Query Details
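// Detects attempts to tamper with ATP (Defender for Endpoint) settings and attributes each
// attempt to the most recent successful logon on the same device that PRECEDES the attempt.
// Output: one row per tampering attempt (per device / registry value / event time) with the
// attributed account, the attempted registry change and the tampering status.
//
// Add any system or service accounts that legitimately change these settings in the background
// (for example the account the ATP agent runs under) so they are never picked as the actor.
// Left empty on purpose; fill in as dynamic(["account1", "account2"]).
let ExcludedAccounts = dynamic([]);
// Lookback for tampering events. Logons are collected for one extra day (the maximum
// correlation distance below) so a logon preceding an event at the start of the window is not lost.
let EventLookback = 1d;
let MaxMinutesBetweenLogonAndEvent = 1440; // logon must be within the same day as the attempt
let TamperInfo = DeviceEvents
| where Timestamp > ago(EventLookback)
| where ActionType == 'TamperingAttempt'
// Only the on/off style toggles are of interest here (e.g. values named Enable*/Disable*).
| where RegistryValueName startswith "Enable" or RegistryValueName startswith "Disable"
| extend ParsedFields = parse_json(AdditionalFields)
| project EventTime = Timestamp, DeviceId, DeviceName, RegistryKey, RegistryValueName,
    RegistryValueChangeAttempt = ParsedFields.TamperingAttemptedValue,
    Action = ParsedFields.TamperingAction,
    Status = ParsedFields.Status;
let UserLogons = DeviceLogonEvents
| where Timestamp > ago(EventLookback + 1d)
| where ActionType == 'LogonSuccess'
| where AccountName !in (ExcludedAccounts)
| where AccountDomain !hassuffix ".local"
| project UserLogonTime = Timestamp, AccountDomain, AccountName, DeviceId, DeviceName, ActionType;
let TamperStatus = TamperInfo
// DeviceId is the stable device identity; DeviceName can be reused across re-imaged machines.
| join kind=inner (UserLogons) on DeviceId
// Only a logon that happened before the attempt can explain who was on the device at the time;
// abs() would otherwise let a later logon be blamed for an earlier attempt.
| where UserLogonTime <= EventTime
| extend TimeDiff = datetime_diff('minute', EventTime, UserLogonTime)
| where TimeDiff <= MaxMinutesBetweenLogonAndEvent
// Keep, per attempt, the logon closest in time to it (the "most recent" logon).
// DeviceId is part of the key so identical values/timestamps on two devices do not collapse.
| summarize arg_min(TimeDiff, *) by DeviceId, RegistryValueName, EventTime
| project RegistryValueName, TimeDiff, EventTime, UserLogonTime, AccountDomain, AccountName,
    DeviceName, DeviceId, RegistryKey, RegistryValueChangeAttempt, Action, Status;
TamperStatus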
| sort by EventTime asc

This query is designed to identify and analyze attempts to tamper with Advanced Threat Protection (ATP) settings on devices. Here's a simple breakdown of what the query does:
Excluded Accounts: It defines a list of system accounts that should be ignored in the analysis, such as accounts used by ATP itself.
Tampering Events: It extracts events from the DeviceEvents table that occurred in the last day (ago(1d)) and are classified as 'TamperingAttempt'. It focuses on registry changes that start with "Enable" or "Disable". It collects details about these events, including the time, device name, registry key, attempted change, action taken, and status.
User Logons: It gathers successful logon events from the DeviceLogonEvents table within the last day, excluding logons by the excluded accounts and those from domains ending in ".local". It records the logon time, account details, and device information.
Correlating Events: It correlates tampering events with the most recent user logon on the same device. It calculates the time difference between the tampering event and the logon event, ensuring they occurred within the same day (up to 1440 minutes apart).
Result Compilation: It organizes the results by the registry value name and sorts them by the logon time in descending order. It then summarizes the earliest time difference for each registry value name and compiles relevant details such as account name, device information, and the attempted registry change.
Final Output: The final output is sorted by the event time in ascending order, providing a chronological view of tampering attempts and associated user logons.
Overall, this query helps in identifying potential unauthorized changes to ATP settings by correlating them with user activities on the devices.

Jay Kerai
Released: November 10, 2024