Query Details

Device Network Events Suspicious Process Connection To Cloudfront Domain

Query

DeviceNetworkEvents
| where RemoteUrl matches regex @"d\d[a-z0-9]{12}\.cloudfront\.net" and (InitiatingProcessParentFileName has "msiexec.exe" or InitiatingProcessCommandLine has "/Install")
| project
    TimeGenerated,
    DeviceName,
    LocalIP,
    ActionType,
    InitiatingProcessParentCreationTime,
    InitiatingProcessParentFileName,
    InitiatingProcessCreationTime,
    InitiatingProcessAccountUpn,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    Protocol,
    RemoteUrl,
    RemoteIP,
    RemotePort

Explanation

This query reads DeviceNetworkEvents and keeps connections whose RemoteUrl matches the hostname pattern of a CloudFront distribution ("d", a digit, twelve more alphanumerics, then ".cloudfront.net") and that were made in an installer context: either the parent of the initiating process is msiexec.exe, or the initiating process's own command line contains the term "Install" (for example a "/Install" switch). The idea is to surface installers pulling content from an arbitrary CloudFront distribution, since a CDN that is otherwise trusted is a convenient place to host a second stage. The project clause then keeps the columns needed for triage: the time, device and local IP, the action type, the parent and initiating process names, creation times, account, folder path and command line, and the protocol, remote URL, IP and port.

A few points to keep in mind when tuning it. "has" is a whole-term, case-insensitive match, so "/install" fires but "Installer" in a path does not. Because the first branch tests the parent's file name, a child spawned by msiexec.exe fires, while msiexec.exe itself connecting to CloudFront (for example with "/i package.msi") does not unless its command line happens to contain the term "Install". "matches regex" is case-sensitive, so the pattern assumes a lowercase hostname in RemoteUrl. Legitimate software updaters also fetch from CloudFront, so expect to exclude known-good InitiatingProcessFolderPath or RemoteUrl values once the query has run in your environment for a while.
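To see exactly which rows the where clause keeps, the following is an added example (not part of the original query page) that reimplements the predicate and the projection in Python and runs it over a handful of constructed DeviceNetworkEvents-shaped rows. The KQL "has" operator is approximated as a case-insensitive whole-term match bounded by non-alphanumeric characters, which is an assumption about its term semantics; the CloudFront regex is the query's own, with the dots in "cloudfront.net" escaped. Device names, paths and URLs are invented sample data.

```python
import re
from typing import Dict, List

# Columns kept by the query's `project` clause.
PROJECTED = [
    "TimeGenerated", "DeviceName", "LocalIP", "ActionType",
    "InitiatingProcessParentCreationTime", "InitiatingProcessParentFileName",
    "InitiatingProcessCreationTime", "InitiatingProcessAccountUpn",
    "InitiatingProcessFolderPath", "InitiatingProcessCommandLine",
    "Protocol", "RemoteUrl", "RemoteIP", "RemotePort",
]

# Same pattern as the query's `matches regex` (case-sensitive, like KQL).
CLOUDFRONT_RE = re.compile(r"d\d[a-z0-9]{12}\.cloudfront\.net")


def kql_has(lhs: str, rhs: str) -> bool:
    """Approximation of KQL `has` (assumption, not the engine's own code):
    case-insensitive, and the RHS must appear as a whole term, i.e. bounded by
    non-alphanumerics or string edges. Leading/trailing punctuation on the RHS
    (the "/" in "/Install") is not part of the term."""
    core = re.sub(r"^[^0-9A-Za-z]+|[^0-9A-Za-z]+$", "", rhs)
    if not core:
        return False
    pattern = r"(?<![0-9A-Za-z])" + re.escape(core) + r"(?![0-9A-Za-z])"
    return re.search(pattern, lhs, flags=re.IGNORECASE) is not None


def matches_query(e: Dict[str, str]) -> bool:
    """The `where` clause: CloudFront destination AND installer context."""
    return bool(CLOUDFRONT_RE.search(e.get("RemoteUrl", ""))) and (
        kql_has(e.get("InitiatingProcessParentFileName", ""), "msiexec.exe")
        or kql_has(e.get("InitiatingProcessCommandLine", ""), "/Install")
    )


def run_query(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """`where` followed by `project`: keep matching rows, restricted to PROJECTED."""
    return [{k: e.get(k, "") for k in PROJECTED} for e in events if matches_query(e)]


def ev(device: str, parent: str, cmdline: str, url: str, proc: str = "setup.exe") -> Dict[str, str]:
    """Build one constructed DeviceNetworkEvents-shaped row (sample data, not real telemetry)."""
    return {
        "TimeGenerated": "2024-03-18T09:00:00Z", "DeviceName": device, "LocalIP": "10.0.0.11",
        "ActionType": "ConnectionSuccess",
        "InitiatingProcessParentCreationTime": "2024-03-18T08:59:00Z",
        "InitiatingProcessParentFileName": parent,
        "InitiatingProcessCreationTime": "2024-03-18T08:59:30Z",
        "InitiatingProcessFileName": proc,  # present in the table but dropped by `project`
        "InitiatingProcessAccountUpn": "alice@example.com",
        "InitiatingProcessFolderPath": "C:\\Users\\alice\\Downloads\\" + proc,
        "InitiatingProcessCommandLine": cmdline,
        "Protocol": "Tcp", "RemoteUrl": url, "RemoteIP": "203.0.113.10", "RemotePort": "443",
    }


CF = "https://d1abcdefghijk2.cloudfront.net/pkg.bin"  # constructed distribution hostname

SAMPLE_EVENTS = [
    # ws01: child of msiexec.exe fetching from CloudFront -> fires (parent branch)
    ev("ws01", "msiexec.exe", r'"C:\Windows\Temp\updater.exe"', CF, proc="updater.exe"),
    # ws02: installer launched from Explorer with a /Install switch -> fires (command-line branch)
    ev("ws02", "explorer.exe", r'"C:\Users\alice\Downloads\setup.exe" /Install /quiet', CF),
    # ws03: same switch in lower case -> still fires, `has` is case-insensitive
    ev("ws03", "explorer.exe", r'"C:\Users\alice\Downloads\setup.exe" /install', CF),
    # ws04: "Installer" is a different whole term -> does not fire
    ev("ws04", "explorer.exe", r'"C:\Program Files\Installer\app.exe"', CF, proc="app.exe"),
    # ws05: msiexec child, but the destination is not CloudFront -> does not fire
    ev("ws05", "msiexec.exe", r'"C:\Windows\Temp\updater.exe"',
       "https://cdn.example.com/pkg.bin", proc="updater.exe"),
    # ws06: msiexec.exe itself connecting (parent services.exe, "/i" switch) -> does not fire:
    # the query keys on the *parent* name and on the literal term "Install"
    ev("ws06", "services.exe", r"msiexec.exe /i C:\Windows\Temp\pkg.msi /qn", CF, proc="msiexec.exe"),
]


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row["DeviceName"], row["InitiatingProcessParentFileName"], row["InitiatingProcessCommandLine"])
```

Running it prints the three rows that fire (ws01, ws02, ws03); ws06 is the case worth remembering when deciding whether to add a second branch for msiexec.exe as the initiating process itself.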

Details

Jose Sebastián Canós

Released: March 18, 2024

Tables

DeviceNetworkEvents

Keywords

Device,Network,Events,RemoteUrl,InitiatingProcessParentFileName,InitiatingProcessCommandLine,TimeGenerated,DeviceName,LocalIP,ActionType,InitiatingProcessParentCreationTime,InitiatingProcessCreationTime,InitiatingProcessAccountUpn,InitiatingProcessFolderPath,Protocol,RemoteIP,RemotePort.

Operators

where, matches regex, has, or, project