Rule : Detection of Suspicious File Events Involving DevTunnels
Dev Tunnel File Events
Query
DeviceFileEvents
| where FolderPath has "DevTunnels"
//exclude Dell Display Manager | where InitiatingProcessFileName != "DellDisplayManager.exe"About this query
Explanation
This query is designed to detect suspicious file activities in folders named "DevTunnels," which are used in Visual Studio for secure remote connections. The goal is to identify potential unauthorized or malicious operations within these folders, which could indicate an attempt to establish or maintain unauthorized access to the system.
The query works by:
- Monitoring file events (
DeviceFileEvents) where the folder path includes "DevTunnels." - Excluding known legitimate software, specifically Dell Display Manager 2, to avoid false positives.
In simple terms, this query helps in identifying unusual file activities in "DevTunnels" folders, which might be used by attackers for malicious purposes, while ignoring activities from trusted software.
Details

Ali Hussein
Released: September 9, 2024
Tables
DeviceFileEvents
Keywords
DeviceFileEventsFolderPathDevTunnelsDellDisplayManagerInitiatingProcessFileName
Operators
has!=