Hi All,


Just wondering if anyone has seen this. We are now including Windows Security event information in Sentinel via the Security Events connector. I was surprised to see that the Clipboard History service came up as an alert under "SVCHOST was observed running a rare service group." I did check the file and the process and they are all legit (from my POV). Why would a well-known, well-used MS DLL trip this alert?



Hello @jlouden, is this your own alert, or one of the built-in ones? If so, which one?

Hi @CliveWatson 


This is an inbuilt, out-of-the-box alert. The query string is:


| mvexpand Entity = parse_json(Entities)
| where Entity.Type =~ 'account'
| project TimeGenerated, AlertName = DisplayName, Entity.Name, AlertSeverity
| summarize RelatedAccounts = makeset(Entity_Name) by tostring(TimeGenerated), AlertName, AlertSeverity
| sort by TimeGenerated desc
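To illustrate why a legitimate service can trip a "rare service group" detection, here is an added example (not from the thread or from Microsoft) that reproduces the core logic over constructed svchost command lines: it extracts the `-k` service group from each launch, counts how often each group appears, flags the infrequent ones, and then splits them into groups that exist in a host baseline versus groups with no baseline entry. The command lines, the `ClipboardSvcGroup` name and the baseline set are constructed for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample: command-line fields of Windows Security event 4688
# (process creation) for svchost.exe launches on one host. Not real telemetry.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p",
    r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p",
    r"C:\Windows\System32\svchost.exe -k RPCSS -p",
    r"C:\Windows\System32\svchost.exe -k RPCSS -p",
    r"C:\Windows\System32\svchost.exe -k RPCSS -p",
    r"C:\Windows\System32\svchost.exe -k ClipboardSvcGroup -p",  # constructed rare group
]

# Constructed baseline of service groups known to be defined on the host
# (in practice this would be gathered from the host's svchost configuration).
BASELINE_GROUPS = {"netsvcs", "LocalServiceNetworkRestricted", "RPCSS", "ClipboardSvcGroup"}

SERVICE_GROUP_RE = re.compile(r"svchost\.exe\s+(?:-p\s+)?-k\s+(\S+)", re.IGNORECASE)


def service_group(command_line: str) -> Optional[str]:
    """Return the -k service group name from an svchost command line, or None."""
    m = SERVICE_GROUP_RE.search(command_line)
    return m.group(1) if m else None


def rare_service_groups(command_lines: Iterable[str], max_count: int = 1) -> Dict[str, int]:
    """Count svchost launches per service group and return those seen at most
    max_count times. This is a frequency statistic only: a group is 'rare'
    because it ran seldom on this host, not because anything about it is bad."""
    counts = Counter(g for g in map(service_group, command_lines) if g)
    return {g: n for g, n in counts.items() if n <= max_count}


def triage(rare: Dict[str, int], baseline: Iterable[str]) -> Dict[str, List[str]]:
    """Split rare groups into ones present in the host baseline (benign but
    infrequent, e.g. an on-demand service) and ones with no baseline entry,
    which are the ones worth a closer look."""
    known_lower = {b.lower() for b in baseline}
    in_baseline = sorted(g for g in rare if g.lower() in known_lower)
    unknown = sorted(g for g in rare if g.lower() not in known_lower)
    return {"baseline_rare": in_baseline, "unknown_rare": unknown}
```

Running `triage(rare_service_groups(SAMPLE_COMMAND_LINES), BASELINE_GROUPS)` places the constructed clipboard group under `baseline_rare`: the alert fires on frequency alone, so a seldom-used but legitimate service is an expected false positive to be triaged against a baseline rather than treated as malicious.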