Event ID 9007001 — PowerShell command executed

Provider: Defender-DeviceEvents
Channel: PowerShellCommand

Description

PowerShell command executed — PowerShell ScriptBlockLogging captures the same surface.

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`AdditionalFields`	—
`InitiatingProcessFileName`	—
`InitiatingProcessCommandLine`	—

Detection Patterns #

Execution: Command and Scripting Interpreter

Defender-DeviceEvents Event ID 9007001: PowerShell command executedORPowerShell Event ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).

1 rule

Kusto Query Language

Suspicious Powershell Commandlet Executed (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table