Forum Discussion
jlouden
Sep 24, 2019, Brass Contributor
svchost appearing in sentinel securityalert
Hi All, Just wondering if anyone has seen this. We are now including Windows Security event information in sentinel via the security events connector. I was surprised to see that the clipboard hi...
CliveWatson
Sep 26, 2019, Former Employee
Hello jlouden, is this your own alert, or one of the built-in ones? If so, which one?
jlouden
Oct 02, 2019, Brass Contributor
Hi CliveWatson
This is a built-in, out-of-the-box alert. The query string is:
SecurityAlert
// Entities is a JSON string; parse it and emit one row per entity in the array
| mvexpand Entity = parse_json(Entities)
// keep only account entities (=~ is a case-insensitive match)
| where Entity.Type =~ 'account'
// Entity.Name is projected as the column Entity_Name
| project TimeGenerated, AlertName = DisplayName, Entity.Name, AlertSeverity
// one row per alert, with the distinct account names collected into a set
| summarize RelatedAccounts = makeset(Entity_Name) by tostring(TimeGenerated), AlertName, AlertSeverity
| sort by TimeGenerated desc
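To see what that query keeps and what it throws away, here is an added Python re-implementation of its pipeline (not code from the thread or from Sentinel) run over constructed SecurityAlert rows. The alert names, account names and entity payloads are made up; the entity shapes follow the Sentinel convention of a JSON array of objects with a `Type` field.

```python
import json
from collections import Counter

# Constructed sample rows shaped like the SecurityAlert table (only the
# columns the query touches). These are not real alerts.
SAMPLE_ALERTS = [
    {
        "TimeGenerated": "2019-09-24T10:15:00Z",
        "DisplayName": "Suspicious process executed",
        "AlertSeverity": "Medium",
        "Entities": json.dumps([
            {"Type": "account", "Name": "svc_backup", "NTDomain": "CORP"},
            {"Type": "process", "ImageFile": {"Type": "file", "Name": "svchost.exe"}},
            {"Type": "host", "HostName": "WS01"},
        ]),
    },
    {   # same key (time, name, severity) as the row above -> merged by summarize
        "TimeGenerated": "2019-09-24T10:15:00Z",
        "DisplayName": "Suspicious process executed",
        "AlertSeverity": "Medium",
        "Entities": json.dumps([{"Type": "Account", "Name": "jdoe"}]),  # mixed case
    },
    {   # no account entity at all: the where clause drops the whole alert
        "TimeGenerated": "2019-09-25T08:00:00Z",
        "DisplayName": "Unexpected service binary",
        "AlertSeverity": "Low",
        "Entities": json.dumps([
            {"Type": "process", "ImageFile": {"Type": "file", "Name": "svchost.exe"}},
        ]),
    },
    {
        "TimeGenerated": "2019-09-23T22:40:00Z",
        "DisplayName": "Logon from unfamiliar location",
        "AlertSeverity": "High",
        "Entities": json.dumps([
            {"Type": "account", "Name": "alice"},
            {"Type": "account", "Sid": "S-1-5-21-1-2-3-1001"},  # no Name -> null
        ]),
    },
]


def expand_entities(row):
    """Analogue of `mvexpand Entity = parse_json(Entities)`: one entity
    object per element of the JSON array (an empty/missing column yields none)."""
    raw = row.get("Entities")
    if not raw:
        return []
    entities = json.loads(raw)
    if isinstance(entities, dict):  # a lone object expands to itself
        entities = [entities]
    return entities


def related_accounts(rows):
    """Re-implements the query: keep account entities, group by
    (TimeGenerated, AlertName, AlertSeverity), collect distinct names,
    newest first."""
    groups = {}
    for row in rows:
        for ent in expand_entities(row):
            # `Entity.Type =~ 'account'` is a case-insensitive comparison
            if str(ent.get("Type", "")).lower() != "account":
                continue
            key = (str(row["TimeGenerated"]), row["DisplayName"], row["AlertSeverity"])
            names = groups.setdefault(key, set())
            name = ent.get("Name")
            if name is not None:  # makeset() ignores null values
                names.add(name)
    result = [
        {"TimeGenerated": k[0], "AlertName": k[1], "AlertSeverity": k[2],
         "RelatedAccounts": sorted(v)}
        for k, v in groups.items()
    ]
    result.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    return result


def dropped_entity_types(rows):
    """Counts the entity types the where clause discards, which is useful
    when an alert you expected to see never shows up in RelatedAccounts."""
    dropped = Counter()
    for row in rows:
        for ent in expand_entities(row):
            t = str(ent.get("Type", "")).lower()
            if t != "account":
                dropped[t] += 1
    return dropped


if __name__ == "__main__":
    for r in related_accounts(SAMPLE_ALERTS):
        print(r)
    print("dropped:", dict(dropped_entity_types(SAMPLE_ALERTS)))
```

Two things the sample makes visible: an alert whose only entities are processes or hosts produces no output row at all, and an account entity without a `Name` contributes nothing to the set, so a process name such as svchost.exe can only reach RelatedAccounts if it was emitted inside an entity whose `Type` is account.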