Query Details

ISO Virtual DVD ROM File Mount

Query

DeviceEvents
| where ActionType == @"UsbDriveMounted"
// Mounting of a virtual DVD-ROM, i.e. an ISO file - useful for hunting Rougeplanet.
// The comparison below is exact, so the literal keeps the trailing space of the recorded ProductName value.
| where parse_json(AdditionalFields)["ProductName"] == 'Virtual DVD-ROM '
// Block mounting of ISO files in Device Control policies.

Explanation

This query filters DeviceEvents to surface one specific kind of drive-mount event. Here's a simple breakdown:

  1. Data Source: The query reads the DeviceEvents table, which records device activity events, including removable-drive mounts.

  2. Filter by Action: It keeps only rows whose ActionType is "UsbDriveMounted", i.e. events where a drive has been mounted.

  3. Filter by Product Name: It then parses the AdditionalFields JSON and keeps rows whose ProductName equals the literal 'Virtual DVD-ROM ' (an exact match, trailing space included). That product name identifies the mounted device as a virtual DVD-ROM, which is how Windows exposes an ISO image once it is mounted.

  4. Purpose: The comment in the query says the results are useful for hunting "Rougeplanet", which appears to be a code name for a specific threat or activity of interest.

  5. Security Implication: The comment also advises blocking the mounting of ISO files through device control policies as a preventive measure.

In summary, this query detects when virtual DVD-ROMs (mounted ISO files) appear on devices, which can be a starting point for a security investigation or a threat-hunting exercise.
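The filtering logic of the query, run over a few constructed DeviceEvents rows as an added Python example (not code from the page or from the author). The rows are made up; ActionType, AdditionalFields and ProductName come from the query, while DeviceName and Timestamp are assumed column names used only for illustration. Row 5 shows the edge case of a ProductName recorded without the trailing space, which the query's exact comparison would miss:

```python
import json
from collections import Counter

# Constructed sample rows shaped like the DeviceEvents table the query reads.
# AdditionalFields is the JSON string that parse_json() unpacks in KQL.
# DeviceName and Timestamp are assumed column names used here for illustration.
SAMPLE_DEVICE_EVENTS = [
    # 1) ISO mount: ProductName recorded with the trailing space the query matches on
    {"Timestamp": "2026-06-09T10:02:11Z", "DeviceName": "ws-finance-01",
     "ActionType": "UsbDriveMounted",
     "AdditionalFields": json.dumps({"ProductName": "Virtual DVD-ROM ", "Manufacturer": "Msft"})},
    # 2) Ordinary USB stick: must not match
    {"Timestamp": "2026-06-09T10:05:40Z", "DeviceName": "ws-finance-01",
     "ActionType": "UsbDriveMounted",
     "AdditionalFields": json.dumps({"ProductName": "Cruzer Blade", "Manufacturer": "SanDisk"})},
    # 3) Same product name but a different ActionType: dropped by the first where clause
    {"Timestamp": "2026-06-09T10:30:00Z", "DeviceName": "ws-finance-01",
     "ActionType": "UsbDriveUnmounted",
     "AdditionalFields": json.dumps({"ProductName": "Virtual DVD-ROM ", "Manufacturer": "Msft"})},
    # 4) Malformed AdditionalFields: parse_json() yields null in KQL, so no match
    {"Timestamp": "2026-06-09T11:00:00Z", "DeviceName": "ws-hr-02",
     "ActionType": "UsbDriveMounted",
     "AdditionalFields": "not-json"},
    # 5) ProductName without the trailing space: an exact comparison misses this one
    {"Timestamp": "2026-06-09T11:15:00Z", "DeviceName": "ws-hr-02",
     "ActionType": "UsbDriveMounted",
     "AdditionalFields": json.dumps({"ProductName": "Virtual DVD-ROM", "Manufacturer": "Msft"})},
]

VIRTUAL_DVD_PRODUCT_NAME = "Virtual DVD-ROM "  # literal from the query, trailing space included


def parse_additional_fields(raw):
    """Mimic KQL parse_json(): return a dict, or an empty dict when the value is not a JSON object."""
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def is_virtual_dvd_mount(event, exact=True):
    """Apply both where clauses of the query to one DeviceEvents row.

    exact=True reproduces the query's == comparison (the trailing space must match);
    exact=False trims whitespace on both sides, which also catches row 5 above.
    """
    if event.get("ActionType") != "UsbDriveMounted":
        return False
    product_name = parse_additional_fields(event.get("AdditionalFields")).get("ProductName")
    if not isinstance(product_name, str):
        return False
    if exact:
        return product_name == VIRTUAL_DVD_PRODUCT_NAME
    return product_name.strip() == VIRTUAL_DVD_PRODUCT_NAME.strip()


def hunt_iso_mounts(events, exact=True):
    """Return the rows the query would emit, in input order."""
    return [e for e in events if is_virtual_dvd_mount(e, exact=exact)]


def iso_mounts_per_device(events, exact=True):
    """Count hits per device, as a trailing 'summarize count() by DeviceName' would."""
    return Counter(e["DeviceName"] for e in hunt_iso_mounts(events, exact=exact))


if __name__ == "__main__":
    for hit in hunt_iso_mounts(SAMPLE_DEVICE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], "mounted a virtual DVD-ROM (ISO)")
    print("per device, trimmed comparison:",
          dict(iso_mounts_per_device(SAMPLE_DEVICE_EVENTS, exact=False)))
```

With the exact comparison only row 1 is returned; with the trimmed comparison rows 1 and 5 are. In KQL the trimmed variant corresponds to normalising the parsed value (for example with trim_end()) before the == comparison, at the cost of a slightly looser match.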

Details

Jay Kerai

Released: June 9, 2026

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, AdditionalFields, ProductName, Virtual DVD-ROM, ISO files, Rougeplanet, Device Control policies

Operators

|, where, ==, parse_json, [""]