Query Details
```kql
// Additional AV providers can turn off Defender. Ensure that Defender is running in "EDR in block mode".
// For brevity, software packers have been scoped instead of each individual AV URL.
// These should be safe to unsanction, as users/admins should be grabbing applications from official sources.
let AntivirusIOCs = externaldata(type: string, IndicatorValue: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Antivirus%20IOCs.csv"] with (format="csv", ignoreFirstRecord=True);
let DomainList = AntivirusIOCs | project IndicatorValue;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteUrl in~ (DomainList)
| extend VT_domain = iff(isnotempty(RemoteUrl), strcat(@"https://www.virustotal.com/gui/domain/", RemoteUrl), RemoteUrl)
| summarize count() by RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountUpn
```
This query is designed to monitor network events related to antivirus software interactions on devices. Here's a simplified breakdown:
Data Source: It pulls a list of antivirus-related indicators (IOCs) from an external CSV file hosted on GitHub. This file contains domains associated with antivirus software.
Domain Extraction: It extracts the domain names from this list for further analysis.
Event Filtering: It examines device network events from the past 90 days to identify any events where the remote URL matches one of the domains from the extracted list.
VirusTotal Link: For each matching event, it creates a link to the VirusTotal website for the domain, which can be used for further investigation.
Summary: Finally, it summarizes the data by counting occurrences of each domain, along with the associated process file name and the user account that initiated the process.
In essence, the query surfaces devices, processes and users that have talked to known antivirus-vendor (and software-packer) domains. Because a third-party antivirus product can turn Defender off, each hit is a prompt to confirm that Defender is operating in "EDR in block mode" on that device; the domains themselves should generally be safe to unsanction if applications are sourced from official channels.
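The following is an added example, not part of the original page or the author's query: a small Python re-implementation of the same detection logic (load the two-column `type,IndicatorValue` indicator CSV, keep the last 90 days, match `RemoteUrl` case-insensitively as `in~` does, add the VirusTotal link, and summarize by `RemoteUrl`, `InitiatingProcessFileName` and `InitiatingProcessAccountUpn`). The indicator rows and the `DeviceNetworkEvents` records are constructed placeholders, not real indicators or telemetry. It also shows one caveat of the original query: `in~` matches case-insensitively, but `summarize ... by RemoteUrl` groups on the exact string, so the same domain seen in different letter cases lands in separate rows unless you normalize it (the `normalize_case` switch is an assumption added here, not something the query does).

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the externaldata CSV. Same two columns the query declares
# (type, IndicatorValue); the domains are placeholders, not real indicators.
INDICATOR_CSV = """type,IndicatorValue
domain,example-av-vendor.test
domain,Updates.Example-Packer.test
"""

# Constructed sample DeviceNetworkEvents rows (not real telemetry).
NOW = datetime(2025, 2, 5, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=1), "RemoteUrl": "example-av-vendor.test",
     "InitiatingProcessFileName": "setup.exe", "InitiatingProcessAccountUpn": "alice@contoso.test"},
    {"TimeGenerated": NOW - timedelta(days=2), "RemoteUrl": "EXAMPLE-AV-VENDOR.TEST",   # same domain, different case
     "InitiatingProcessFileName": "setup.exe", "InitiatingProcessAccountUpn": "alice@contoso.test"},
    {"TimeGenerated": NOW - timedelta(days=5), "RemoteUrl": "example-av-vendor.test",
     "InitiatingProcessFileName": "setup.exe", "InitiatingProcessAccountUpn": "alice@contoso.test"},
    {"TimeGenerated": NOW - timedelta(days=120), "RemoteUrl": "example-av-vendor.test",  # outside the 90-day window
     "InitiatingProcessFileName": "setup.exe", "InitiatingProcessAccountUpn": "alice@contoso.test"},
    {"TimeGenerated": NOW - timedelta(days=3), "RemoteUrl": "updates.example-packer.test",
     "InitiatingProcessFileName": "packer.exe", "InitiatingProcessAccountUpn": "bob@contoso.test"},
    {"TimeGenerated": NOW - timedelta(days=3), "RemoteUrl": "login.example-idp.test",      # not on the list
     "InitiatingProcessFileName": "msedge.exe", "InitiatingProcessAccountUpn": "bob@contoso.test"},
]


def load_domain_list(csv_text):
    """Equivalent of `externaldata(...) with (format="csv", ignoreFirstRecord=True) | project IndicatorValue`.
    DictReader consumes the header row, which is what ignoreFirstRecord=True does in KQL.
    Values are lower-cased once so the membership test below is case-insensitive like `in~`."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["IndicatorValue"].strip().lower() for row in reader if row.get("IndicatorValue")}


def vt_domain_link(remote_url):
    """Mirror of the query's `extend VT_domain = iff(isnotempty(RemoteUrl), strcat(...), RemoteUrl)`."""
    return f"https://www.virustotal.com/gui/domain/{remote_url}" if remote_url else remote_url


def hunt(events, domains, now=NOW, lookback_days=90, normalize_case=False):
    """Re-implements the query's filter and summarize steps.

    normalize_case=False reproduces the original behaviour: `in~` matches regardless of case, but
    `summarize ... by RemoteUrl` groups on the exact string, so case variants become separate rows.
    normalize_case=True (an addition here, not in the query) groups on the lower-cased domain instead."""
    cutoff = now - timedelta(days=lookback_days)          # `where TimeGenerated > ago(90d)`
    counts = Counter()
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:
            continue
        url = ev["RemoteUrl"]
        if url.lower() not in domains:                     # `where RemoteUrl in~ (DomainList)`
            continue
        group_url = url.lower() if normalize_case else url
        counts[(group_url, ev["InitiatingProcessFileName"], ev["InitiatingProcessAccountUpn"])] += 1

    # `summarize count() by RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountUpn`
    rows = []
    for (url, proc, upn), n in sorted(counts.items()):
        rows.append({"RemoteUrl": url, "InitiatingProcessFileName": proc,
                     "InitiatingProcessAccountUpn": upn, "count_": n, "VT_domain": vt_domain_link(url)})
    return rows


if __name__ == "__main__":
    domains = load_domain_list(INDICATOR_CSV)
    for row in hunt(SAMPLE_EVENTS, domains):
        # Each hit is a device/process/user that reached a third-party AV or packer domain:
        # triage it and confirm Defender is in "EDR in block mode" on that device.
        print(row["count_"], row["RemoteUrl"], row["InitiatingProcessFileName"],
              row["InitiatingProcessAccountUpn"], row["VT_domain"])
```

Run as-is to see the three-row result the original grouping produces (two rows for the same vendor domain in different cases); call `hunt(SAMPLE_EVENTS, domains, normalize_case=True)` to collapse them into one. In KQL the equivalent fix is to summarize by `tolower(RemoteUrl)` instead of `RemoteUrl`.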

Jay Kerai
Released: February 5, 2025