// question

Investigate Linux process or syslog records to find any invocation of the 'find' utility used to scan /usr/bin for files with the setuid bit. What was the full command executed?

Reference KQL answer and model-by-model comparison.

8e36da01-cd29-45fd-be72-8a0fcaad4481
question id
17/23
models correct
1
valid answer
74%
success rate
// reference answer

Human-validated correct answer for this question.

find /usr/bin -perm -4000
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0219
gpt-35-turbo
sh -c "find /usr/bin -perm -4000"
DeviceProcessEvents
| where ProcessCommandLine contains 'find /usr/bin -perm -4000'
pass14.29s0.0040
gpt-4-turbo-2024-04-09
find /usr/bin -perm -4000
DeviceProcessEvents
| where ProcessCommandLine contains 'find' and ProcessCommandLine contains '/usr/bin' and ProcessCommandLine contains '-perm -4000'
| project DeviceName, AccountName, ProcessCommandLine
| distinct ProcessCommandLine
pass110.67s0.0526
gpt-4.1
find /usr/bin -perm -4000
DeviceProcessEvents
| where FileName == "find"
| where ProcessCommandLine has "/usr/bin"
    and ProcessCommandLine has_any ("-perm /4000", "-perm -4000", "-perm +4000")
| project TimeGenerated, DeviceName, AccountName, ProcessId, FileName, FolderPath, ProcessCommandLine
pass14.18s0.0110
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0342
gpt-4.1-mini
find /usr/bin/crontab /usr/bin/ssh-agent /usr/bin/expiry /usr/bin/chage /usr/sbin/unix_chkpwd /usr/sbin/pam_extrausers_chkpwd /usr/lib/x86_64-linux-gnu/utempter/utempter -perm -2000 -type f -exec ls -la {} ;
DeviceProcessEvents
| where ProcessCommandLine has "find"
    and ProcessCommandLine has "/usr/bin"
    and ProcessCommandLine has "-perm"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
fail15.09s0.0030
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0011
gpt-4o
find /usr/bin -perm -4000
DeviceProcessEvents
| where ProcessCommandLine contains "find" and ProcessCommandLine contains "/usr/bin" and ProcessCommandLine contains "-perm" and ProcessCommandLine contains "4000"
    or InitiatingProcessCommandLine contains "find" and InitiatingProcessCommandLine contains "/usr/bin" and InitiatingProcessCommandLine contains "-perm" and InitiatingProcessCommandLine contains "4000"
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
pass221.71s0.0281
gpt-5-high
find /usr/bin -perm -4000
let LinuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId, DeviceName;
let ProcessFind =
    DeviceProcessEvents
    | where FileName =~ "find" or ProcessCommandLine contains "find"
    | where ProcessCommandLine contains "/usr/bin"
    | where ProcessCommandLine contains "-perm"
    | where ProcessCommandLine contains "-4000" or ProcessCommandLine contains "/4000" or ProcessCommandLine contains "u=s" or ProcessCommandLine contains "u+s"
    | join kind=inner LinuxDevices on DeviceId
    | project Timestamp, DeviceId, DeviceName, AccountName, CommandLine=ProcessCommandLine, Source="DeviceProcessEvents";
let SyslogFind =
    DeviceEvents
    | join kind=inner LinuxDevices on DeviceId
    | extend SyslogText = coalesce(tostring(AdditionalFields.Message), tostring(AdditionalFields.msg), tostring(AdditionalFields.SyslogMessage), tostring(AdditionalFields.EventText), tostring(AdditionalFields.audispd_raw), tostring(AdditionalFields.rawlog), tostring(AdditionalFields))
    | where isnotempty(SyslogText)
    | where SyslogText contains "find" and SyslogText contains "/usr/bin" and SyslogText contains "-perm"
    | where SyslogText contains "-4000" or SyslogText contains "/4000" or SyslogText contains "u=s" or SyslogText contains "u+s"
    | project Timestamp, DeviceId, DeviceName, AccountName, CommandLine=SyslogText, Source="DeviceEvents(Syslog/Audit)";
let Results = union ProcessFind, SyslogFind;
Results
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), ExecCount=count(), Devices=make_set(DeviceName, 100) by CommandLine
| order by LastSeen desc
pass2120.39s0.1054
gpt-5-mini-high
find /usr/bin -perm -4000
// Find invocations of 'find' scanning /usr/bin for setuid files across process and syslog-like events
// Timerange is provided by external function caller

let findCmdPatterns = dynamic([
  "find /usr/bin -perm -4000",
  "find /usr/bin -perm /4000",
  "find /usr/bin -perm -u=s",
  "find /usr/bin -type f -perm -4000",
  "find /usr/bin -type f -perm /u=s",
  "find /usr/bin -perm -g=s",
  "find /usr/bin -perm -o=s",
  "find /usr/bin -perm /u=s",
  "find /usr/bin -name '*suid*'"
]);

// Helper: match any of the patterns case-insensitively
let matchesPattern = (s:string) {
    tolower(s)
    | where s contains "find /usr/bin" and (
        s contains "-perm" or s contains "-u=s" or s contains "-g=s" or s contains "-o=s" or s contains "-type f"
    )
};

// Search DeviceProcessEvents which most reliably contains full process command lines
DeviceProcessEvents
| where isnotempty(ProcessCommandLine) and tolower(FileName) contains "find"
| where ProcessCommandLine contains "/usr/bin" or ProcessCommandLine contains " /usr/bin" or ProcessCommandLine contains "find /usr/bin"
| where ProcessCommandLine contains "-perm" or ProcessCommandLine contains "-u=s" or ProcessCommandLine contains "-g=s" or ProcessCommandLine contains "-o=s" or ProcessCommandLine contains "-type"
| project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId
| extend Source = "DeviceProcessEvents"

// Also search DeviceEvents (syslog-ish) where command lines may be logged in AdditionalFields or ProcessCommandLine/InitiatingProcessCommandLine
| union (
    DeviceEvents
    | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(AdditionalFields)
    | extend AF = tostring(AdditionalFields)
    | where (tolower(FileName) has "find")
        or (isnotempty(ProcessCommandLine) and (ProcessCommandLine contains "find /usr/bin" or ProcessCommandLine contains "/usr/bin -perm"))
        or (isnotempty(InitiatingProcessCommandLine) and (InitiatingProcessCommandLine contains "find /usr/bin" or InitiatingProcessCommandLine contains "/usr/bin -perm"))
        or (AF contains "find /usr/bin" or AF contains "-perm -4000" or AF contains "-perm /4000" or AF contains "-u=s")
    | project TimeGenerated, DeviceName, AccountName, ProcessId = InitiatingProcessId, ProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, AF), InitiatingProcessFileName, FileName, FolderPath, ReportId
    | extend Source = "DeviceEvents"
)
| distinct DeviceName, TimeGenerated, AccountName, ProcessId, ProcessCommandLine, Source, InitiatingProcessFileName, FileName, FolderPath, ReportId
| order by TimeGenerated desc
| limit 100
pass124.47s0.0055
gpt-5-mini-low
find /usr/bin -perm -4000
// Find invocations of 'find' scanning /usr/bin for setuid files
let tstart = ago(7d);

// DeviceProcessEvents: primary source for Linux process command lines
let p = DeviceProcessEvents
| where TimeGenerated >= tstart
| where isnotempty(ProcessCommandLine)
| extend Cmd = tostring(ProcessCommandLine), Account = coalesce(AccountName, InitiatingProcessAccountName)
| project TimeGenerated, DeviceName, DeviceId, ProcessId, FileName, Cmd, Account;

// DeviceEvents: may include ProcessCommandLine, InitiatingProcessCommandLine, or AdditionalFields
let e = DeviceEvents
| where TimeGenerated >= tstart
| extend Cmd = coalesce(tostring(ProcessCommandLine), tostring(InitiatingProcessCommandLine), tostring(AdditionalFields)), Account = coalesce(AccountName, InitiatingProcessAccountName)
| where isnotempty(Cmd)
| project TimeGenerated, DeviceName, DeviceId, ProcessId = tolong(InitiatingProcessId), FileName, Cmd, Account;

// DeviceFileEvents: initiating process command line
let f = DeviceFileEvents
| where TimeGenerated >= tstart
| where isnotempty(InitiatingProcessCommandLine)
| extend Cmd = tostring(InitiatingProcessCommandLine), Account = InitiatingProcessAccountName
| project TimeGenerated, DeviceName, DeviceId, ProcessId = tolong(InitiatingProcessId), FileName, Cmd, Account;

union p, e, f
| extend lcCmd = tolower(Cmd)
| where lcCmd contains "find"
  and (lcCmd contains "/usr/bin" or lcCmd contains "-perm" or lcCmd contains "4000" or lcCmd contains "u=s")
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), Devices=make_set(DeviceName), DeviceIds=make_set(DeviceId) by FullCommand = Cmd
| order by FirstSeen desc
| project FirstSeen, LastSeen, Count, Devices, DeviceIds, FullCommand
| take 200
pass5105.90s0.0244
gpt-5-mini-medium
find /usr/bin -perm -4000
// Find invocations of `find` that target /usr/bin or use -perm/setuid patterns

DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| extend cmd = tolower(ProcessCommandLine)
| where cmd has 'find' and (cmd has '/usr/bin' or cmd has '-perm' or cmd has '4000' or cmd has '-u=s' or cmd has 'setuid' or cmd has '-type f')
| extend FullCommand = trim(' ', ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessId, FullCommand, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable = 'DeviceProcessEvents'

| union (
    DeviceEvents
    | extend rawCmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields), '')
    | where rawCmd != ''
    | extend cmd = tolower(rawCmd)
    | where cmd has 'find' and (cmd has '/usr/bin' or cmd has '-perm' or cmd has '4000' or cmd has '-u=s' or cmd has 'setuid' or cmd has '-type f')
    | extend FullCommand = trim(' ', rawCmd)
    | project TimeGenerated, DeviceName, ProcessId, FullCommand, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable = 'DeviceEvents'
)
| sort by TimeGenerated desc
| distinct FullCommand, DeviceName, ProcessId, TimeGenerated, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable
| take 200
pass246.15s0.0181
gpt-5-nano-high
sh -c "find /usr/bin -perm -4000"
let startTime = ago(1d);
let endTime = now();

let linux_find_process =
DeviceProcessEvents
| where TimeGenerated between (startTime .. endTime)
| where InitiatingProcessCommandLine contains "find"
| where InitiatingProcessCommandLine contains "/usr/bin"
| where InitiatingProcessCommandLine contains "-perm" and ((InitiatingProcessCommandLine contains "4000") or (InitiatingProcessCommandLine contains "-4000"))
| join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId
| where OSPlatform contains "Linux"
| project TimeGenerated, DeviceName, OSPlatform, CommandLine = InitiatingProcessCommandLine;

let linux_syslog =
DeviceEvents
| where TimeGenerated between (startTime .. endTime)
| where Type has "Syslog"
| extend SyslogText = tostring(AdditionalFields)
| where SyslogText contains "find" and SyslogText contains "/usr/bin"
| join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId
| where OSPlatform contains "Linux"
| project TimeGenerated, DeviceName, OSPlatform, CommandLine = SyslogText;

linux_find_process
| union linux_syslog
| sort by TimeGenerated desc
| take 100
pass4125.38s0.0080
gpt-5-nano-medium
sh -c "find /usr/bin -perm -4000"
DeviceProcessEvents
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine)
| extend CmdLine = iff(isnotempty(InitiatingProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine)
| where tolower(CmdLine) contains "find"
| where tolower(CmdLine) contains "/usr/bin"
| where (tolower(CmdLine) contains "-perm" and (tolower(CmdLine) contains "4000" or tolower(CmdLine) contains "04000"))
  or (tolower(CmdLine) contains "setuid")
| project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, CmdLine
| sort by TimeGenerated desc
pass135.03s0.0019
grok-3-beta
find /usr/bin -perm -4000
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName == 'find'
| where ProcessCommandLine contains '/usr/bin'
| where ProcessCommandLine contains '-perm -4000' or ProcessCommandLine contains '-perm -u=s'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
pass214.74s0.0383
grok-3-mini-beta
sh -c "find /usr/bin -perm -2000"
DeviceProcessEvents
| where ProcessCommandLine contains "find" and ProcessCommandLine contains "/usr/bin" and ProcessCommandLine contains "-perm"
| project TimeGenerated, DeviceName, DeviceId, ProcessCommandLine
| order by TimeGenerated desc
fail114.66s0.0021
o1-high
find /usr/bin -perm -4000
DeviceProcessEvents
| join kind=inner (
    DeviceInfo
    | where OSPlatform =~ "Linux"
) on DeviceId
| where FileName endswith "find"
| where ProcessCommandLine has "/usr/bin" and ProcessCommandLine has "-perm" and ProcessCommandLine has "4000"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine
pass156.63s0.3844
o1-low
find_/usr/bin_-perm_-4000
DeviceProcessEvents
| where FileName =~ "find" or ProcessCommandLine contains "find"
| where ProcessCommandLine has "/usr/bin" and ProcessCommandLine has "-perm"
| where ProcessCommandLine has "4000" or ProcessCommandLine has "u=s"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass140.54s0.3104
o3-high
find /usr/bin -perm -4000
// --- Find invocations of the "find" utility that search /usr/bin for set-uid files
let cmdRegex = @"-perm\s+(-?[0-7]*4000|/[0-7]*4000|u=s)";
let LinuxDevices = union isfuzzy=true (
    DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId
) ;
union isfuzzy=true
(
    DeviceProcessEvents
    | where DeviceId in (LinuxDevices)  // limit to Linux hosts
    | where FileName == "find"
    | where ProcessCommandLine has "/usr/bin"
    | where ProcessCommandLine matches regex cmdRegex
    | project
        TimeGenerated,
        DeviceName,
        DeviceId,
        AccountDomain,
        AccountName,
        FullCommandLine = ProcessCommandLine,
        InitiatingProcessCommandLine
),
(
    Syslog
    | where SyslogMessage has "find" and SyslogMessage has "/usr/bin"
    | where SyslogMessage matches regex cmdRegex
    | project
        TimeGenerated,
        DeviceName = Computer,
        DeviceId = tostring(extract("deviceId=([0-9A-Fa-f-]+)", 1, _ResourceId)),
        AccountDomain = "",
        AccountName = User,
        FullCommandLine = SyslogMessage,
        InitiatingProcessCommandLine = ""
)
| order by TimeGenerated desc
pass254.22s0.0399
o3-mini-high
sh -c "find /usr/bin -perm -4000"
DeviceProcessEvents
| where InitiatingProcessCommandLine has "find"
      and InitiatingProcessCommandLine has "/usr/bin"
      and (InitiatingProcessCommandLine contains "4000" or InitiatingProcessCommandLine contains "setuid")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass162.28s0.0111
o3-mini-low
sh -c "find /usr/bin -perm -4000"
DeviceProcessEvents
| where InitiatingProcessCommandLine has "find" and InitiatingProcessCommandLine has "/usr/bin"
| where InitiatingProcessCommandLine has "-perm"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| sort by TimeGenerated desc
pass127.02s0.0151
o4-mini-high
no answer
no query generatedfail50.00s0.0493
o4-mini-low
find /usr/bin -perm -4000
DeviceProcessEvents
| join kind=inner (
    DeviceInfo
    | where OSPlatform =~ "Linux"
    | distinct DeviceId
) on DeviceId
// Look for the 'find' binary and arguments scanning /usr/bin for setuid files
| where FileName == "find"
| where ProcessCommandLine contains "/usr/bin"
| where ProcessCommandLine contains "-perm"
| where ProcessCommandLine contains "4000"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessId, ProcessCommandLine
| sort by TimeGenerated desc
pass136.63s0.0092