Question Analysis
In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections.
f069f0f1-baad-4831-aa2b-eddac4baac4a
Question ID
19/23
Models Correct
1
Valid Answer
83%
Success Rate
Reference Answer
Human-validated correct answer for this question
Get-NetTCPConnection
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine contains "Get-NetTCPConnection" or ProcessCommandLine contains "netstat"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 1 | 12.94s | 0.0055 |
| gpt-35-turbo | Get-NetTCPConnection | DeviceProcessEvents
| where FileName == 'powershell.exe'
| where ProcessCommandLine has 'Get-NetTCPConnection' | Correct | 1 | 3.93s | 0.0033 |
| gpt-4-turbo-2024-04-09 | Get-NetTCPConnection | DeviceProcessEvents
| where FileName == 'powershell.exe'
| where ProcessCommandLine contains 'Get-NetTCPConnection' or ProcessCommandLine contains 'netstat'
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine | Correct | 1 | 10.86s | 0.0533 |
| gpt-4.1 | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetTCPConn")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| extend ExecutedCmdlet = case(ProcessCommandLine has "Get-NetTCPConnection", "Get-NetTCPConnection", ProcessCommandLine has "Get-NetTCPConn", "Get-NetTCPConn", ProcessCommandLine has "netstat", "netstat", "Unknown") | Correct | 1 | 4.63s | 0.0117 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0845 |
| gpt-4.1-mini | Get-NetTCPConnection | DeviceProcessEvents
| where ProcessCommandLine has "powershell"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetConnectionProfile", "Get-NetUDPEndpoint")
| summarize Count = count(), SampleCommands = make_list(ProcessCommandLine, 10) by InitiatingProcessAccountName, DeviceName, FileName
| order by Count desc | Correct | 1 | 17.48s | 0.0022 |
| gpt-4.1-nano | Get-NetTCPConnection | DeviceProcessEvents
| where FileName in ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine contains 'Get-NetTCPConnection'
| project Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId
| order by Timestamp desc | Correct | 1 | 21.72s | 0.0005 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0640 |
| gpt-5-high | Get-NetTCPConnection | let psh_from_deviceevents =
DeviceEvents
| where ActionType in ("PowerShellCommand", "PowerShellScriptBlockLogging")
| extend ScriptText = tostring(iff(ActionType == "PowerShellScriptBlockLogging", AdditionalFields.ScriptBlockText, coalesce(AdditionalFields.Command, AdditionalFields.ScriptContent, AdditionalFields.CommandLine)))
| extend CommandName = tostring(AdditionalFields.CommandName)
| where CommandName =~ "Get-NetTCPConnection" or ScriptText has "Get-NetTCPConnection"
| extend Cmdlet = iif(isnotempty(CommandName), CommandName, extract(@"(?i)\b(Get-NetTCPConnection)\b", 1, ScriptText))
| project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet, CommandText=coalesce(ScriptText, InitiatingProcessCommandLine);
let psh_from_processevents =
DeviceProcessEvents
| where (InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") or FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe"))
| where ProcessCommandLine has "Get-NetTCPConnection"
| extend Cmdlet = extract(@"(?i)\b(Get-NetTCPConnection)\b", 1, ProcessCommandLine)
| project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Cmdlet, CommandText=ProcessCommandLine;
union isfuzzy=true psh_from_deviceevents, psh_from_processevents
| extend ExecutingAccount = coalesce(AccountName, InitiatingProcessAccountName)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExecCount=count(), SampleCommand=any(CommandText) by DeviceId, DeviceName, ExecutingAccount, Cmdlet
| extend StateFilter = extract(@"(?i)-State\s+([A-Za-z,]+)", 1, SampleCommand)
| order by LastSeen desc | Correct | 1 | 93.35s | 0.0461 |
| gpt-5-mini-high | Get-NetTCPConnection | // PowerShell processes used to enumerate network connections
DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
| where FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe' or ProcessCommandLine has 'powershell' or ProcessCommandLine has 'pwsh'
// Look for common cmdlets and commands used to list TCP connections
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "Get-NetTCPStatistics", "Get-NetAdapter", "netstat", "ss -t", "Get-NetConnectionProfile", "Get-NetIPConnection")
| extend MatchedCommand = case(
ProcessCommandLine has "Get-NetTCPConnection", "Get-NetTCPConnection",
ProcessCommandLine has "netstat", "netstat",
ProcessCommandLine has "ss -t", "ss -t",
ProcessCommandLine has "Get-NetUDPEndpoint", "Get-NetUDPEndpoint",
ProcessCommandLine has "Get-NetTCPStatistics", "Get-NetTCPStatistics",
ProcessCommandLine has "Get-NetConnectionProfile", "Get-NetConnectionProfile",
ProcessCommandLine has "Get-NetIPConnection", "Get-NetIPConnection",
"other")
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, AccountName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine
| order by LastSeen desc, Count desc
| project FirstSeen, LastSeen, Count, DeviceName, AccountName, ProcessId, InitiatingProcessId, MatchedCommand, ProcessCommandLine
| Correct | 1 | 10.67s | 0.0030 |
| gpt-5-mini-low | Get-NetTCPConnection | let powershellNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]);
let networkIndicators = dynamic(["Get-NetTCPConnection","Get-NetUDPEndpoint","Get-NetTCPStatistics","Get-NetIPStatistics","Get-NetIPAddress","Get-NetConnectionProfile","Get-NetTCPInfo","netstat","Get-NetTCP*","Get-Net*Connection","Get-Net*TCP","Get-Net*UDP"]);
// Helper: search DeviceProcessEvents (and DeviceEvents) for PowerShell and likely network enumeration commands
union isfuzzy=true
(
DeviceProcessEvents
| where FileName in (powershellNames) or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh"
| extend CommandLine = tostring(ProcessCommandLine), EventSource = "DeviceProcessEvents", Time = TimeGenerated
),
(
DeviceEvents
| where FileName in (powershellNames) or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh"
| extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), EventSource = "DeviceEvents", Time = TimeGenerated
)
| where isnotempty(CommandLine)
// Focus on command lines that contain likely network enumeration indicators
| where CommandLine matches regex @"(?i)\b(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStatistics|Get-NetIPStatistics|Get-NetIPAddress|Get-NetConnectionProfile|Get-NetTCPInfo|netstat)\b"
| extend Matched = extract(@"(?i)\b(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStatistics|Get-NetIPStatistics|Get-NetIPAddress|Get-NetConnectionProfile|Get-NetTCPInfo|netstat)\b", 1, CommandLine)
// Normalize common variations
| extend Matched = case(tolower(Matched)=="netstat","netstat", tostring(Matched))
| extend Matched = iif(isempty(Matched), "unknown", Matched)
| project Time, DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessId, AccountName, AccountDomain, CommandLine, Matched, EventSource
| summarize Count = count(), SampleCommandLine = any(CommandLine), ExampleTime = min(Time) by Matched, DeviceName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessId, AccountName, AccountDomain
| order by Count desc
| take 100
| Correct | 1 | 18.50s | 0.0049 |
| gpt-5-mini-medium | Get-NetTCPConnection | // Find PowerShell processes that enumerated network connections
union isfuzzy=true
DeviceEvents
, DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
// Filter for PowerShell process executables or PowerShell in command line
| where (FileName has_cs "powershell" or FileName has_cs "pwsh" or ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" or InitiatingProcessFileName has_cs "powershell" or InitiatingProcessFileName has_cs "pwsh" or InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh")
// Look for network enumeration cmdlets or tools commonly used
| where ProcessCommandLine has_cs "Get-NetTCPConnection" or ProcessCommandLine has_cs "Get-NetUDPEndpoint" or ProcessCommandLine has_cs "Get-NetTCPStatistics" or ProcessCommandLine has_cs "Get-NetUDPEndpoint" or ProcessCommandLine has_cs "netstat" or ProcessCommandLine has_cs "Get-NetTCP" or InitiatingProcessCommandLine has_cs "Get-NetTCPConnection" or InitiatingProcessCommandLine has_cs "Get-NetUDPEndpoint" or InitiatingProcessCommandLine has_cs "Get-NetTCPStatistics" or InitiatingProcessCommandLine has_cs "netstat" or InitiatingProcessCommandLine has_cs "Get-NetTCP"
// Extract the cmdlet/tool name
| extend Cmdlet = case(
ProcessCommandLine has_cs "Get-NetTCPConnection" or InitiatingProcessCommandLine has_cs "Get-NetTCPConnection", "Get-NetTCPConnection",
ProcessCommandLine has_cs "Get-NetUDPEndpoint" or InitiatingProcessCommandLine has_cs "Get-NetUDPEndpoint", "Get-NetUDPEndpoint",
ProcessCommandLine has_cs "Get-NetTCPStatistics" or InitiatingProcessCommandLine has_cs "Get-NetTCPStatistics", "Get-NetTCPStatistics",
ProcessCommandLine has_cs "netstat" or InitiatingProcessCommandLine has_cs "netstat", "netstat",
ProcessCommandLine has_cs "Get-NetTCP", "Get-NetTCP",
"other")
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, Cmdlet, ReportId, TenantId
| summarize Count = count(), Samples = make_list(pack('TimeGenerated', TimeGenerated, 'DeviceName', DeviceName, 'ProcessId', ProcessId, 'ProcessCommandLine', ProcessCommandLine, 'InitiatingProcessId', InitiatingProcessId, 'InitiatingProcessCommandLine', InitiatingProcessCommandLine), 5) by Cmdlet
| order by Count desc | Correct | 1 | 12.69s | 0.0040 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0083 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0078 |
| grok-3-beta | Get-NetTCPConnection | DeviceProcessEvents
| where FileName contains "powershell.exe" or InitiatingProcessFileName contains "powershell.exe"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp")
or InitiatingProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp")
| project DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp
| order by Timestamp desc | Correct | 1 | 12.13s | 0.0363 |
| grok-3-mini-beta | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Get-NetTCPConnection' or ProcessCommandLine contains 'netstat'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 10.28s | 0.0016 |
| o1-high | Get-NetTCPConnection | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" or FileName =~ "powershell_ise.exe"
| where ProcessCommandLine has "Get-NetTCPConnection"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 36.45s | 0.1994 |
| o1-low | Get-NetTCPConnection | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Get-NetTCPConnection"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | Correct | 1 | 23.29s | 0.1788 |
| o3-high | Get-NetTCPConnection | // Find PowerShell processes that enumerated network connections (e.g. active TCP)
// Time range is controlled by the portal (TimeGenerated)
let PowerShellHosts = dynamic(["powershell.exe","powershell_ise.exe","pwsh.exe","pwsh"]);
let NetEnumerationCmdlets = dynamic(["Get-NetTCPConnection","Get-NetUDPEndpoint","Get-NetIPConnection","netstat"]);
DeviceProcessEvents
| where FileName in~ (PowerShellHosts) // limit to PowerShell hosts (case-insensitive)
| where ProcessCommandLine has_any(NetEnumerationCmdlets) // command-line contains one of the enumeration cmdlets
| extend CmdletExecuted = tostring(extract(@"(?i)(get-nettcpconnection|get-netudpendpoint|get-netipconnection|netstat)",0,ProcessCommandLine))
| project TimeGenerated, DeviceName, AccountDomain, AccountName,
FileName, ProcessId, CmdletExecuted, ProcessCommandLine,
InitiatingProcessParentFileName, InitiatingProcessId
| sort by TimeGenerated desc | Correct | 2 | 46.64s | 0.0334 |
| o3-mini-high | Get-NetTCPConnection | DeviceProcessEvents
| where tolower(InitiatingProcessFileName) has "powershell"
| where tolower(InitiatingProcessCommandLine) has "nettcpconnection"
| extend PS_Cmdlet = extract(@"(Get-[^\s]+)", 1, InitiatingProcessCommandLine)
| where isnotempty(PS_Cmdlet)
| summarize Count = count() by PS_Cmdlet
| order by Count desc | Correct | 2 | 19.24s | 0.0198 |
| o3-mini-low | Get-NetTCPConnection | union DeviceProcessEvents, DeviceEvents
| where (FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe")
| where InitiatingProcessCommandLine has "Get-NetTCPConnection"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessId
| summarize Occurrences=count() by DeviceName, InitiatingProcessCommandLine
| order by Occurrences desc | Correct | 2 | 99.24s | 0.0219 |
| o4-mini-high | Get-NetTCPConnection | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine contains "Get-NetTCPConnection"
| extend Cmdlet = extract(@"(Get-NetTCPConnection)", 1, ProcessCommandLine)
| summarize Count = count() by Cmdlet
| order by Count desc | Correct | 1 | 31.80s | 0.0129 |
| o4-mini-low | Get-NetTCPConnection | DeviceProcessEvents
| where FileName endswith "powershell.exe"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "Get-NetTCPStats", "netstat")
| extend Cmdlet = extract(@"(?i)(Get-NetTCPConnection|Get-NetUDPEndpoint|Get-NetTCPStats|netstat)\b", 1, ProcessCommandLine)
| summarize Count = count() by Cmdlet
| order by Count desc | Correct | 1 | 39.37s | 0.0145 |