Query Details
//Detects successful TeamViewer connections from internal to external IP addresses
//Data connector required for this query - M365 Defender - Device* tables or Advanced Hunting license
//If TeamViewer is a sanctioned app then you will get lots of hits.
//Works in both Microsoft Sentinel and Advanced Hunting
//Note: Advanced Hunting names the event time column Timestamp; use it in place of TimeGenerated there
DeviceNetworkEvents
| where InitiatingProcessFileName contains "teamviewer.exe"
| where ActionType == "ConnectionSuccess"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| project TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    LocalIP,
    RemoteIP

This query detects successful TeamViewer connections from internal to external IP addresses. It requires a data connector such as M365 Defender - Device* tables or an Advanced Hunting license, and works in both Microsoft Sentinel and Advanced Hunting. The query filters for events where the initiating process file name contains "teamviewer.exe", the action type is "ConnectionSuccess", the local IP type is "Private", and the remote IP type is "Public". It then projects the time generated, device name, initiating process account name, initiating process file name, local IP, and remote IP.
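As an added example (not part of the original query), a variant for environments where TeamViewer is sanctioned and the query above returns too many hits: it keeps the same filters but baselines destinations over a lookback window and returns only remote IPs contacted from a small number of devices. The 30-day lookback and the two-device threshold are assumed values to tune per environment.

```kql
// Added example, not from the original page: surface rare TeamViewer destinations.
// Assumed tuning values: 30-day baseline, remote IPs seen from at most 2 devices.
let lookback = 30d;
let rare_threshold = 2;
DeviceNetworkEvents
| where TimeGenerated > ago(lookback)
| where InitiatingProcessFileName contains "teamviewer.exe"
| where ActionType == "ConnectionSuccess"
| where LocalIPType == "Private" and RemoteIPType == "Public"
// One row per public destination, with how widely it is used internally
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Connections = count(),
            Devices = dcount(DeviceName),
            Accounts = make_set(InitiatingProcessAccountName, 10)
    by RemoteIP, RemotePort
// Destinations reached from many devices are likely the vendor relay infrastructure;
// the ones reached from only one or two devices are the rows worth reviewing
| where Devices <= rare_threshold
| order by FirstSeen desc
```

In Advanced Hunting, replace TimeGenerated with Timestamp.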

Matt Zorich
Released: June 17, 2022