Forum Discussion
jlouden
Sep 24, 2019 | Brass Contributor
svchost appearing in sentinel securityalert
Hi All,
Just wondering if anyone has seen this. We are now including Windows Security event information in Sentinel via the Security Events connector. I was surprised to see that the clipboard history service came up as an alert under "SVCHOST was observed running a rare service group." I did check the file and the process and they are all legit (from my POV). Why would a well known, well used MS dll trip this alert?
Any thoughts?
- CliveWatson
Microsoft
Hello jlouden, is this your own alert, or one of the built-in ones? If so, which one?
- jlouden | Brass Contributor
Hi CliveWatson
This is a built-in, out-of-the-box alert. The query string is:
SecurityAlert
| mv-expand Entity = parse_json(Entities)
| where Entity.Type =~ 'account'
| project TimeGenerated, AlertName = DisplayName, Entity.Name, AlertSeverity
| summarize RelatedAccounts = make_set(Entity_Name) by tostring(TimeGenerated), AlertName, AlertSeverity
| sort by TimeGenerated desc
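The query above only lists which accounts were attached to each alert; it does not show why the alert considered the service group "rare". Because svchost is told which group to host with the `-k` argument on its command line, a defender can build the same kind of baseline from the process-creation events the Security Events connector already ingests and see how often each group is actually launched in the environment. The following hunting query is an added example written for this thread, not the built-in alert's own logic or anything from Microsoft; it assumes process command-line auditing is enabled on the hosts so that `CommandLine` is populated in `SecurityEvent` 4688 records, and it uses a 30-day window and a "seen on fewer than 3 hosts" threshold that are illustrative choices only:

```kql
// Added example: baseline svchost service groups from Security event 4688
// (process creation). Assumes command-line auditing is on; without it
// CommandLine is empty and ServiceGroup will be extracted as blank.
let lookback = 30d;                      // assumption: tuning window
let rare_host_threshold = 3;             // assumption: "rare" = seen on < 3 hosts
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688
| where NewProcessName endswith @"\svchost.exe"
// svchost selects its service group with "-k <group>"; the optional
// "-s <service>" names the single service when per-service hosting is used.
| extend ServiceGroup = extract(@"-k\s+(\S+)", 1, CommandLine)
| extend ServiceName  = extract(@"-s\s+(\S+)", 1, CommandLine)
| where isnotempty(ServiceGroup)
| summarize Launches   = count(),
            Hosts      = dcount(Computer),
            Services   = make_set(ServiceName, 20),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
            by ServiceGroup
// Flag groups that few machines ever run; a legitimate but seldom-used
// group (the clipboard history service is a good example) will land here
// alongside anything genuinely unusual, which is exactly why the alert fires.
| extend Rare = Hosts < rare_host_threshold
| order by Hosts asc, Launches asc
```

Running this before acting on the alert lets you check whether the flagged group is rare only because few users have the feature enabled (expected, and a candidate for an exception in the rule's tuning) or because it appears on a single host with a service name you do not recognise (worth investigating). The parent process, signer of the hosted DLL and the launching account are the next things to pivot to in the same 4688 data.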