An unexpected error occurred during query execution. Please try again in a few minutes. while running Advanced Hunting Query on MS ATP

Pratik Pashte 1 Reputation point
2020-10-01T10:56:50.547+00:00

While running the query below in Advanced Hunting, I got "An unexpected error occurred during query execution. Please try again in a few minutes."

I am not sure what causes the error, but I would like to understand why it occurs and how to resolve it.

Query:
//Description:
//The query looks for several different MITRE techniques, grouped by risk level.
//A weighting is applied to each risk level and a total score calculated per machine
//Techniques can be added/removed as required
//
let weights = dynamic({"Low":1, "Medium":3, "High":5}); //Assign weights to the risk levels
//Low risk events
let lowRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "powershell.exe" and ProcessCommandLine has "-command") //T1086 PowerShell
or
(FileName =~ "powershell.exe" and ProcessCommandLine contains "-nop") //T1086 PowerShell
or
(FileName =~ "schtasks.exe" and ProcessCommandLine has "create") //T1053 Scheduled Task
or
(FileName =~ "installutil.exe") //T1118 InstallUtil
or
(FileName =~ "msbuild.exe") //T1127 Trusted Developer Utilities
or
(FileName =~ "nbtstat.exe") //T1016 System Network Configuration Discovery
or
(FileName == "mshta.exe") //T1170 Mshta
or
(FileName =~ "netsh.exe") //T1089 Disabling Security Tools, T1063 Security Software Discovery
or
(FileName == "net.exe" and ProcessCommandLine has " start ") //T1007 System Service Discovery
| extend Weight = toint((weights["Low"]));
//Medium risk events
let mediumRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "regsvcs.exe") //T1121 Regsvcs/Regasm
or
(FileName =~ "arp.exe" and ProcessCommandLine has "-a") //T1016 System Network Configuration Discovery
or
(FileName =~ "ipconfig.exe" and ProcessCommandLine has "all") //T1016 System Network Configuration Discovery
or
(FileName startswith "psexe") //T1035 Service Execution
or
(FileName == "net.exe" and ProcessCommandLine has " share ") //T1135 Network Share Discovery
or
(FileName =~ "netsh.exe" and ProcessCommandLine has "interface show") //T1016 System Network Configuration Discovery
| extend Weight = toint((weights["Medium"]));
//Higher risk events
let highRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "net.exe" and ProcessCommandLine has "config") //T1016 System Network Configuration Discovery
or
(FileName =~ "net.exe" and ProcessCommandLine has "time") //T1124 System Time Discovery
or
(FileName =~ "w32tm.exe" and ProcessCommandLine has "/tz") //T1124 System Time Discovery
or
(FileName == "cmstp.exe") //T1191 CMSTP
or
(FileName =~ "netsh.exe" and (ProcessCommandLine has "portproxy" or ProcessCommandLine has "p")) //T1090 Connection Proxy
| extend Weight = toint((weights["High"]));
union kind=outer lowRiskEvents, mediumRiskEvents, highRiskEvents
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, Weight
| summarize Start_Time=min(Timestamp), End_Time=max(Timestamp), Weight_Sum=sum(Weight), Processes=makeset(FileName), Commands=makeset(ProcessCommandLine) by DeviceName
| where Weight_Sum > 30
| sort by Weight_Sum desc

Query Source: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

Thanks & Regards,
Pratik Pashte
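To check what the posted scoring logic does before running it in Advanced Hunting, here is an added Python re-implementation of a subset of its rules over constructed events; it is not code from the original post or from the Microsoft repository. The `has` and `contains` helpers are approximations of the KQL operators, and the event dictionary shape (DeviceName, FileName, ProcessCommandLine) is assumed.

```python
import re
from collections import defaultdict

WEIGHTS = {"Low": 1, "Medium": 3, "High": 5}  # as in the posted query
def tokens(s):
    return [t for t in re.split(r"[^a-z0-9]+", s.lower()) if t]

def has(text, term):
    """Approximates KQL 'has': the term's tokens occur as a run of whole tokens in text."""
    tt, qt = tokens(text), tokens(term)
    return any(tt[i:i + len(qt)] == qt for i in range(len(tt) - len(qt) + 1))
def contains(text, sub):
    """KQL 'contains': case-insensitive substring match."""
    return sub.lower() in text.lower()
# Subset of the posted rules per risk level; f is the lowercased FileName, c the command line.
RULES = {
    "Low": [lambda f, c: f == "powershell.exe" and has(c, "-command"),   # T1086
            lambda f, c: f == "powershell.exe" and contains(c, "-nop"),  # T1086
            lambda f, c: f == "netsh.exe",                               # T1089/T1063
            lambda f, c: f == "net.exe" and has(c, " start ")],          # T1007
    "Medium": [lambda f, c: f == "net.exe" and has(c, " share "),            # T1135
               lambda f, c: f == "netsh.exe" and has(c, "interface show")],  # T1016
    "High": [lambda f, c: f == "net.exe" and has(c, "config"),          # T1016
             lambda f, c: f == "cmstp.exe",                             # T1191
             lambda f, c: f == "netsh.exe" and (has(c, "portproxy") or has(c, "p"))],  # T1090
}

def score_devices(events, threshold=30):
    """Like the query's union + summarize: an event matching several risk levels is counted
    once per level (union keeps duplicate rows); returns (DeviceName, Weight_Sum) > threshold."""
    totals = defaultdict(int)
    for ev in events:
        f, c = ev["FileName"].lower(), ev["ProcessCommandLine"]
        for level, rules in RULES.items():
            if any(r(f, c) for r in rules):
                totals[ev["DeviceName"]] += WEIGHTS[level]
    return sorted(((d, w) for d, w in totals.items() if w > threshold), key=lambda x: -x[1])

# Constructed sample events (not real telemetry); WS-01 scores 6+1+5+5+5+5+3+1 = 31.
EVENTS = [{"DeviceName": d, "FileName": f, "ProcessCommandLine": c} for d, f, c in [
    ("WS-01", "netsh.exe", "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=10.0.0.5"),
    ("WS-01", "powershell.exe", "powershell.exe -nop -w hidden -command Get-Process"),
    ("WS-01", "net.exe", "net config workstation"),
    ("WS-01", "net.exe", "net config server"),
    ("WS-01", "cmstp.exe", "cmstp.exe /s C:\\Temp\\profile.inf"),
    ("WS-01", "cmstp.exe", "cmstp.exe /ni /s C:\\Temp\\profile.inf"),
    ("WS-01", "net.exe", "net share Backup=C:\\Backup"),
    ("WS-01", "net.exe", "net start Spooler"),
    ("WS-02", "netsh.exe", "netsh interface show interface"),
]]
```

Note that the netsh portproxy event is counted under both Low (any netsh.exe) and High (portproxy), which is exactly how the posted query's union of the three filtered tables behaves.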


1 answer

    JamesTran-MSFT 36,051 Reputation points Microsoft Employee
    2020-10-05T23:08:27.25+00:00

    @Pratik Pashte
    Thanks for your post!

    At the bottom of the GitHub link you posted, you should be able to reach out to the developers who made this query by emailing "wdatpqueriesfeedback@microsoft.com". You should also be able to create an issue on the repo itself by clicking on the "issue page" link.

    [image attachment: 30291-image.png]

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "mark as answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.