tool (e.g., mcafee.exe, avgscan.exe, clamscan.exe) performs a full system scan and triggers alerts due to its high activity. | Exclude processes associated with security software or filter by known security tool process names. |
| System Update or Patch Deployment | A system update or patch deployment (e.g., wusa.exe, msiexec.exe) runs and generates alerts due to its execution or system changes. | Exclude processes related to system updates or filter by process names associated with patch management tools. |
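To show what the KQL above actually does to the `Entities` JSON, and how the exclusions from the false-positive table plug into it, here is an added Python model of the hunt that runs offline. It is example code written for this page, not the query itself and not Microsoft's code. The alert rows (`SAMPLE_ALERTS`), the alert names, hosts, accounts and IPs are all constructed; `DEFAULT_EXCLUSIONS` is built from the process names listed in the scenarios above; the substring match on the raw JSON is an assumption standing in for KQL's `has` term match, and `image_name` is a helper of my own for turning a command line into an executable name.

```python
"""Offline model of the 'Alerts With This Process' hunt (added example, not the page's KQL).

Entity shapes follow the SecurityAlert Entities fields the KQL reads:
Type, CommandLine, Name, UPNSuffix, HostName, Address. All data below is constructed.
"""
import json
from datetime import datetime, timedelta

# Process names taken from the false-positive scenarios above; extend per environment.
DEFAULT_EXCLUSIONS = frozenset({
    "schtasks.exe", "taskhost.exe",               # scheduled maintenance tasks
    "splunkd.exe", "logstash.exe",                # log management tools
    "sqlbackup.exe", "mysqldump.exe",             # database backup jobs
    "mcafee.exe", "avgscan.exe", "clamscan.exe",  # security software scans
    "wusa.exe", "msiexec.exe",                    # updates and patch deployment
})


def parse_timestamp(value):
    """Parse a Sentinel ISO-8601 timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_entities(entities_json):
    """Flatten one alert's Entities array into the fields the KQL projects.

    The first non-empty value per field wins, which is what the KQL's
    set_X[0] / set_X[1] indexing after make_set is trying to achieve.
    """
    out = {"Process": "", "Account": "", "Computer": "", "IpAddress": ""}
    cmdline = file_name = ""
    for ent in json.loads(entities_json):
        kind = ent.get("Type", "")
        if kind == "process" and not cmdline:
            cmdline = ent.get("CommandLine", "")
        elif kind == "file" and not file_name:
            file_name = ent.get("Name", "")
        elif kind == "account" and not out["Account"]:
            name, domain = ent.get("Name", ""), ent.get("UPNSuffix", "")
            out["Account"] = (f"{name}@{domain}" if domain else name).lower()
        elif kind == "host" and not out["Computer"]:
            out["Computer"] = ent.get("HostName", "")
        elif kind == "ip" and not out["IpAddress"]:
            out["IpAddress"] = ent.get("Address", "")
    out["Process"] = cmdline or file_name  # same fallback as iff(isnotempty(CmdLine), CmdLine, File)
    return out


def image_name(process):
    """Hypothetical helper: lower-cased executable base name from a command line or file name."""
    p = process.strip()
    if not p:
        return ""
    token = p[1:].split('"', 1)[0] if p.startswith('"') else p.split()[0]
    return token.replace("\\", "/").rsplit("/", 1)[-1].lower()


def alerts_with_process(alerts, suspicious_time, process, window=timedelta(days=1),
                        exclusions=frozenset(), limit=10):
    """Mirror of GetAllAlertsWithProcess plus an exclusion list.

    Keeps alerts in [t-window, t+window] whose Entities mention `process`,
    drops those whose resolved image is on the exclusion list, newest first.
    """
    start, end = suspicious_time - window, suspicious_time + window
    hits = []
    for alert in alerts:
        t = parse_timestamp(alert["TimeGenerated"])
        # Case-insensitive substring match approximates KQL's `Entities has v_Process`.
        if not (start <= t <= end) or process.lower() not in alert["Entities"].lower():
            continue
        fields = parse_entities(alert["Entities"])
        if image_name(fields["Process"]) in exclusions:
            continue  # known maintenance/security tooling from the scenarios table
        hits.append({"SystemAlertId": alert["SystemAlertId"], "TimeGenerated": t,
                     "AlertName": alert["AlertName"], **fields})
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)
    return hits[:limit]


def _alert(aid, when, name, *entities):
    """Build a constructed SecurityAlert-like row."""
    return {"SystemAlertId": aid, "TimeGenerated": when, "AlertName": name,
            "Entities": json.dumps(list(entities))}


# Constructed sample alerts; none of these are real Sentinel records.
SAMPLE_ALERTS = [
    _alert("a1", "2019-01-18T10:36:07Z", "Suspicious PowerShell launch",
           {"Type": "process", "CommandLine": "powershell.exe -enc SQBFAFgA"},
           {"Type": "account", "Name": "jdoe", "UPNSuffix": "contoso.example"},
           {"Type": "host", "HostName": "WS01"}, {"Type": "ip", "Address": "10.0.0.5"}),
    _alert("a2", "2019-01-19T09:00:00Z", "Hidden PowerShell window on server",
           {"Type": "process", "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -nop -w hidden'},
           {"Type": "account", "Name": "svc-deploy"}, {"Type": "host", "HostName": "SRV02"}),
    _alert("a3", "2019-01-16T08:00:00Z", "Suspicious PowerShell launch",  # outside the +-1d window
           {"Type": "process", "CommandLine": "powershell.exe -nop"}, {"Type": "host", "HostName": "WS03"}),
    _alert("a4", "2019-01-18T12:00:00Z", "Unusual installer activity",  # benign patching, excluded by list
           {"Type": "process", "CommandLine": "msiexec.exe /i C:\\patches\\kb.msi /quiet"},
           {"Type": "host", "HostName": "WS01"}),
    _alert("a5", "2019-01-18T20:00:00Z", "Suspicious file observed",  # file entity only, no process entity
           {"Type": "file", "Name": "powershell.exe"}, {"Type": "host", "HostName": "WS04"}),
]

SUSPICIOUS_TIME = parse_timestamp("2019-01-18T10:36:07Z")  # same pivot time as the query's example call

if __name__ == "__main__":
    for hit in alerts_with_process(SAMPLE_ALERTS, SUSPICIOUS_TIME, "powershell.exe", exclusions=DEFAULT_EXCLUSIONS):
        print(hit["TimeGenerated"].isoformat(), hit["SystemAlertId"], hit["Computer"], hit["Account"], hit["Process"])
```

Running it for `powershell.exe` returns `a2`, `a5` and `a1` in that order: `a3` falls outside the window and `a5` is kept only because the file name stands in for the missing command line, as in the KQL. Hunting for `msiexec.exe` with `DEFAULT_EXCLUSIONS` returns nothing, which is the intended effect of the patch-deployment exclusion; the same filter is expressed in KQL by adding a `| where` on the resolved `Process` before the `summarize`.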