
Rare Custom Script Extension - Hunting Query #13342

@vdabhi123

Description


For the cx, the ask is to have an analytical rule for "Rare Custom Script Extension" (which is a hunting query as of now):

The KQL seems to be old, hence I have updated the OperationNameValue in the KQL.

The first part is trying to extract the values FileURL and CommandToExecute from the Settings value.

But the Settings value which is loading up in the output only has ******** in it, which means the values are redacted/masked, so I am unable to get the actual values of FileURL and CommandToExecute.

I also tried projecting the output for the values FileURL and CommandToExecute, and it confirmed no extraction from Settings:

Link:
https://github.com/Azure/Azure-Sentinel/commits/master/Solutions/Azure%20Activity/Hunting%20Queries/Rare_Custom_Script_Extension.yaml
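The issue above is that extension writes whose Settings blob is masked (`********`) yield no FileURL or CommandToExecute, so a rule that keys purely on those extracted fields silently drops exactly the rows it cannot parse. The script below is an added example, not the Azure-Sentinel hunting query and not code from the issue author: it parses constructed extension-write records, distinguishes masked or empty settings from parseable ones, and keeps masked rows visible in the triage output (keyed on caller and resource) instead of discarding them. The record field names (`caller`, `resource`, `settings`, `fileUris`, `commandToExecute`) and the sample values are assumptions made for the example.

```python
"""Triage of custom script extension writes whose settings may be masked.

Added example, not the Azure-Sentinel hunting query. The records below are
constructed to resemble extension-write activity carrying a JSON settings blob;
the field names (caller, resource, settings, fileUris, commandToExecute) are
assumptions for this example.
"""
import json
import re
from collections import Counter

# Constructed sample records; "********" models the redacted Settings value
# described in the issue, and "" models a record with no settings at all.
SAMPLE_RECORDS = [
    {"caller": "ops@example.com", "resource": "vm-web-01",
     "settings": json.dumps({"fileUris": ["https://files.example.com/patch.ps1"],
                             "commandToExecute": "powershell -File patch.ps1"})},
    {"caller": "ops@example.com", "resource": "vm-web-02",
     "settings": json.dumps({"fileUris": ["https://files.example.com/patch.ps1"],
                             "commandToExecute": "powershell -File patch.ps1"})},
    {"caller": "contractor@example.net", "resource": "vm-db-01",
     "settings": "********"},
    {"caller": "ops@example.com", "resource": "vm-web-03",
     "settings": ""},
]

# A settings value made only of '*' characters is treated as masked.
MASK_RE = re.compile(r"^\*+$")


def parse_settings(raw):
    """Return (file_urls, command, masked) for one settings value.

    masked is True when the value is absent, empty, all-asterisks, or not
    valid JSON; in that case nothing can be extracted and triage must fall
    back on the other fields of the record.
    """
    if raw is None or raw.strip() == "" or MASK_RE.match(raw.strip()):
        return [], None, True
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return [], None, True
    urls = data.get("fileUris") or []
    if isinstance(urls, str):
        urls = [urls]
    return list(urls), data.get("commandToExecute"), False


def triage(records, rare_threshold=1):
    """Group parseable writes by (file URLs, command) and flag rare ones.

    Masked rows are never counted toward rarity (their content is unknown)
    but are carried through with masked=True so they stay reviewable.
    """
    parsed = []
    for rec in records:
        urls, cmd, masked = parse_settings(rec.get("settings"))
        key = "MASKED" if masked else "|".join(urls) + "::" + str(cmd)
        parsed.append((rec, urls, cmd, masked, key))
    counts = Counter(key for _, _, _, masked, key in parsed if not masked)
    results = []
    for rec, urls, cmd, masked, key in parsed:
        results.append({
            "caller": rec["caller"],
            "resource": rec["resource"],
            "file_urls": urls,
            "command": cmd,
            "masked": masked,
            "rare": (not masked) and counts[key] <= rare_threshold,
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
```

The design point is that masked settings are a distinct analytic outcome, not a parse failure to filter out: the same pattern applies to the KQL, where rows whose extracted FileURL and CommandToExecute are empty should be retained and reported on caller and resource rather than excluded by a `where isnotempty(...)` clause.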
