Query Details

Defender Antivirus Malware Detection List

Query

name : defender antivirus threat detection list
description : 
  - --- Microsoft Defender Antivirus ---
  - Case1 - Weekly malware detection names list 
  - Case2 - Weekly malware detection names & device list 
  - Case3 - Weekly malware detection name, device & file list
  - Case4 - combining information on the filename and malware family
table :
  - DeviceEvents
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide
query: |
  //Case1 - Weekly malware detection names & number list
  DeviceEvents
  | where Timestamp > ago(7d)
  | where ActionType == "AntivirusDetection"
  | extend DetectionType = parse_json(AdditionalFields)
  // projecting a dynamic path (DetectionType.ThreatName) yields a column named DetectionType_ThreatName
  | project Timestamp, DeviceId, DeviceName, ActionType, DetectionType.ReportSource, DetectionType.ThreatName
  | summarize ThreatNumber = count() by tostring(DetectionType_ThreatName)
  | sort by ThreatNumber desc


  //Case2 - Weekly malware detection names & device list
  DeviceEvents
  | where Timestamp > ago(7d)
  | where ActionType == "AntivirusDetection"
  | extend DetectionType = parse_json(AdditionalFields)
  | summarize MalwareFamilyList = make_list(DetectionType.ThreatName) by DeviceName, DeviceId


  //Case3 - Weekly malware detection name, device & file list
  DeviceEvents
  | where Timestamp > ago(7d)
  | where ActionType == "AntivirusDetection" and isnotempty(FileName)
  | extend DetectionType = parse_json(AdditionalFields)
  | extend MalwareFamilyList = tostring(DetectionType.ThreatName)
  | summarize MalwareFile = make_list(FileName) by DeviceName, DeviceId, MalwareFamilyList

  //Case4 - combining information on the filename and malware family
  DeviceEvents
  | where Timestamp > ago(7d)
  | where ActionType == "AntivirusDetection"
  | extend DetectionType = parse_json(AdditionalFields)
  // each list entry is "<ThreatName>\<FileName>" so family and file stay paired per device
  | summarize MalwareFamilyList = make_list(strcat(DetectionType.ThreatName, @"\", FileName)) by DeviceName, DeviceId
  | extend ThreatNumber = array_length(MalwareFamilyList)
  | project DeviceId, DeviceName, ThreatNumber, MalwareFamilyList


Explanation

The query retrieves Microsoft Defender Antivirus malware detections from the last seven days. It has four cases:

Case 1: Weekly list of malware detection names and the number of occurrences of each.
Case 2: Weekly list of malware detection names and the devices where they were detected.
Case 3: Weekly list of malware detection names, the devices where they were detected, and the files affected.
Case 4: Per device, a combined list pairing each malware family with the detected filename, plus the total number of detections.

All four cases read the DeviceEvents table, filter on Timestamp (last 7 days) and ActionType "AntivirusDetection", and parse the AdditionalFields JSON to obtain the threat name (DetectionType.ThreatName). They then extend, summarize, and sort the data to produce the respective lists.
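The following is an added example, not part of the original query or Kijo Girardi's work. It extends the four cases in two directions a SOC analyst usually wants next: a per-threat view of spread and recency across the fleet, and the most recent detection per device with its path and hash using arg_max. It assumes the standard DeviceEvents columns SHA256 and FolderPath are populated for AntivirusDetection events (they are not used in the original query); the ThreatName key in AdditionalFields is taken from the page.

```kql
//Added Case A - Spread and recency per threat name (how many devices, first/last seen, distinct hashes)
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| extend DetectionType = parse_json(AdditionalFields)
| extend ThreatName = tostring(DetectionType.ThreatName)
| summarize DeviceCount = dcount(DeviceId),
            DetectionCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            // SHA256 is assumed to be populated; cap the set at 10 hashes per family
            FileHashes = make_set(SHA256, 10)
    by ThreatName
| sort by DeviceCount desc, DetectionCount desc


//Added Case B - Most recent detection per device, with file path and hash for triage
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| extend DetectionType = parse_json(AdditionalFields)
| extend ThreatName = tostring(DetectionType.ThreatName)
// arg_max keeps the row with the latest Timestamp per device and carries the listed columns with it
| summarize arg_max(Timestamp, ThreatName, FileName, FolderPath, SHA256) by DeviceId, DeviceName
| project DeviceId, DeviceName, LastDetection = Timestamp, ThreatName, FileName, FolderPath, SHA256
| sort by LastDetection desc


//Added Case C - Flatten the Case4 list back into one row per detection for filtering or joining
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| extend DetectionType = parse_json(AdditionalFields)
| summarize MalwareFamilyList = make_list(strcat(DetectionType.ThreatName, @"\", FileName)) by DeviceName, DeviceId
// mv-expand turns each "<ThreatName>\<FileName>" entry into its own row
| mv-expand Detection = MalwareFamilyList to typeof(string)
| project DeviceId, DeviceName, Detection
```

Case A ranks families by how many distinct devices they touched rather than raw event count, so a single noisy host does not dominate the list; Case B is the one to run before opening a ticket, since it gives the exact file and hash Defender most recently flagged on each device.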

Details


Kijo Girardi

Released: March 16, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,Timestamp,DeviceId,DeviceName,ActionType,DetectionType.ReportSource,DetectionType.ThreatName,AdditionalFields,MalwareFamilyList,FileName,ThreatNumber

Operators

toscalar(), arg_max(), count(), mv-expand, where, extend, parse_json(), project, summarize, sort by, make_list(), isnotempty(), tostring(), strcat(), array_length()
