Question Analysis
In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections.
f069f0f1-baad-4831-aa2b-eddac4baac4a
Question ID
14/16
Models Correct
1
Valid Answer
88%
Success Rate
Reference Answer
Human-validated correct answer for this question
Get-NetTCPConnection
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine contains "Get-NetTCPConnection" or ProcessCommandLine contains "netstat"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 1 | 12.94s | 0.0055 |
| gpt-35-turbo | Get-NetTCPConnection | DeviceProcessEvents
| where FileName == 'powershell.exe'
| where ProcessCommandLine has 'Get-NetTCPConnection' | Correct | 1 | 3.93s | 0.0033 |
| gpt-4-turbo-2024-04-09 | Get-NetTCPConnection | DeviceProcessEvents
| where FileName == 'powershell.exe'
| where ProcessCommandLine contains 'Get-NetTCPConnection' or ProcessCommandLine contains 'netstat'
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine | Correct | 1 | 10.86s | 0.0533 |
| gpt-4.1 | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetTCPConn")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| extend ExecutedCmdlet = case(ProcessCommandLine has "Get-NetTCPConnection", "Get-NetTCPConnection", ProcessCommandLine has "Get-NetTCPConn", "Get-NetTCPConn", ProcessCommandLine has "netstat", "netstat", "Unknown") | Correct | 1 | 4.63s | 0.0117 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0845 |
| gpt-4.1-mini | Get-NetTCPConnection | DeviceProcessEvents
| where ProcessCommandLine has "powershell"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetConnectionProfile", "Get-NetUDPEndpoint")
| summarize Count = count(), SampleCommands = make_list(ProcessCommandLine, 10) by InitiatingProcessAccountName, DeviceName, FileName
| order by Count desc | Correct | 1 | 17.48s | 0.0022 |
| gpt-4.1-nano | Get-NetTCPConnection | DeviceProcessEvents
| where FileName in ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine contains 'Get-NetTCPConnection'
| project Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId
| order by Timestamp desc | Correct | 1 | 21.72s | 0.0005 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0640 |
| grok-3-beta | Get-NetTCPConnection | DeviceProcessEvents
| where FileName contains "powershell.exe" or InitiatingProcessFileName contains "powershell.exe"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp")
or InitiatingProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp")
| project DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp
| order by Timestamp desc | Correct | 1 | 12.13s | 0.0363 |
| grok-3-mini-beta | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Get-NetTCPConnection' or ProcessCommandLine contains 'netstat'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 10.28s | 0.0016 |
| o1-high | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" or FileName =~ "powershell_ise.exe"
| where ProcessCommandLine has "Get-NetTCPConnection"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 36.45s | 0.1994 |
| o1-low | Get-NetTCPConnection | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Get-NetTCPConnection"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | Correct | 1 | 23.29s | 0.1788 |
| o3-mini-high | Get-NetTCPConnection | DeviceProcessEvents
| where tolower(InitiatingProcessFileName) has "powershell"
| where tolower(InitiatingProcessCommandLine) has "nettcpconnection"
| extend PS_Cmdlet = extract(@"(Get-[^\s]+)", 1, InitiatingProcessCommandLine)
| where isnotempty(PS_Cmdlet)
| summarize Count = count() by PS_Cmdlet
| order by Count desc | Correct | 2 | 19.24s | 0.0198 |
| o3-mini-low | Get-NetTCPConnection | union DeviceProcessEvents, DeviceEvents
| where (FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe")
| where InitiatingProcessCommandLine has "Get-NetTCPConnection"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessId
| summarize Occurrences=count() by DeviceName, InitiatingProcessCommandLine
| order by Occurrences desc | Correct | 2 | 99.24s | 0.0219 |
| o4-mini-high | Get-NetTCPConnection | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine contains "Get-NetTCPConnection"
| extend Cmdlet = extract(@"(Get-NetTCPConnection)", 1, ProcessCommandLine)
| summarize Count = count() by Cmdlet
| order by Count desc | Correct | 1 | 31.80s | 0.0129 |
| o4-mini-low | Get-NetTCPConnection | DeviceProcessEvents
| where FileName endswith "powershell.exe"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "Get-NetTCPStats", "netstat")
| extend Cmdlet = extract(@"(?i)(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStats|netstat)\b", 1, ProcessCommandLine)
| summarize Count = count() by Cmdlet
| order by Count desc | Correct | 1 | 39.37s | 0.0145 |