Query Details

Device Detect First Time Teamviewer Usage

Query

//Detects Teamviewer being used for the first time on a device

//Data connector required for this query - M365 Defender - Device* tables

//Build a list of known devices using Teamviewer over the last 60 days
let knowndevices=
DeviceNetworkEvents
| where TimeGenerated > ago(60d) and TimeGenerated < ago(1d)
| project DeviceName, InitiatingProcessFileName, ActionType, LocalIPType, RemoteIPType
| where InitiatingProcessFileName contains "teamviewer.exe"
| where ActionType == "ConnectionSuccess"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| distinct DeviceName;
//Find new devices in the last day not in the known list
DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where InitiatingProcessFileName contains "teamviewer.exe"
| where ActionType == "ConnectionSuccess"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where DeviceName !in (knowndevices)
| distinct DeviceName

Explanation

This query detects when Teamviewer is used for the first time on a device. It first builds a baseline of known devices: every device on which teamviewer.exe made a successful outbound connection (private local IP to public remote IP) between 60 days ago and 1 day ago. It then looks at the same kind of events in the last day and returns any device that is not in that baseline. The process file name, action type, local IP type, and remote IP type filters are applied identically to both halves, so the only difference between them is the time window.
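As an added illustration, not part of the original query page, the following Python reproduces the query's baseline-versus-recent logic over a constructed set of rows shaped like DeviceNetworkEvents. The rows, the fixed "now" timestamp and the function names are assumptions made for this example; it also covers the case the query implies but does not state, a device whose last TeamViewer use fell before the 60-day baseline and is therefore reported as "new" again.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (assumption for this example)
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)


def row(days_ago, device, proc="teamviewer.exe", action="ConnectionSuccess",
        local="Private", remote="Public"):
    """Build one constructed event using the DeviceNetworkEvents columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "DeviceName": device,
        "InitiatingProcessFileName": proc,
        "ActionType": action,
        "LocalIPType": local,
        "RemoteIPType": remote,
    }


# Constructed sample data, not real telemetry
SAMPLE_EVENTS = [
    row(30, "ws-01"),                               # in baseline window -> known
    row(0.5, "ws-01"),                              # used again today -> not reported
    row(0.2, "ws-02"),                              # never seen before -> reported
    row(61, "ws-03"),                               # last use older than the 60-day window...
    row(0.1, "ws-03"),                              # ...so today's use is reported as first-time
    row(0.3, "ws-04", action="ConnectionFailed"),   # failed connection -> ignored
    row(0.3, "ws-05", local="Public"),              # not private -> public -> ignored
    row(0.3, "ws-06", proc="chrome.exe"),           # not TeamViewer -> ignored
    row(0.4, "ws-07", proc="TeamViewer.exe"),       # KQL `contains` is case-insensitive -> reported
]


def matches_filters(ev):
    """Mirror the query's where clauses. KQL `contains` is case-insensitive, hence lower()."""
    return ("teamviewer.exe" in ev["InitiatingProcessFileName"].lower()
            and ev["ActionType"] == "ConnectionSuccess"
            and ev["LocalIPType"] == "Private"
            and ev["RemoteIPType"] == "Public")


def known_devices(events, now=NOW, baseline_days=60, recent_days=1):
    """Equivalent of the `knowndevices` let-statement: ago(60d) < TimeGenerated < ago(1d)."""
    lower = now - timedelta(days=baseline_days)
    upper = now - timedelta(days=recent_days)
    return {ev["DeviceName"] for ev in events
            if lower < ev["TimeGenerated"] < upper and matches_filters(ev)}


def first_time_devices(events, now=NOW, baseline_days=60, recent_days=1):
    """Devices with qualifying events in the last `recent_days` that are absent from the baseline."""
    known = known_devices(events, now, baseline_days, recent_days)
    since = now - timedelta(days=recent_days)
    return sorted({ev["DeviceName"] for ev in events
                   if ev["TimeGenerated"] > since
                   and matches_filters(ev)
                   and ev["DeviceName"] not in known})


if __name__ == "__main__":
    print("known:", sorted(known_devices(SAMPLE_EVENTS)))
    print("first-time:", first_time_devices(SAMPLE_EVENTS))
```

Running it reports ws-02, ws-03 and ws-07. The ws-03 case is worth noting when triaging: a device that simply has not used TeamViewer in over 60 days re-enters the results, so the query surfaces "new or long-dormant" usage rather than strictly first-ever usage.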

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

Devices, DeviceNetworkEvents, TimeGenerated, DeviceName, InitiatingProcessFileName, ActionType, LocalIPType, RemoteIPType, ConnectionSuccess, Private, Public, knowndevices

Operators

where, project, contains, ==, distinct, in
