Question Analysis
On a Windows device, PowerShell was used to collect a snapshot of running processes. Identify the exact cmdlet that was executed.
3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
Question ID
12/16
Models Correct
1
Valid Answer
75%
Success Rate
Reference Answer
Human-validated correct answer for this question
Get-Process
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | Get-Process | DeviceProcessEvents
| where FileName == "powershell.exe"
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "Get-Process"
| distinct ProcessCommandLine | Correct | 1 | 32.65s | 0.0034 |
| gpt-35-turbo | Invoke-AtomicTest | DeviceProcessEvents | where ActionType == 'ProcessCreated' and ProcessCommandLine contains 'Get-Process' | Incorrect | 1 | 2.00s | 0.0047 |
| gpt-4-turbo-2024-04-09 | Get-Process | DeviceProcessEvents
| where FileName == 'powershell.exe' and (ProcessCommandLine contains 'Get-Process' or ProcessCommandLine contains 'ps')
| project DeviceId, DeviceName, ProcessCommandLine, TimeGenerated
| limit 50 | Correct | 1 | 12.28s | 0.1460 |
| gpt-4.1 | Get-Process | DeviceProcessEvents
| where FileName in~ ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine has_any ("Get-Process", "gps", "ps ")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 5.09s | 0.0127 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0487 |
| gpt-4.1-mini | Get-Process | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Get-Process", "Get-CimInstance", "Get-WmiObject", "Get-Process -Name", "Get-Process |", "Get-CimInstance Win32_Process", "Get-WmiObject Win32_Process")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| summarize count() by ProcessCommandLine
| top 10 by count_ desc | Correct | 1 | 12.41s | 0.0025 |
| gpt-4.1-nano | Get-Process | DeviceProcessEvents
| where ProcessCommandLine contains "powershell" or FileName endswith ".exe"
| where ProcessCommandLine contains "Get-Process"
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated desc
| take 10 | Correct | 2 | 6.96s | 0.0007 |
| gpt-4o | Get-NetTCPConnection | DeviceProcessEvents
| where InitiatingProcessCommandLine contains "powershell" and InitiatingProcessCommandLine contains "Get-Process"
| project DeviceId, DeviceName, InitiatingProcessCommandLine, TimeGenerated | Incorrect | 1 | 3.12s | 0.0144 |
| grok-3-beta | Get-Process | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine contains 'Get-Process'
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| order by Timestamp desc | Correct | 1 | 8.78s | 0.0208 |
| grok-3-mini-beta | Get-Process | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Get-Process'
| project ProcessCommandLine, Timestamp
| distinct ProcessCommandLine | Correct | 1 | 11.84s | 0.0016 |
| o1-high | Get-Process | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("Get-Process", "Get-WmiObject", "Get-CimInstance")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc | Correct | 1 | 59.20s | 0.2979 |
| o1-low | Get-Process | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where Timestamp >= ago(30d)
| where InitiatingProcessCommandLine contains "powershell" or ProcessCommandLine contains "powershell"
| where InitiatingProcessCommandLine has "get-process" or ProcessCommandLine has "get-process"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine | Correct | 1 | 25.71s | 0.2066 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0410 |
| o3-mini-low | Get-Process | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "Get-Process"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 56.71s | 0.0126 |
| o4-mini-high | Get-Process | DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "Get-Process"
or ProcessCommandLine contains "Get-WmiObject"
or ProcessCommandLine contains "Get-CimInstance"
or ProcessCommandLine contains "tasklist"
| extend Cmdlet = extract(@"(?i)\b(Get-(?:Process|WmiObject|CimInstance))\b", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, Cmdlet, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 44.50s | 0.0165 |
| o4-mini-low | Get-Process | DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("Get-Process", "gps")
| extend ScriptBlockText = tostring(AdditionalFields.ScriptBlockText)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ScriptBlockText
| order by TimeGenerated desc | Correct | 1 | 29.42s | 0.0078 |