In the first post, we asked the question every SOC is going to be asking soon: did the human do that, did the AI do it, or did the human tell the AI to do it? We argued that EDR is the right place to answer it, and laid out a five-bucket attribution model.
This is where we run the trace. The model is implemented as six KQL queries against Defender Advanced Hunting, sharing a common preamble that defines lookup lists, identifies high-confidence Cowork “seeds,” walks the process tree, and brackets out AI activity windows for mediated-attribution joins. We’ll go through each query in order — what it does, why the joins are shaped the way they are, where the weights come from, and what to tune before pointing it at production.
Attribution Model Refresher
| Bucket | Score | Meaning |
|---|---|---|
| Direct AI — local | 90–100 | claude.exe itself or an obvious agentic seed performed the action |
| Direct AI — network | 80–100 | AI process talked to AI vendor or M365 directly |
| AI-mediated | 50–79 | Non-AI process (Explorer, Word, Chrome) acted on a Claude-touched file in the same session, close in time |
| Weak / review | 30–49 | Some signals but insufficient to attribute confidently |
| Background | <30 | Updaters, session 0, telemetry — suppressed |
The scoring rubric
The model is additive. Every query collects signals and assigns points; the total is capped at 100, run through a noise suppressor, and bucketed. Here’s the full rubric.
Tier 1 — Direct AI seed evidence (cmdline / process)
| Signal | Score |
|---|---|
| FileName == claude.exe | +35 |
| InitiatingProcessVersionInfoCompanyName == Anthropic | +30 |
| Install path under \WindowsApps\Claude_ or \Program Files\Anthropic\ | +15 |
| cmdline has mcp__cowork__ | +35 |
| cmdline has mcp__scheduled-tasks__ | +30 |
| cmdline has mcp__computer-use / computerUse | +25 |
| cmdline has cowork-artifact / cowork-file / operon-artifact | +20 |
| cmdline has local-agent-mode-sessions / skills-plugin / ccdPlugins | +15 |
| cmdline has --permission-mode bypassPermissions or --allow-dangerously-skip-permissions | +25 |
| cmdline has explicit Read(//c/Users/ / Edit(//c/Users/ / --add-dir | +15 |
| cmdline has Documents\Claude\Scheduled | +15 |
| cmdline has --replay-user-messages | +10 |
Tier 2 — Process lineage (descendants of a seed)
| Hop depth from seed | Score |
|---|---|
| Hop 0 (seed itself) | +40 |
| Hop 1 (direct child) | +25 |
| Hop 2 (grandchild) | +15 |
| Hop 3 (great-grandchild) | +8 |
Tier 3 — Temporal proximity to a seed
| Window | Score |
|---|---|
| Within 5 min of seed | +20 |
| Within 15 min | +12 |
| Within 45 min | +5 |
Tier 4 — AI-mediated heuristics (the GUI computer-use case)
| Signal | Score |
|---|---|
| Same file path that Claude read/edited within 30 min | +25 |
| Same SID and same SessionId as an active Claude session | +15 |
| Same InitiatingProcessUniqueId ties file activity to network | +20 |
| Folder path matches a --add-dir / Read(//... / Edit(//... scope from seed cmdline | +15 |
Tier 5 — Network corroboration
| Signal | Score |
|---|---|
| Destination is AI vendor (anthropic.com, claude.ai, api.anthropic.com) | +35 |
| Same InitiatingProcessUniqueId did file activity AND network | +20 |
| Network burst within 5 min of AI-driven file open | +15 |
| Process startup → many connections within 10 sec (fan-out) | +10 |
Tier 6 — Indirect / weird worker hints
| Signal | Score |
|---|---|
| vmwp.exe with parent vmcompute.exe and folder matches seed scope | +20 |
| ntoskrnl.exe rename/move during active AI window | +10 |
Tier 7 — Suspicious child behavior (PowerShell-specific)
| Signal | Score |
|---|---|
| PowerShell launched in Claude lineage with -enc / -encodedcommand | +30 |
| PowerShell with iex / invoke-expression | +20 |
| PowerShell with downloadstring / invoke-webrequest / invoke-restmethod | +20 |
| PowerShell with -w hidden / -windowstyle hidden | +15 |
| PowerShell with -nop / -noprofile / -noninteractive | +10 |
Noise suppressors (negative scores)
| Signal | Score |
|---|---|
| Actor process is on NoiseProcs list (officeclicktorun.exe, officesvcmgr.exe, updater.exe, svchost.exe, mpdlpservice.exe, backgroundtaskhost.exe, onedrive.exe) | -60 |
| SessionId == 0 (system session, not interactive) | -50 |
| Generic telemetry destinations (events.data.microsoft.com, gvt2.com) without AI/file correlation | -20 |
| ActionType is NamedPipeEvent or DpapiAccessed and no other AI signal present | -15 |
Final classification
```
RawScore    = sum(all tiers) + sum(noise suppressors)
Score       = clamp(RawScore, 0, 100)
Attribution = case(
    Score >= 90,                      "Direct AI — local",
    Score >= 80 and HasNetworkSignal, "Direct AI — network",
    Score >= 50,                      "AI-mediated",
    Score >= 30,                      "Weak / review",
    "Background"
)
```
A few notes on the design choices. The Tier 1 weights are tuned so that any single strong signal, claude.exe plus an MCP cmdline keyword, for example, is enough to reach a “Direct AI” verdict on its own. That keeps the most obvious cases easy. The mediated tiers are deliberately weaker so that a coincidence (a human happens to open the same file Claude read 20 minutes ago) doesn’t get auto-labeled as AI activity. And the noise suppressors are aggressive, -60 for known noisy processes and -50 for session 0, because in our testing the false positive rate without them was ugly.
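To make the rubric concrete, here is the additive scoring and bucketing as a small Python function. This is an added example, not the authors' KQL: the event dicts and their field names are constructed stand-ins for Defender rows, and HasNetworkSignal is assumed to mean "the destination is an AI vendor domain", which the post does not spell out.

```python
# Added example, not the authors' KQL. Event field names are stand-ins for Defender
# columns (assumption); HasNetworkSignal is assumed to mean "destination is AI vendor".
TIER1_CMDLINE = {  # Tier 1 cmdline keywords -> points (lower-cased for matching)
    "mcp__cowork__": 35, "mcp__scheduled-tasks__": 30, "mcp__computer-use": 25,
    "cowork-artifact": 20, "--permission-mode bypasspermissions": 25,
    "--add-dir": 15, "--replay-user-messages": 10,
}
HOP_SCORE = {0: 40, 1: 25, 2: 15, 3: 8}            # Tier 2: hop depth from a seed
AI_VENDOR = {"anthropic.com", "claude.ai", "api.anthropic.com"}  # Tier 5 destinations
NOISE_PROCS = {"officeclicktorun.exe", "officesvcmgr.exe", "updater.exe", "svchost.exe",
               "mpdlpservice.exe", "backgroundtaskhost.exe", "onedrive.exe"}

def raw_score(ev: dict) -> tuple[int, bool]:
    """Sum the tiers and suppressors for one event; also return HasNetworkSignal."""
    s, proc, cmd = 0, ev.get("process", "").lower(), ev.get("cmdline", "").lower()
    if proc == "claude.exe": s += 35                                   # Tier 1
    if ev.get("company") == "Anthropic": s += 30
    s += sum(pts for kw, pts in TIER1_CMDLINE.items() if kw in cmd)
    s += HOP_SCORE.get(ev.get("hop"), 0)                               # Tier 2
    mins = ev.get("mins_since_seed")                                   # Tier 3
    if mins is not None:
        s += 20 if mins <= 5 else 12 if mins <= 15 else 5 if mins <= 45 else 0
    if ev.get("claude_touched_same_file_30m"): s += 25                 # Tier 4
    if ev.get("same_sid_and_session"): s += 15
    has_net = ev.get("remote_host") in AI_VENDOR                       # Tier 5
    if has_net: s += 35
    if proc in NOISE_PROCS: s -= 60                                    # suppressors
    if ev.get("session_id") == 0: s -= 50
    return s, has_net

def classify(ev: dict) -> tuple[int, str]:
    """Clamp to 0..100 and bucket in the same order as the Final classification block."""
    raw, has_net = raw_score(ev)
    score = max(0, min(100, raw))
    if score >= 90: bucket = "Direct AI - local"
    elif score >= 80 and has_net: bucket = "Direct AI - network"
    elif score >= 50: bucket = "AI-mediated"
    elif score >= 30: bucket = "Weak / review"
    else: bucket = "Background"
    return score, bucket

# Constructed events, one per bucket (not real telemetry)
SEED = {"process": "claude.exe", "company": "Anthropic", "hop": 0,
        "cmdline": "claude.exe mcp__cowork__ --add-dir C:\\Users\\a\\Documents"}
WORD = {"process": "winword.exe", "mins_since_seed": 10,
        "claude_touched_same_file_30m": True, "same_sid_and_session": True}
EDGE = {"process": "msedge.exe", "hop": 1, "mins_since_seed": 3, "remote_host": "claude.ai"}
NOISE = {"process": "svchost.exe", "hop": 2, "session_id": 0, "mins_since_seed": 1}

for ev in (SEED, WORD, EDGE, NOISE): print(ev["process"], classify(ev))
```

Note that the Word case drops from "AI-mediated" to "Weak / review" if the open happens 20 minutes after the seed instead of 10, and the Edge case only reaches "Direct AI - network" because the vendor destination supplies both the +35 and the HasNetworkSignal flag.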
The queries
The model is implemented as a set of KQL queries against Defender Advanced Hunting. They share a common preamble that defines all the lookup lists, identifies “seeds” (high-confidence Cowork processes), walks the process tree, and brackets out AI activity windows. Paste the preamble at the top of each query.
Shared preamble — paste at the top of every query
Query 1 — Direct AI seed detection
This is the simplest of the queries and the entry point for any investigation. It surfaces clear Cowork-attributable activity and is your “is AI even running on this host” question, answered.
Query 2 — Process tree visualization (0–3 hops from seed)
Use this when you need to see exactly what a Cowork session spawned. This is the query you run after Query 1 lights up; it gives you the full picture of children, grandchildren, and great-grandchildren, with the seed cmdline carried along for context.
Query 3 — Score file events with full attribution
This is the operational workhorse. It scores every file event (read, write, create, move) and outputs an attribution category. This is the query you’d schedule, alert on the high-scoring rows, and feed into the rest of your investigation tooling.
Query 4 — Score process executions
Same scoring philosophy as Query 3, but applied to DeviceProcessEvents. This catches AI-driven app opens, shell invocations, and suspicious child processes, the place where you find PowerShell launched by Claude with -enc and start asking pointed questions.
Query 5 — Network corroboration with destination categorization
Adds the “Direct AI - network” verdict and supports “AI-mediated network” attribution. Useful for spotting data leaving the host through an AI-driven Word or Edge session that talks to a vendor cloud right after Claude has been at the wheel.
Query 6 — Unified timeline (the SOC view)
Combines file, process, and network attributions into one chronological view. This is what an analyst opens during an investigation to answer the only question that really matters: what did the AI do, in order?
Operational notes
When to trust each bucket
- Direct AI - local / network is high enough confidence to alert, log, or auto-tag in your SOAR. Worth surfacing to the SOC immediately.
- AI-mediated should not auto-alert; surface it during investigations. This is the bucket where you say “the user appears to have used Cowork to do X.”
- Weak / review stays in a queue. It’s useful for tuning the model but shouldn’t notify anyone.
- Background is suppressed.
Tuning before production
A few things to fix before you point this at your tenant in anger.
- Replace the folder-scope matching keywords (`Documents\Claude\Scheduled`, etc.) with whatever business folders matter in your environment and are configured for Cowork to use.
- Confirm the Cowork cmdline keywords are still current. Anthropic ships new MCP servers and feature flags, and this list will drift over time. Re-baseline it quarterly against fresh telemetry.
- Validate that `InitiatingProcessUniqueId` is populated in your tenant. If it isn't, fall back to `InitiatingProcessId` plus `InitiatingProcessCreationTime` as a composite key — PID alone is unsafe.
- Move the cmdline keywords, install paths, and publishers to a Sentinel watchlist if you have it. Updates shouldn't require query edits.
- If you rely on DNS-only network telemetry, add a `DnsConnectionInspected` host extraction. The current network query handles SNI and RemoteUrl but not DNS-only environments.
Known limitations
Defender alone cannot always definitively prove “this was AI, not a human” for GUI-driven actions. The mediated-activity scoring is probabilistic, not deterministic. A real human could open a file Claude previously read, in the same session, within 30 minutes, and the model will (correctly) grade that as “AI-mediated” rather than “Direct AI.” That’s not a bug; that’s the model being honest.
A few other things to be aware of. Multiple concurrent AI sessions on one host can confuse the temporal join; if you see this, key the joins on SeedProcUid instead of just DeviceId + SeedTime. Cowork running inside WSL2 or Hyper-V will show up as vmwp.exe activity, which the model gives partial credit (+20) for, but you'll need to enable WSL guest telemetry collection to see what's actually happening inside the VM. And of course this is Claude-specific; the same approach works for OpenClaw and others, but the seed signals (process names, cmdline keywords, vendor domains) are different and need their own list.
Wrap-Up
The above queries are designed to help you better understand what is happening in your environment right now. While these AI solutions can be really helpful for productivity and efficiency, they have opened up an Action Provenance problem, as AI takes on the persona of an individual and starts performing tasks on their behalf.
More logging and understanding will be required to help with attribution in the future, but we can't wait, and this blog series is designed to help you get started right now on a problem you may not have known was just introduced into your environment!
As always, if you need assistance SRA is here to help!