Question Analysis

On a Linux system, analyze the process logs for suspicious command line activity that includes a sequence of commands indicating a pipe-to-shell operation. Identify the tool that was used to execute this piped command, paying special attention to its use in downloading and running script content.

fca246a8-a585-4f28-a2df-6495973976a1

Question ID

2/16

Models Correct

Valid Answer

13%

Success Rate

Reference Answer

Human-validated correct answer for this question

bash

Model Performance Comparison

See how different AI models performed on this question

Model	Answer	KQL Query	Status	Attempts	Time	Cost
gemini-2.5-flash-preview-04-17	bash	DeviceProcessEvents \| where ActionType == "ProcessCreated" \| where ProcessCommandLine matches regex @".\\|\s(bash\|sh\|python\|pwsh)" \| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName, ReportId	Correct	1	37.41s	0.0233
gpt-35-turbo	No answer provided	No query generated	Incorrect	5	0.00s	0.0118
gpt-4-turbo-2024-04-09	No answer provided	No query generated	Incorrect	5	0.00s	0.2314
gpt-4.1	curl	DeviceProcessEvents \| where ProcessCommandLine contains '\|' \| where ProcessCommandLine matches regex @"\\|\s*(sh\|bash\|zsh\|/bin/sh\|/bin/bash\|/bin/zsh)" \| extend download_tool = case(ProcessCommandLine has "curl", "curl", ProcessCommandLine has "wget", "wget", ProcessCommandLine has "python", "python", "other") \| extend script_url = extract("(https?://[^ \|;]+)", 1, ProcessCommandLine) \| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, download_tool, script_url, InitiatingProcessCommandLine, InitiatingProcessFileName, FolderPath	Incorrect	2	22.32s	0.0456
gpt-4.1-finetuned	python3	let whitelisted_tools = dynamic(["at", "batch", "bc", "bash", "curl", "ftp", "ksh", "mksh", "openssl", "php", "nc", "ncat", "netcat", "paste", "perl", "ps", "python2", "python3", "rpm", "sh", "sort", "ssh", "telnet", "timeout", "vi", "watch", "zsh"]); DeviceProcessEvents \| where ProcessCommandLine contains "\|" and ProcessCommandLine contains "%" \| extend pattern = extract(@"([a-zA-Z]+)\s\\|\s\%*", 1, ProcessCommandLine) \| where isnotnull(pattern) and pattern !in (whitelisted_tools) \| summarize count() by DeviceName, SHA256, ProcessCommandLine, pattern, AccountName \| sort by count_ desc \| extend AccountName = tostring(split(AccountName, "@", 0)[0]) \| extend UPNSuffix = tostring(split(AccountName, "@", 1)[1])	Incorrect	2	22.14s	0.0266
gpt-4.1-mini	No answer provided	No query generated	Incorrect	5	0.00s	0.0064
gpt-4.1-nano	unknown	DeviceProcessEvents \| where FileName in~ ('bash', 'sh', 'dash') \| where ProcessCommandLine contains '\| sh' or ProcessCommandLine contains '\| bash' or ProcessCommandLine contains '\|python' or ProcessCommandLine contains '\|curl' or ProcessCommandLine contains '\|wget' \| extend toolUsed = case( ProcessCommandLine contains '\| curl', 'curl', ProcessCommandLine contains '\| wget', 'wget', ProcessCommandLine contains '\| python', 'python', 'unknown') \| project ProcessId, ProcessCommandLine, toolUsed, InitiatingProcessFileName, InitiatingProcessCreationTime, DeviceName	Incorrect	1	3.76s	0.0010
gpt-4o	No answer provided	No query generated	Incorrect	5	0.00s	0.0653
grok-3-beta	curl	DeviceProcessEvents \| where ProcessCommandLine contains '\|' and ProcessCommandLine matches regex @'(sh\|bash\|zsh\|ksh\|tcsh\|dash)\s' \| where ProcessCommandLine contains 'curl' or ProcessCommandLine contains 'wget' or ProcessCommandLine contains 'http' \| join kind=inner ( DeviceInfo \| where OSPlatform == 'Linux' ) on DeviceId \| project DeviceName, FileName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine \| order by ProcessCreationTime desc	Incorrect	2	24.25s	0.0759
grok-3-mini-beta	bash	DeviceInfo \| where OSPlatform == 'Linux' \| join kind=inner (DeviceProcessEvents) on DeviceId \| where ProcessCommandLine contains '\|' and (ProcessCommandLine contains 'curl' or ProcessCommandLine contains 'wget') and (ProcessCommandLine contains 'bash' or ProcessCommandLine contains 'sh') \| project TimeGenerated, DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessFileName \| summarize arg_max(TimeGenerated, *) by DeviceId, ProcessCommandLine \| order by TimeGenerated desc	Correct	2	27.78s	0.0034
o1-high	curl	DeviceInfo \| where OSPlatform == "Linux" \| join kind=inner ( DeviceProcessEvents \| where ActionType == "ProcessCreated" \| where ProcessCommandLine has "\|" // check for pipe in command line \| where ProcessCommandLine has_any ("curl", "wget") // check for download tools \| where ProcessCommandLine has_any ("bash", "sh", "zsh", "python", "perl") // check for shell execution ) on DeviceId \| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath, FileName, SHA256, OSPlatform \| order by TimeGenerated desc	Incorrect	2	89.71s	0.7373
o1-low	curl	let LinuxDevices = DeviceInfo \| where OSPlatform == "Linux" \| distinct DeviceId; DeviceProcessEvents \| where DeviceId in (LinuxDevices) \| where tolower(ProcessCommandLine) has "\|" // searching for pipe \| where tolower(ProcessCommandLine) has_any ("bash", "sh") // searching for piping to a shell \| where tolower(ProcessCommandLine) has_any ("curl", "wget", "python", "nc") \| extend ToolUsed = extract(@"(curl\|wget\|python\|nc)", 1, tolower(ProcessCommandLine)) \| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ToolUsed, InitiatingProcessCommandLine \| order by TimeGenerated desc	Incorrect	1	29.60s	0.2759
o3-mini-high	curl	DeviceProcessEvents \| extend cmd = iif(isnotempty(ProcessCommandLine), ProcessCommandLine, InitiatingProcessCommandLine) \| where isnotempty(cmd) \| where tolower(cmd) matches regex ".(curl\|wget).\\\|\\s(sh\|bash)." \| extend downloadTool = tolower(extract("(?i)(curl\|wget)", 1, cmd)) \| project TimeGenerated, DeviceName, cmd, downloadTool \| sort by TimeGenerated desc	Incorrect	3	47.94s	0.0297
o3-mini-low	curl	DeviceProcessEvents \| where isnotempty(InitiatingProcessCommandLine) \| where InitiatingProcessCommandLine has "\|" and (InitiatingProcessCommandLine has "curl" or InitiatingProcessCommandLine has "wget") \| extend DownloadTool = case(InitiatingProcessCommandLine contains "curl", "curl", InitiatingProcessCommandLine contains "wget", "wget", "unknown") \| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, DownloadTool \| sort by TimeGenerated desc	Incorrect	1	23.41s	0.0106
o4-mini-high	curl	// Timerange is applied externally by the UI DeviceInfo \| where OSPlatform has "Linux" \| project DeviceId, OSPlatform \| join kind=inner ( DeviceProcessEvents // look for a pipeline to a shell with a download tool \| where ProcessCommandLine has "\|" \| where ProcessCommandLine matches regex @"(?i)\b(?:curl\|wget\|fetch\|perl\|python)\b.\\|\s(?:bash\|sh)\b" ) on DeviceId \| extend Downloader = extract(@"(?i)\b(curl\|wget\|fetch\|perl\|python)\b", 1, ProcessCommandLine), Shell = extract(@"(?i)\\|\s(bash\|sh)\b", 1, ProcessCommandLine), URL = extract(@"(?i)(?:curl\|wget\|fetch)\s+.?(https?://\S+)", 1, ProcessCommandLine) \| project TimeGenerated, DeviceName, OSPlatform, AccountName = InitiatingProcessAccountName, ProcessFileName = FileName, ProcessCommandLine, Downloader, Shell, URL \| sort by TimeGenerated desc	Incorrect	4	133.12s	0.0525
o4-mini-low	curl	let LinuxDevices = DeviceInfo \| where OSPlatform == "Linux" \| distinct DeviceId; DeviceProcessEvents \| where DeviceId in (LinuxDevices) // Note: the TimeGenerated filter is set via the external time range picker \| where ProcessCommandLine matches regex "(?i)\\b(?:curl\|wget\|fetch)\\b.\\\|\\s(?:bash\|sh\|zsh)\\b" \| extend DownloaderTool = tostring(extract("(?i)\\b(curl\|wget\|fetch)\\b", 1, ProcessCommandLine)), ShellUsed = tostring(extract("\\\|\\s*(bash\|sh\|zsh)\\b", 1, ProcessCommandLine)) \| project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, DownloaderTool, ShellUsed, ProcessCommandLine, InitiatingProcessFileName, ProcessId \| order by TimeGenerated desc	Incorrect	2	66.20s	0.0235