svchost appearing in sentinel securityalert


Hi All,

Just wondering if anyone has seen this. We are now including Windows Security event information in Sentinel via the Security Events connector. I was surprised to see that the Clipboard History service came up as an alert under "SVCHOST was observed running a rare service group." I did check the file and the process and they are all legit (from my POV). Why would a well-known, well-used MS DLL trip this alert?


Any thoughts?


Hello @jlouden, is this your own alert or one of the built-in ones? If so, which one?

Hi @CliveWatson,


This is a built-in, out-of-the-box alert. The query string is:


SecurityAlert
// Entities is a JSON array; expand it to one row per entity
| mv-expand Entity = parse_json(Entities)
// =~ is a case-insensitive match, so 'Account' and 'account' both pass
| where Entity.Type =~ 'account'
| project TimeGenerated, AlertName = DisplayName, Entity.Name, AlertSeverity
// projecting Entity.Name produces a column named Entity_Name
| summarize RelatedAccounts = make_set(Entity_Name) by tostring(TimeGenerated), AlertName, AlertSeverity
| sort by TimeGenerated desc
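As an added example (not from this thread or from Microsoft), the same summarisation written in Python over a few constructed SecurityAlert rows, so you can see the shape of the Entities JSON the query expands and what the make_set/grouping step returns; entity fields other than Type and Name (HostName, ProcessId) are assumed names for illustration.

```python
import json

# Constructed rows imitating the Sentinel SecurityAlert table (not real alerts).
SAMPLE_ALERTS = [
    {
        "TimeGenerated": "2021-03-01T10:15:00Z",
        "DisplayName": "SVCHOST was observed running a rare service group",
        "AlertSeverity": "Medium",
        "Entities": json.dumps([
            {"Type": "host", "HostName": "WS01"},            # field names assumed
            {"Type": "Account", "Name": "jdoe", "NTDomain": "CORP"},
            {"Type": "account", "Name": "SYSTEM"},
            {"Type": "process", "ProcessId": "1234"},        # not an account: dropped
            {"Type": "account", "Name": "jdoe"},             # duplicate: make_set keeps one
        ]),
    },
    {
        "TimeGenerated": "2021-03-01T09:00:00Z",
        "DisplayName": "SVCHOST was observed running a rare service group",
        "AlertSeverity": "Medium",
        "Entities": json.dumps([
            {"Type": "account", "Name": "svc_constructed"},
            {"Type": "account"},                             # no Name: make_set ignores null
        ]),
    },
]


def related_accounts(alerts):
    """Python equivalent of the thread's KQL: mv-expand Entities, keep
    Type =~ 'account', make_set(Name) per (TimeGenerated, AlertName,
    AlertSeverity), then sort by TimeGenerated descending."""
    groups = {}
    for row in alerts:
        key = (row["TimeGenerated"], row["DisplayName"], row["AlertSeverity"])
        for entity in json.loads(row["Entities"]):
            # =~ in KQL is case-insensitive, so normalise before comparing
            if str(entity.get("Type", "")).lower() != "account":
                continue
            name = entity.get("Name")
            if name is None:
                continue
            names = groups.setdefault(key, [])
            if name not in names:          # set semantics, insertion order kept
                names.append(name)
    rows = [
        {"TimeGenerated": t, "AlertName": n, "AlertSeverity": s, "RelatedAccounts": names}
        for (t, n, s), names in groups.items()
    ]
    return sorted(rows, key=lambda r: r["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for r in related_accounts(SAMPLE_ALERTS):
        print(r["TimeGenerated"], r["AlertSeverity"], r["RelatedAccounts"])
```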