Query Details

Detecting Unauthorized RMM Instances In Your MDE Environment

Query

// Detecting Unauthorized RMM Instances in Your MDE Environment

let SanctionRMM = dynamic(["bomgarcloud.com"]); // Approved (allowlisted) RMM domains; has_any expects an array, so add further sanctioned domains as extra elements
// If the CSV carries a header row, append with(format="csv", ignoreFirstRecord=true) so the literal "URI" is not treated as an indicator
let RMMList=externaldata(URI: string, RMMTool: string)
    [h'https://raw.githubusercontent.com/jischell-msft/RemoteManagementMonitoringTools/refs/heads/main/Network%20Indicators/RMM_SummaryNetworkURI.csv'];
let RMMUrl =
    RMMList
    | project URI; // Single-column tabular expression usable as the has_any list
DeviceNetworkEvents
| where TimeGenerated > ago(1h) // Sentinel column name; in Defender XDR advanced hunting the column is Timestamp
| where ActionType == @"ConnectionSuccess"
| where RemoteUrl has_any(RMMUrl) // Any known RMM network indicator
| where not (RemoteUrl has_any(SanctionRMM)) // Drop the sanctioned tool
| summarize arg_max(TimeGenerated, *) by DeviceId // Latest matching connection per device

Explanation

This query is designed to detect unauthorized Remote Monitoring and Management (RMM) instances in a Microsoft Defender for Endpoint (MDE) environment. Here's a simplified breakdown of what the query does:

  1. Define Approved RMM: It sets up a list of approved RMM domains, in this case, "bomgarcloud.com", which is considered sanctioned or whitelisted.

  2. Load RMM List: It retrieves a list of known RMM tool URLs from an external CSV file hosted on GitHub. This list contains various RMM tool network indicators.

  3. Filter Network Events: It examines network events from devices within the last hour (TimeGenerated > ago(1h)) where a successful connection (ActionType == "ConnectionSuccess") was made to any URL listed in the RMM tool list.

  4. Exclude Approved RMM: It filters out any connections to the approved RMM domain(s) specified earlier.

  5. Summarize Results: Finally, it summarizes the data to show the most recent network event for each device (arg_max(TimeGenerated, *) by DeviceId) that connected to an unauthorized RMM URL.

In essence, this query helps identify devices that have connected to potentially unauthorized RMM tools, excluding those that are explicitly approved.
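To check the rule's logic offline before deploying it, the same five steps can be run in Python over constructed sample events. This is an added example, not code from the original page; the indicator CSV rows, the ".example" domains and the DeviceNetworkEvents-shaped records are all constructed, and domain matching is modelled as "host equals the indicator or is a subdomain of it".

```python
import csv
from datetime import datetime, timedelta
from io import StringIO
from urllib.parse import urlsplit

# Constructed stand-in for the indicator CSV the query loads via externaldata (same two columns).
RMM_INDICATORS_CSV = """URI,RMMTool
bomgarcloud.com,Sanctioned Remote Support
rmm-vendor-a.example,Vendor A Remote Control
rmm-vendor-b.example,Vendor B Agent
"""
# Equivalent of the query's SanctionRMM allowlist.
SANCTIONED_RMM = ("bomgarcloud.com",)
NOW = datetime(2025, 3, 16, 12, 0, 0)  # constructed "now" for the 1h window

def load_rmm_uris(csv_text):
    """Return {uri: tool} from the CSV, skipping the header row and blank URIs."""
    return {r["URI"].strip().lower(): r["RMMTool"].strip()
            for r in csv.DictReader(StringIO(csv_text)) if r.get("URI", "").strip()}

def matches_domain(remote_url, domain):
    """True when the URL's host is the indicator domain or a subdomain of it (not a suffix like notbomgarcloud.com)."""
    host = urlsplit(remote_url if "://" in remote_url else "//" + remote_url).hostname or ""
    return host == domain or host.endswith("." + domain)

def find_unauthorized_rmm(events, rmm_uris, sanctioned, now, window=timedelta(hours=1)):
    """Steps 3-5 of the query: window + ConnectionSuccess + RMM hit, minus allowlist, latest per device."""
    latest = {}
    for ev in events:
        if ev["ActionType"] != "ConnectionSuccess" or now - ev["TimeGenerated"] > window:
            continue
        hit = next((tool for uri, tool in rmm_uris.items() if matches_domain(ev["RemoteUrl"], uri)), None)
        if hit is None or any(matches_domain(ev["RemoteUrl"], s) for s in sanctioned):
            continue
        prev = latest.get(ev["DeviceId"])
        if prev is None or ev["TimeGenerated"] > prev["TimeGenerated"]:  # arg_max(TimeGenerated, *) by DeviceId
            latest[ev["DeviceId"]] = {**ev, "RMMTool": hit}
    return latest

# Constructed sample events in the shape of DeviceNetworkEvents rows.
SAMPLE_EVENTS = [
    {"DeviceId": "dev-1", "TimeGenerated": NOW - timedelta(minutes=50), "ActionType": "ConnectionSuccess", "RemoteUrl": "relay.rmm-vendor-a.example"},
    {"DeviceId": "dev-1", "TimeGenerated": NOW - timedelta(minutes=10), "ActionType": "ConnectionSuccess", "RemoteUrl": "https://rmm-vendor-b.example/agent"},
    {"DeviceId": "dev-2", "TimeGenerated": NOW - timedelta(minutes=5), "ActionType": "ConnectionSuccess", "RemoteUrl": "tenant.bomgarcloud.com"},  # sanctioned
    {"DeviceId": "dev-3", "TimeGenerated": NOW - timedelta(minutes=5), "ActionType": "ConnectionFailed", "RemoteUrl": "rmm-vendor-a.example"},  # not a success
    {"DeviceId": "dev-4", "TimeGenerated": NOW - timedelta(hours=3), "ActionType": "ConnectionSuccess", "RemoteUrl": "rmm-vendor-a.example"},  # outside window
]
```

Running `find_unauthorized_rmm(SAMPLE_EVENTS, load_rmm_uris(RMM_INDICATORS_CSV), SANCTIONED_RMM, NOW)` returns only dev-1, carrying its most recent hit (the Vendor B connection), which is the row the KQL summarize would surface.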

Details


Steven Lim

Released: March 16, 2025

Tables

DeviceNetworkEvents

Keywords

Devices

Operators

let, dynamic, externaldata, project, where, has_any, not, summarize, arg_max
