Question Analysis
On a Linux endpoint, process events reveal a chain of group-enumeration utilities executed by a single session. Which utility was used to query the system's group database?

Question ID: 952931a4-af0b-4335-bbbe-73c8c5b327ae
Models Correct: 8/16
Valid Answer: 1
Success Rate: 50%

Reference Answer (human-validated correct answer for this question): getent
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | getent | `DeviceProcessEvents \| where ActionType == "ProcessCreated" \| where ProcessCommandLine contains " getent group" or ProcessCommandLine contains " /etc/group" \| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, LogonId, InitiatingProcessSessionId, CreatedProcessSessionId` | Correct | 1 | 13.44s | 0.0071 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0113 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2382 |
| gpt-4.1 | getent | `DeviceProcessEvents \| where FileName in~ ("getent", "cat", "groups", "id") \| where ProcessCommandLine has_any ("group", "/etc/group") \| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessSessionId \| summarize UtilitiesUsed=make_set(FileName) by InitiatingProcessSessionId, DeviceName, AccountName` | Correct | 1 | 5.41s | 0.0112 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0858 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0079 |
| gpt-4.1-nano | getent group | `DeviceProcessEvents \| where FileName in ('getent', 'groups', 'id') \| where ProcessCommandLine contains 'group' \| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessId, InitiatingProcessId, InitiatingProcessParentId` | Correct | 2 | 3.63s | 0.0008 |
| gpt-4o | id | `let linuxDevices = DeviceInfo \| where OSPlatform == 'Linux' \| distinct DeviceId; DeviceProcessEvents \| where DeviceId in (linuxDevices) \| where ProcessCommandLine has_any ('id', 'getent', 'groups') or FileName has_any ('id', 'getent', 'groups') \| summarize count() by FileName` | Incorrect | 2 | 5.02s | 0.0273 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0925 |
| grok-3-mini-beta | getent | `let LinuxDevices = DeviceInfo \| where OSPlatform == 'Linux' \| distinct DeviceId; DeviceProcessEvents \| where DeviceId in (LinuxDevices) \| where (FileName == 'groups' or ProcessCommandLine contains 'getent group') \| summarize distinct_utilities = make_set(FileName) by InitiatingProcessSessionId \| project InitiatingProcessSessionId, distinct_utilities` | Correct | 1 | 16.86s | 0.0015 |
| o1-high | getent | `DeviceProcessEvents \| where FileName in~ ("getent", "cat", "id", "groups") \| where ProcessCommandLine has_any ("group", "/etc/group") \| project TimeGenerated, DeviceName, InitiatingProcessSessionId, FileName, FolderPath, ProcessCommandLine \| order by TimeGenerated asc` | Correct | 3 | 103.00s | 0.4782 |
| o1-low | getent | `DeviceInfo \| where OSPlatform == "Linux" \| join kind=inner ( DeviceProcessEvents \| where ProcessCommandLine has_any("getent group", "/etc/group") ) on DeviceId \| project TimeGenerated, DeviceName, InitiatingProcessSessionId, FileName, ProcessCommandLine \| order by TimeGenerated desc` | Correct | 1 | 33.94s | 0.4710 |
| o3-mini-high | getent | `DeviceProcessEvents \| where ProcessCommandLine contains "getent" and ProcessCommandLine contains "group" \| project TimeGenerated, DeviceName, InitiatingProcessSessionId, FileName, ProcessCommandLine, ProcessCreationTime, FolderPath` | Correct | 1 | 41.09s | 0.0141 |
| o3-mini-low | getent | `DeviceProcessEvents \| where ProcessCommandLine has "group" \| summarize ProcessChain = make_set(FileName) by InitiatingProcessSessionId \| where array_index_of(ProcessChain, "getent") >= 0 \| project InitiatingProcessSessionId, ProcessChain // The resulting output shows sessions (InitiatingProcessSessionId) where the chain of utilities includes 'getent', which is used to query the system's group database.` | Correct | 1 | 31.69s | 0.0118 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0487 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0388 |