
svchost appearing in sentinel securityalert

jlouden
Occasional Contributor

Hi All,

 

Just wondering if anyone has seen this. We are now including Windows Security event information in Sentinel via the security events connector. I was surprised to see that the clipboard history service came up as an alert under "SVCHOST was observed running a rare service group."  I did check the file and the process and they are all legit (from my POV). Why would a well-known, well-used MS DLL trip this alert?

 

Any thoughts?

2 Replies

Hello @jlouden, is this your own alert, or one of the built-in ones? If so, which one?

Hi @Clive Watson 

 

This is an inbuilt, out-of-the-box alert. The query string is:

 

SecurityAlert
// Entities is a JSON array; expand it to one row per entity
| mv-expand Entity = parse_json(Entities)
| where Entity.Type =~ 'account'
// after project, Entity.Name is exposed as the column Entity_Name
| project TimeGenerated, AlertName = DisplayName, Entity.Name, AlertSeverity
| summarize RelatedAccounts = make_set(Entity_Name) by tostring(TimeGenerated), AlertName, AlertSeverity
| sort by TimeGenerated desc
 
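As an added example (not part of the original thread, and not Microsoft's detection logic), the Python below triages an alert like the one in the first post offline. It reproduces the account extraction of the posted KQL over the SecurityAlert Entities JSON, then pulls the process entity's command line, reads the service group passed to svchost with -k, and compares that group against a baseline of svchost groups built from constructed 4688 command lines, which is the kind of rarity the alert name refers to. It also applies the check a rarity alert does not make: that svchost actually runs from System32. The SecurityAlert row and the 4688 lines are constructed; the entity field names other than Type, Name and CommandLine, the clipboard service's command line (-k ClipboardSvcGroup -s cbdhsvc), the group counts and the rarity threshold are assumptions.

```python
import json
import re
from collections import Counter

# Constructed SecurityAlert row (not real telemetry). Entities is a JSON array
# string, as in the Sentinel SecurityAlert table; entity field names other than
# Type/Name/CommandLine are assumptions, as is the clipboard service command line.
SECURITY_ALERT_ROW = {
    "TimeGenerated": "2019-09-30T08:12:44Z",
    "DisplayName": "SVCHOST was observed running a rare service group",
    "AlertSeverity": "Medium",
    "Entities": json.dumps([
        {"Type": "host", "HostName": "WS-042"},
        {"Type": "account", "Name": "jdoe", "NTDomain": "CONTOSO"},
        {"Type": "account", "Name": "svc_backup", "NTDomain": "CONTOSO"},
        {"Type": "process", "ProcessId": "0x1a2c",
         "CommandLine": "C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"},
        {"Type": "file", "Name": "svchost.exe", "Directory": "C:\\Windows\\system32"},
    ]),
}

# Constructed 4688 (process creation) command lines standing in for what the rest
# of the fleet runs. Counts are invented; the last entry is a deliberately
# misplaced svchost so the path check has something to catch.
BASELINE_4688_COMMANDLINES = (
    ["C:\\Windows\\system32\\svchost.exe -k netsvcs -p"] * 40
    + ["C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"] * 35
    + ["C:\\Windows\\system32\\svchost.exe -k RPCSS -p"] * 40
    + ["C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"] * 1
    + ["C:\\Users\\Public\\svchost.exe -k netsvcs"] * 1
)

SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\b.*?\s-k\s+(\S+)", re.IGNORECASE)
IMAGE_RE = re.compile(r'^\s*"?(.*?svchost\.exe)"?', re.IGNORECASE)
EXPECTED_SVCHOST_PATH = "c:\\windows\\system32\\svchost.exe"


def expand_entities(row, entity_type):
    """Python equivalent of the posted KQL:
    mv-expand Entity = parse_json(Entities) | where Entity.Type =~ '<entity_type>'."""
    return [e for e in json.loads(row["Entities"])
            if e.get("Type", "").lower() == entity_type.lower()]


def related_accounts(row):
    """The posted query's RelatedAccounts = make_set(Entity_Name), for one alert."""
    return sorted({e["Name"] for e in expand_entities(row, "account") if "Name" in e})


def svchost_group(command_line):
    """Service group passed to svchost via -k, or None if this is not an svchost launch."""
    m = SVCHOST_GROUP_RE.search(command_line)
    return m.group(1) if m else None


def svchost_image_path(command_line):
    """Image path of the svchost launch, lower-cased, quotes stripped ('' if none)."""
    m = IMAGE_RE.match(command_line)
    return m.group(1).lower() if m else ""


def group_baseline(command_lines):
    """Process creations per svchost service group across the (constructed) fleet."""
    return Counter(g for g in map(svchost_group, command_lines) if g)


def svchost_outside_system32(command_lines):
    """Complementary check the rarity alert does not make: svchost launched from
    anywhere but System32, a classic masquerading sign."""
    return [c for c in command_lines
            if svchost_group(c) and svchost_image_path(c) != EXPECTED_SVCHOST_PATH]


def triage(row, baseline, rare_threshold=5):
    """Rate the alert's svchost group against the baseline and check the image path.
    A rare group in the expected path still needs the service DLL confirmed; a
    common group in an unexpected path is the more worrying combination."""
    findings = []
    for p in expand_entities(row, "process"):
        cmd = p.get("CommandLine", "")
        group = svchost_group(cmd)
        if group is None:
            continue
        seen = baseline.get(group, 0)
        path_ok = svchost_image_path(cmd) == EXPECTED_SVCHOST_PATH
        findings.append({
            "group": group,
            "baseline_count": seen,
            "rare": seen < rare_threshold,
            "image_path_ok": path_ok,
            "verdict": ("unexpected_image_path" if not path_ok
                        else "rare_group_expected_path" if seen < rare_threshold
                        else "common_group"),
        })
    return {"alert": row["DisplayName"], "severity": row["AlertSeverity"],
            "accounts": related_accounts(row), "findings": findings}


if __name__ == "__main__":
    baseline = group_baseline(BASELINE_4688_COMMANDLINES)
    print(json.dumps(triage(SECURITY_ALERT_ROW, baseline), indent=2))
    print("svchost outside System32:", svchost_outside_system32(BASELINE_4688_COMMANDLINES))
```

The point the example makes is that a rarity-based alert scores how uncommon a service group is in your own telemetry, not whether the DLL behind it is reputable, so a legitimate Microsoft service that only a few hosts run can trip it. The analyst follow-up is the image path and the service registration for the -s name, which is what the verdict field separates.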