Query Details

Device Detect Macro Usage

Query

// Look up the IdentityInfo table for the most recent device each user has logged onto,
// find any macro usage from that device, and return the identity info alongside it.

// Data connector required for this query - M365 Defender - Device* tables
// Data connector required for this query - Microsoft Sentinel UEBA

let id=
    IdentityInfo
    | where TimeGenerated > ago(21d)
    // keep only the latest identity record per account
    | summarize arg_max(TimeGenerated, *) by AccountName
    | extend LoggedOnUser = AccountName
    | project LoggedOnUser, AccountUPN, JobTitle, EmployeeId, Country, City
    | join kind=inner (
        DeviceInfo
        | where TimeGenerated > ago(21d)
        // keep only the latest inventory record per device
        | summarize arg_max(TimeGenerated, *) by DeviceName
        // LoggedOnUsers is a dynamic array; take the first user's name as the device's logged-on user
        | extend LoggedOnUser = tostring(LoggedOnUsers[0].UserName)
        )
        on LoggedOnUser
    | project LoggedOnUser, AccountUPN, JobTitle, Country, DeviceName, EmployeeId;
DeviceProcessEvents
// filter before the join so only matching events are joined (same result, less work)
| where TimeGenerated > ago(21d)
// processes started by Excel while a macro-enabled workbook (.xlsm) or template (.xltm) was open
| where InitiatingProcessFileName == "EXCEL.EXE"
| where InitiatingProcessCommandLine contains ".xlsm" or InitiatingProcessCommandLine contains ".xltm"
| join kind=inner id on DeviceName
| extend Process = InitiatingProcessFileName
| extend Command = InitiatingProcessCommandLine
| project
    TimeGenerated,
    DeviceName,
    LoggedOnUser,
    AccountUPN,
    Process,
    Command,
    JobTitle,
    EmployeeId,
    // SHA1/SHA256 are the hashes of the process Excel launched (FileName), not of Excel itself
    SHA1,
    SHA256

Explanation

This query finds the most recent device each user has logged onto and any macro usage from that device. It retrieves identity information for the user: account name, UPN, job title, employee ID, country, and city. It requires the M365 Defender Device* tables and the Microsoft Sentinel UEBA data connectors. The query first joins the IdentityInfo and DeviceInfo tables on the logged-on user (taken from the first entry of the device's LoggedOnUsers array), then joins the result to the DeviceProcessEvents table on the device name. It restricts the results to events from the last 21 days whose initiating (parent) process is "EXCEL.EXE" and whose command line contains either ".xlsm" or ".xltm", the macro-enabled workbook and template extensions. The final result includes the timestamp, device name, logged-on user, identity information, parent process name, command line, and the SHA1/SHA256 hashes of the process that Excel launched.
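As an added example (not the author's query above), the same identity-enriched join carried through for the Word and PowerPoint macro-enabled formats as well, and summarised per user and device so repeat macro use stands out from a one-off event. The extension list and the regular expression are my assumptions; the column names are those of the tables used above.

```kql
// Added example, not part of the original query: the same identity-enriched
// detection widened to Word and PowerPoint macro-enabled formats and
// summarised per user/device so repeat macro use stands out from one-off events.
let lookback = 21d;
let id =
    IdentityInfo
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by AccountName
    | project LoggedOnUser = AccountName, AccountUPN, JobTitle, EmployeeId
    | join kind=inner (
        DeviceInfo
        | where TimeGenerated > ago(lookback)
        | summarize arg_max(TimeGenerated, *) by DeviceName
        // first entry of the LoggedOnUsers array is taken as the device's user
        | extend LoggedOnUser = tostring(LoggedOnUsers[0].UserName)
        | project DeviceName, LoggedOnUser
        ) on LoggedOnUser
    | project DeviceName, LoggedOnUser, AccountUPN, JobTitle, EmployeeId;
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
// cheap parent-process filter before the join; in~ is case-insensitive
| where InitiatingProcessFileName in~ ("EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE")
// pull the macro-enabled extension (assumed list) out of the command line, if present
| extend Ext = extract(@"\.(xlsm|xltm|xlam|docm|dotm|pptm|potm)\b", 1, tolower(InitiatingProcessCommandLine))
| where isnotempty(Ext)
| join kind=inner id on DeviceName
// one row per user/device/host/extension; child processes and hashes kept for triage
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Launches = count(),
    ChildProcesses = make_set(FileName, 20),
    ChildSHA256 = make_set(SHA256, 20)
    by LoggedOnUser, AccountUPN, JobTitle, EmployeeId, DeviceName,
       Host = toupper(InitiatingProcessFileName), Ext
| order by Launches desc
```

A user who appears with many launches, or with child processes other than the Office host's usual helpers, is the row to look at first.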

Details

Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, DeviceInfo, DeviceProcessEvents

Keywords

IdentityInfo,AccountName,LoggedOnUser,AccountUPN,JobTitle,EmployeeId,Country,City,DeviceInfo,DeviceName,LoggedOnUsers,DeviceProcessEvents,TimeGenerated,InitiatingProcessFileName,InitiatingProcessCommandLine,Process,Command,SHA1,SHA256

Operators

where, ago, summarize, arg_max, by, extend, project, join, kind, on, tostring, contains