Query Details
```kql
//Visualize the most common ISO files being mounted on your devices
//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType == "FileCreated"
//When an ISO file is mounted a .iso.lnk file is created, take that name and trim the .lnk out to retrieve the ISO name
| where FileName endswith "iso.lnk"
| extend ['ISO FileName'] = trim(@".lnk",FileName)
//Summarize and visualize the files
| summarize Count=count() by ['ISO FileName']
| top 20 by Count
| render barchart with (title="Most common ISO files being mounted")

//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType == "FileCreated"
//When an ISO file is mounted a .iso.lnk file is created, take that name and trim the .lnk out to retrieve the ISO name
| where FileName endswith "iso.lnk"
| extend ['ISO FileName'] = trim(@".lnk",FileName)
//Summarize and visualize the files
| summarize Count=count() by ['ISO FileName']
| top 20 by Count
| render columnchart
```
This query visualizes the most common ISO files being mounted on devices. It reads the DeviceFileEvents table, either through the M365 Defender data connector in Microsoft Sentinel or directly in Advanced Hunting (which requires the corresponding license). It keeps only FileCreated actions and identifies ISO mounts by the shortcut Windows writes when an image is mounted: a file whose name ends with "iso.lnk". It trims the ".lnk" suffix from that file name to recover the ISO name, then counts events per ISO name and renders the top 20 as a bar chart (Sentinel) or column chart (Advanced Hunting).
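The same filter-trim-count pipeline, replayed in Python over a handful of constructed DeviceFileEvents rows, as an added example that is not part of the original page or of the author's query collection. The row shape (TimeGenerated, ActionType, DeviceName, FileName) is assumed to match the columns the query touches, and the sample file names are invented. The helper reproduces two details of the KQL that are easy to miss: `endswith` is case-insensitive, and the unanchored `endswith "iso.lnk"` also matches an ordinary shortcut whose base name happens to end in "iso" (the constructed "Aviso.lnk" row), so a `strict` option is included that requires the full ".iso.lnk" suffix.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Reference "now" for the 30-day window, fixed so the example is reproducible.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)

# Constructed sample rows standing in for DeviceFileEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=1), "ActionType": "FileCreated",
     "DeviceName": "ws01", "FileName": "invoice_2022.iso.lnk"},
    {"TimeGenerated": NOW - timedelta(days=2), "ActionType": "FileCreated",
     "DeviceName": "ws02", "FileName": "invoice_2022.iso.lnk"},
    {"TimeGenerated": NOW - timedelta(days=3), "ActionType": "FileCreated",
     "DeviceName": "ws03", "FileName": "Win10_21H2.ISO.lnk"},   # mixed case, still matches
    {"TimeGenerated": NOW - timedelta(days=4), "ActionType": "FileModified",
     "DeviceName": "ws01", "FileName": "invoice_2022.iso.lnk"},  # wrong ActionType, dropped
    {"TimeGenerated": NOW - timedelta(days=45), "ActionType": "FileCreated",
     "DeviceName": "ws01", "FileName": "old_image.iso.lnk"},     # outside 30-day window
    {"TimeGenerated": NOW - timedelta(days=5), "ActionType": "FileCreated",
     "DeviceName": "ws04", "FileName": "Aviso.lnk"},             # plain shortcut, not an ISO
    {"TimeGenerated": NOW - timedelta(days=6), "ActionType": "FileCreated",
     "DeviceName": "ws05", "FileName": "report.docx"},           # unrelated file
]


def iso_name_from_shortcut(file_name):
    """Mirror of trim(@".lnk", FileName): drop the trailing .lnk so the ISO name remains."""
    if file_name.lower().endswith(".lnk"):
        return file_name[:-len(".lnk")]
    return file_name


def top_mounted_isos(events, now=NOW, lookback_days=30, top_n=20, strict=False):
    """Replay of the query: window, ActionType, suffix filter, trim, count, top N.

    strict=False reproduces the query's `endswith "iso.lnk"` exactly;
    strict=True requires ".iso.lnk", which excludes shortcuts like "Aviso.lnk".
    """
    suffix = ".iso.lnk" if strict else "iso.lnk"
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for event in events:
        if event["TimeGenerated"] <= cutoff:          # TimeGenerated > ago(30d)
            continue
        if event["ActionType"] != "FileCreated":      # ActionType == "FileCreated"
            continue
        if not event["FileName"].lower().endswith(suffix):  # KQL endswith is case-insensitive
            continue
        # summarize Count=count() by ['ISO FileName'] (grouping is case-sensitive, as in KQL)
        counts[iso_name_from_shortcut(event["FileName"])] += 1
    return counts.most_common(top_n)                  # top N by Count


if __name__ == "__main__":
    for iso_name, count in top_mounted_isos(SAMPLE_EVENTS):
        print(f"{count:>3}  {iso_name}")
    print("strict:", top_mounted_isos(SAMPLE_EVENTS, strict=True))
```

Running it lists invoice_2022.iso with two mounts first, and shows "Aviso" appearing only in the non-strict run; in a real investigation the strict suffix is the safer default, and grouping by DeviceName as well would show whether one ISO is spreading across many hosts.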

Matt Zorich
Released: June 17, 2022