Query Details

LLM Hunting In An MDE Environment

Query

// LLM Hunting in an MDE Environment

// Build the list of model names from the exposure graph: every node labeled
// "baseModel" carries its model name under rawData.aiModelMetadata.modelName.
let LLM_ModelName =
ExposureGraphNodes
| where NodeLabel == "baseModel"
| project ModelName = tostring(parse_json(NodeProperties)["rawData"]["aiModelMetadata"]["modelName"]);
// Match file events from the last 30 days whose initiating process description,
// folder path, or file name contains any of those model names.
DeviceFileEvents
| where Timestamp > ago(30d)
| where InitiatingProcessVersionInfoFileDescription has_any (LLM_ModelName)
    or InitiatingProcessFolderPath has_any (LLM_ModelName)
    or InitiatingProcessFileName has_any (LLM_ModelName)

Explanation

This query identifies file events related to the language models present in a Microsoft Defender for Endpoint (MDE) environment over the past 30 days. Here's a simple breakdown:

  1. Identify Language Models:

    • The query first looks at a dataset called ExposureGraphNodes to find nodes labeled as "baseModel".
    • It extracts the model names from these nodes by parsing the JSON data to get the modelName from aiModelMetadata.
  2. Search for Related File Events:

    • It then examines DeviceFileEvents that have occurred in the last 30 days.
    • It filters these events to find any where the description, folder path, or file name of the initiating process matches any of the identified language model names.

In summary, the query is hunting for file events that are associated with specific language models by checking various attributes of the initiating process against the model names found in the environment.
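An added example, not part of Steven Lim's original query: the same hunt restructured for triage, assuming the same ExposureGraphNodes and DeviceFileEvents schema the query above relies on. It materializes a deduplicated, non-empty model list once and summarizes the matching events per device and initiating process, so a hunter reviews one row per process instead of one row per file event.

```kql
// LLM hunting in an MDE environment, summarized per initiating process.
// Assumes the same tables and NodeProperties layout as the query above.
let lookback = 30d;
let LLM_ModelName = materialize(
    ExposureGraphNodes
    | where NodeLabel == "baseModel"
    | extend ModelName = tostring(parse_json(NodeProperties).rawData.aiModelMetadata.modelName)
    | where isnotempty(ModelName)        // drop nodes with no model name
    | distinct ModelName                 // one entry per model
);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessVersionInfoFileDescription has_any (LLM_ModelName)
    or InitiatingProcessFolderPath has_any (LLM_ModelName)
    or InitiatingProcessFileName has_any (LLM_ModelName)
| summarize
    EventCount  = count(),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Actions     = make_set(ActionType, 10),   // e.g. FileCreated, FileModified
    SampleFiles = make_set(FileName, 20)      // a few touched files for context
    by DeviceName,
       InitiatingProcessFileName,
       InitiatingProcessFolderPath,
       InitiatingProcessVersionInfoFileDescription
| order by EventCount desc
```

has_any performs term matching, so very short or generic model names will produce noisy hits; the per-process summary makes such rows easy to recognize and exclude.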

Details


Steven Lim

Released: February 11, 2025

Tables

ExposureGraphNodes, DeviceFileEvents

Keywords

ExposureGraphNodes, DeviceFileEvents, Timestamp, InitiatingProcessVersionInfoFileDescription, InitiatingProcessFolderPath, InitiatingProcessFileName

Operators

let, |, where, ==, project, parse_json, [ ], has_any, or, >, ago
