// question
Investigate Linux process or syslog records to find any invocation of the 'find' utility used to scan /usr/bin for files with the setuid bit. What was the full command executed?
Reference KQL answer and model-by-model comparison.
8e36da01-cd29-45fd-be72-8a0fcaad4481
question id
17/23
models correct
1
valid answer
74%
success rate
// reference answer
Human-validated correct answer for this question.
find /usr/bin -perm -4000
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | no answer | no query generated | fail | 5 | 0.00s | 0.0219 |
| gpt-35-turbo | sh -c "find /usr/bin -perm -4000" | DeviceProcessEvents | where ProcessCommandLine contains 'find /usr/bin -perm -4000' | pass | 1 | 4.29s | 0.0040 |
| gpt-4-turbo-2024-04-09 | find /usr/bin -perm -4000 | DeviceProcessEvents | where ProcessCommandLine contains 'find' and ProcessCommandLine contains '/usr/bin' and ProcessCommandLine contains '-perm -4000' | project DeviceName, AccountName, ProcessCommandLine | distinct ProcessCommandLine | pass | 1 | 10.67s | 0.0526 |
| gpt-4.1 | find /usr/bin -perm -4000 | DeviceProcessEvents
| where FileName == "find"
| where ProcessCommandLine has "/usr/bin"
and ProcessCommandLine has_any ("-perm /4000", "-perm -4000", "-perm +4000")
| project TimeGenerated, DeviceName, AccountName, ProcessId, FileName, FolderPath, ProcessCommandLine | pass | 1 | 4.18s | 0.0110 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0342 |
| gpt-4.1-mini | find /usr/bin/crontab /usr/bin/ssh-agent /usr/bin/expiry /usr/bin/chage /usr/sbin/unix_chkpwd /usr/sbin/pam_extrausers_chkpwd /usr/lib/x86_64-linux-gnu/utempter/utempter -perm -2000 -type f -exec ls -la {} ; | DeviceProcessEvents
| where ProcessCommandLine has "find"
and ProcessCommandLine has "/usr/bin"
and ProcessCommandLine has "-perm"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | fail | 1 | 5.09s | 0.0030 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0011 |
| gpt-4o | find /usr/bin -perm -4000 | DeviceProcessEvents
| where ProcessCommandLine contains "find" and ProcessCommandLine contains "/usr/bin" and ProcessCommandLine contains "-perm" and ProcessCommandLine contains "4000"
or InitiatingProcessCommandLine contains "find" and InitiatingProcessCommandLine contains "/usr/bin" and InitiatingProcessCommandLine contains "-perm" and InitiatingProcessCommandLine contains "4000"
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine | pass | 2 | 21.71s | 0.0281 |
| gpt-5-high | find /usr/bin -perm -4000 | let LinuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId, DeviceName;
let ProcessFind =
DeviceProcessEvents
| where FileName =~ "find" or ProcessCommandLine contains "find"
| where ProcessCommandLine contains "/usr/bin"
| where ProcessCommandLine contains "-perm"
| where ProcessCommandLine contains "-4000" or ProcessCommandLine contains "/4000" or ProcessCommandLine contains "u=s" or ProcessCommandLine contains "u+s"
| join kind=inner LinuxDevices on DeviceId
| project Timestamp, DeviceId, DeviceName, AccountName, CommandLine=ProcessCommandLine, Source="DeviceProcessEvents";
let SyslogFind =
DeviceEvents
| join kind=inner LinuxDevices on DeviceId
| extend SyslogText = coalesce(tostring(AdditionalFields.Message), tostring(AdditionalFields.msg), tostring(AdditionalFields.SyslogMessage), tostring(AdditionalFields.EventText), tostring(AdditionalFields.audispd_raw), tostring(AdditionalFields.rawlog), tostring(AdditionalFields))
| where isnotempty(SyslogText)
| where SyslogText contains "find" and SyslogText contains "/usr/bin" and SyslogText contains "-perm"
| where SyslogText contains "-4000" or SyslogText contains "/4000" or SyslogText contains "u=s" or SyslogText contains "u+s"
| project Timestamp, DeviceId, DeviceName, AccountName, CommandLine=SyslogText, Source="DeviceEvents(Syslog/Audit)";
let Results = union ProcessFind, SyslogFind;
Results
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), ExecCount=count(), Devices=make_set(DeviceName, 100) by CommandLine
| order by LastSeen desc | pass | 2 | 120.39s | 0.1054 |
| gpt-5-mini-high | find /usr/bin -perm -4000 | // Find invocations of 'find' scanning /usr/bin for setuid files across process and syslog-like events
// Timerange is provided by external function caller
let findCmdPatterns = dynamic([
"find /usr/bin -perm -4000",
"find /usr/bin -perm /4000",
"find /usr/bin -perm -u=s",
"find /usr/bin -type f -perm -4000",
"find /usr/bin -type f -perm /u=s",
"find /usr/bin -perm -g=s",
"find /usr/bin -perm -o=s",
"find /usr/bin -perm /u=s",
"find /usr/bin -name '*suid*'"
]);
// Helper: match any of the patterns case-insensitively
let matchesPattern = (s:string) {
tolower(s)
| where s contains "find /usr/bin" and (
s contains "-perm" or s contains "-u=s" or s contains "-g=s" or s contains "-o=s" or s contains "-type f"
)
};
// Search DeviceProcessEvents which most reliably contains full process command lines
DeviceProcessEvents
| where isnotempty(ProcessCommandLine) and tolower(FileName) contains "find"
| where ProcessCommandLine contains "/usr/bin" or ProcessCommandLine contains " /usr/bin" or ProcessCommandLine contains "find /usr/bin"
| where ProcessCommandLine contains "-perm" or ProcessCommandLine contains "-u=s" or ProcessCommandLine contains "-g=s" or ProcessCommandLine contains "-o=s" or ProcessCommandLine contains "-type"
| project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId
| extend Source = "DeviceProcessEvents"
// Also search DeviceEvents (syslog-ish) where command lines may be logged in AdditionalFields or ProcessCommandLine/InitiatingProcessCommandLine
| union (
DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(AdditionalFields)
| extend AF = tostring(AdditionalFields)
| where (tolower(FileName) has "find")
or (isnotempty(ProcessCommandLine) and (ProcessCommandLine contains "find /usr/bin" or ProcessCommandLine contains "/usr/bin -perm"))
or (isnotempty(InitiatingProcessCommandLine) and (InitiatingProcessCommandLine contains "find /usr/bin" or InitiatingProcessCommandLine contains "/usr/bin -perm"))
or (AF contains "find /usr/bin" or AF contains "-perm -4000" or AF contains "-perm /4000" or AF contains "-u=s")
| project TimeGenerated, DeviceName, AccountName, ProcessId = InitiatingProcessId, ProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, AF), InitiatingProcessFileName, FileName, FolderPath, ReportId
| extend Source = "DeviceEvents"
)
| distinct DeviceName, TimeGenerated, AccountName, ProcessId, ProcessCommandLine, Source, InitiatingProcessFileName, FileName, FolderPath, ReportId
| order by TimeGenerated desc
| limit 100
| pass | 1 | 24.47s | 0.0055 |
| gpt-5-mini-low | find /usr/bin -perm -4000 | // Find invocations of 'find' scanning /usr/bin for setuid files let tstart = ago(7d); // DeviceProcessEvents: primary source for Linux process command lines let p = DeviceProcessEvents | where TimeGenerated >= tstart | where isnotempty(ProcessCommandLine) | extend Cmd = tostring(ProcessCommandLine), Account = coalesce(AccountName, InitiatingProcessAccountName) | project TimeGenerated, DeviceName, DeviceId, ProcessId, FileName, Cmd, Account; // DeviceEvents: may include ProcessCommandLine, InitiatingProcessCommandLine, or AdditionalFields let e = DeviceEvents | where TimeGenerated >= tstart | extend Cmd = coalesce(tostring(ProcessCommandLine), tostring(InitiatingProcessCommandLine), tostring(AdditionalFields)), Account = coalesce(AccountName, InitiatingProcessAccountName) | where isnotempty(Cmd) | project TimeGenerated, DeviceName, DeviceId, ProcessId = tolong(InitiatingProcessId), FileName, Cmd, Account; // DeviceFileEvents: initiating process command line let f = DeviceFileEvents | where TimeGenerated >= tstart | where isnotempty(InitiatingProcessCommandLine) | extend Cmd = tostring(InitiatingProcessCommandLine), Account = InitiatingProcessAccountName | project TimeGenerated, DeviceName, DeviceId, ProcessId = tolong(InitiatingProcessId), FileName, Cmd, Account; union p, e, f | extend lcCmd = tolower(Cmd) | where lcCmd contains "find" and (lcCmd contains "/usr/bin" or lcCmd contains "-perm" or lcCmd contains "4000" or lcCmd contains "u=s") | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), Devices=make_set(DeviceName), DeviceIds=make_set(DeviceId) by FullCommand = Cmd | order by FirstSeen desc | project FirstSeen, LastSeen, Count, Devices, DeviceIds, FullCommand | take 200 | pass | 5 | 105.90s | 0.0244 |
| gpt-5-mini-medium | find /usr/bin -perm -4000 | // Find invocations of `find` that target /usr/bin or use -perm/setuid patterns
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| extend cmd = tolower(ProcessCommandLine)
| where cmd has 'find' and (cmd has '/usr/bin' or cmd has '-perm' or cmd has '4000' or cmd has '-u=s' or cmd has 'setuid' or cmd has '-type f')
| extend FullCommand = trim(' ', ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessId, FullCommand, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable = 'DeviceProcessEvents'
| union (
DeviceEvents
| extend rawCmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields), '')
| where rawCmd != ''
| extend cmd = tolower(rawCmd)
| where cmd has 'find' and (cmd has '/usr/bin' or cmd has '-perm' or cmd has '4000' or cmd has '-u=s' or cmd has 'setuid' or cmd has '-type f')
| extend FullCommand = trim(' ', rawCmd)
| project TimeGenerated, DeviceName, ProcessId, FullCommand, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable = 'DeviceEvents'
)
| sort by TimeGenerated desc
| distinct FullCommand, DeviceName, ProcessId, TimeGenerated, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, SourceTable
| take 200 | pass | 2 | 46.15s | 0.0181 |
| gpt-5-nano-high | sh -c "find /usr/bin -perm -4000" | let startTime = ago(1d); let endTime = now(); let linux_find_process = DeviceProcessEvents | where TimeGenerated between (startTime .. endTime) | where InitiatingProcessCommandLine contains "find" | where InitiatingProcessCommandLine contains "/usr/bin" | where InitiatingProcessCommandLine contains "-perm" and ((InitiatingProcessCommandLine contains "4000") or (InitiatingProcessCommandLine contains "-4000")) | join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId | where OSPlatform contains "Linux" | project TimeGenerated, DeviceName, OSPlatform, CommandLine = InitiatingProcessCommandLine; let linux_syslog = DeviceEvents | where TimeGenerated between (startTime .. endTime) | where Type has "Syslog" | extend SyslogText = tostring(AdditionalFields) | where SyslogText contains "find" and SyslogText contains "/usr/bin" | join kind=inner (DeviceInfo | project DeviceId, OSPlatform) on DeviceId | where OSPlatform contains "Linux" | project TimeGenerated, DeviceName, OSPlatform, CommandLine = SyslogText; linux_find_process | union linux_syslog | sort by TimeGenerated desc | take 100 | pass | 4 | 125.38s | 0.0080 |
| gpt-5-nano-medium | sh -c "find /usr/bin -perm -4000" | DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend CmdLine = iff(isnotempty(InitiatingProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine) | where tolower(CmdLine) contains "find" | where tolower(CmdLine) contains "/usr/bin" | where (tolower(CmdLine) contains "-perm" and (tolower(CmdLine) contains "4000" or tolower(CmdLine) contains "04000")) or (tolower(CmdLine) contains "setuid") | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, CmdLine | sort by TimeGenerated desc | pass | 1 | 35.03s | 0.0019 |
| grok-3-beta | find /usr/bin -perm -4000 | DeviceProcessEvents | where TimeGenerated > ago(30d) | where FileName == 'find' | where ProcessCommandLine contains '/usr/bin' | where ProcessCommandLine contains '-perm -4000' or ProcessCommandLine contains '-perm -u=s' | project Timestamp, DeviceName, AccountName, ProcessCommandLine | order by Timestamp desc | pass | 2 | 14.74s | 0.0383 |
| grok-3-mini-beta | sh -c "find /usr/bin -perm -2000" | DeviceProcessEvents | where ProcessCommandLine contains "find" and ProcessCommandLine contains "/usr/bin" and ProcessCommandLine contains "-perm" | project TimeGenerated, DeviceName, DeviceId, ProcessCommandLine | order by TimeGenerated desc | fail | 1 | 14.66s | 0.0021 |
| o1-high | find /usr/bin -perm -4000 | DeviceProcessEvents
| join kind=inner (
DeviceInfo
| where OSPlatform =~ "Linux"
) on DeviceId
| where FileName endswith "find"
| where ProcessCommandLine has "/usr/bin" and ProcessCommandLine has "-perm" and ProcessCommandLine has "4000"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine | pass | 1 | 56.63s | 0.3844 |
| o1-low | find_/usr/bin_-perm_-4000 | DeviceProcessEvents | where FileName =~ "find" or ProcessCommandLine contains "find" | where ProcessCommandLine has "/usr/bin" and ProcessCommandLine has "-perm" | where ProcessCommandLine has "4000" or ProcessCommandLine has "u=s" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 40.54s | 0.3104 |
| o3-high | find /usr/bin -perm -4000 | // --- Find invocations of the "find" utility that search /usr/bin for set-uid files
let cmdRegex = @"-perm\s+(-?[0-7]*4000|/[0-7]*4000|u=s)";
let LinuxDevices = union isfuzzy=true (
DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId
) ;
union isfuzzy=true
(
DeviceProcessEvents
| where DeviceId in (LinuxDevices) // limit to Linux hosts
| where FileName == "find"
| where ProcessCommandLine has "/usr/bin"
| where ProcessCommandLine matches regex cmdRegex
| project
TimeGenerated,
DeviceName,
DeviceId,
AccountDomain,
AccountName,
FullCommandLine = ProcessCommandLine,
InitiatingProcessCommandLine
),
(
Syslog
| where SyslogMessage has "find" and SyslogMessage has "/usr/bin"
| where SyslogMessage matches regex cmdRegex
| project
TimeGenerated,
DeviceName = Computer,
DeviceId = tostring(extract("deviceId=([0-9A-Fa-f-]+)", 1, _ResourceId)),
AccountDomain = "",
AccountName = User,
FullCommandLine = SyslogMessage,
InitiatingProcessCommandLine = ""
)
| order by TimeGenerated desc | pass | 2 | 54.22s | 0.0399 |
| o3-mini-high | sh -c "find /usr/bin -perm -4000" | DeviceProcessEvents
| where InitiatingProcessCommandLine has "find"
and InitiatingProcessCommandLine has "/usr/bin"
and (InitiatingProcessCommandLine contains "4000" or InitiatingProcessCommandLine contains "setuid")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| order by TimeGenerated desc | pass | 1 | 62.28s | 0.0111 |
| o3-mini-low | sh -c "find /usr/bin -perm -4000" | DeviceProcessEvents | where InitiatingProcessCommandLine has "find" and InitiatingProcessCommandLine has "/usr/bin" | where InitiatingProcessCommandLine has "-perm" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | sort by TimeGenerated desc | pass | 1 | 27.02s | 0.0151 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0493 |
| o4-mini-low | find /usr/bin -perm -4000 | DeviceProcessEvents
| join kind=inner (
DeviceInfo
| where OSPlatform =~ "Linux"
| distinct DeviceId
) on DeviceId
// Look for the 'find' binary and arguments scanning /usr/bin for setuid files
| where FileName == "find"
| where ProcessCommandLine contains "/usr/bin"
| where ProcessCommandLine contains "-perm"
| where ProcessCommandLine contains "4000"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessId, ProcessCommandLine
| sort by TimeGenerated desc | pass | 1 | 36.63s | 0.0092 |