Microsoft Tech Community

The query does not return the following columns that are required to create a detection rule


Trying to create a custom detection and I'm getting the below error. I'm new to Defender ATP so looking for some guidance.


The query does not return the following columns that are required to create a detection rule


// Find PsExec creating multiple files on remote machines in a 10-minute window
DeviceFileEvents
| where Timestamp > ago(7d)
// Looking for PsExec by accepteula command flag
| where InitiatingProcessCommandLine has "accepteula"
// Remote machines and file is exe
| where FolderPath has "\\\\" and FileName endswith ".exe"
| extend Exe = countof(InitiatingProcessCommandLine, ".exe")
// Checking to see if command line has 2 .exe or .bat
| where InitiatingProcessCommandLine !has ".ps1" and Exe > 1 or 
InitiatingProcessCommandLine has ".bat"
// Exclusions: Remove the following line to widen scope of AHQ
| where not(InitiatingProcessCommandLine has_any("batch", "auditpol", 
"script", "scripts", "illusive", "rebootrequired"))
| summarize FileCount = dcount(FolderPath), make_set(SHA1), make_set(FolderPath), 
make_set(FileName), make_set(InitiatingProcessCommandLine) by DeviceId, 
TimeWindow=bin(Timestamp, 10m), InitiatingProcessFileName
| where FileCount > 4
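One way to get past the error, as an added example that is not part of the original post: the custom detection editor expects every result row to carry Timestamp, ReportId and an identifier column such as DeviceId, and the summarize above only keeps DeviceId plus the binned TimeWindow. The rewrite below assumes those three columns are what the editor is asking for and uses arg_max to carry the latest event's Timestamp and ReportId through the aggregation; the parentheses on the .exe/.bat condition make the original and/or precedence explicit without changing it.

```kql
// Added example (not the original poster's query): same PsExec hunt, restructured so
// summarize keeps the columns a custom detection rule needs on every row.
// Assumption: the rule editor requires Timestamp, ReportId and DeviceId per result row.
DeviceFileEvents
| where Timestamp > ago(7d)
// PsExec is identified by the accepteula command-line flag
| where InitiatingProcessCommandLine has "accepteula"
// Remote UNC path and the dropped file is an executable
| where FolderPath has "\\\\" and FileName endswith ".exe"
| extend Exe = countof(InitiatingProcessCommandLine, ".exe")
// (A and B) or C is what the original unparenthesized expression evaluates to
| where (InitiatingProcessCommandLine !has ".ps1" and Exe > 1)
    or InitiatingProcessCommandLine has ".bat"
// Exclusions: remove this line to widen the scope of the hunt
| where not(InitiatingProcessCommandLine has_any("batch", "auditpol",
    "script", "scripts", "illusive", "rebootrequired"))
// arg_max returns the Timestamp and ReportId of the latest file event in each
// window, so every alert points back at a real event; the other aggregates
// are kept and given explicit names for readability in the alert.
| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId),
    FileCount = dcount(FolderPath),
    Hashes = make_set(SHA1),
    Paths = make_set(FolderPath),
    Files = make_set(FileName),
    CommandLines = make_set(InitiatingProcessCommandLine)
    by DeviceId, TimeWindow = bin(Timestamp, 10m), InitiatingProcessFileName
| where FileCount > 4
// Put the required columns first so the editor's check is easy to eyeball
| project-reorder Timestamp, ReportId, DeviceId
```

Run the query in advanced hunting first and confirm the three columns appear in the results before saving it as a detection rule.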