KQL Search

Query Details

HomeAI ToolsDevice Query

Lo L Drivers

Query

let LoLDrivers = materialize((externaldata(response: string) [@"https://www.loldrivers.io/api/drivers.csv"] with (format="txt"))
| extend data = parse_csv(response)
| extend ID = tostring(data[0]),
         Author = tostring(data[1]),
         Created = todatetime(data[2]),
         Command = tostring(data[3]),
         Description = tostring(data[4]),
         Usecase = tostring(data[5]),
         Category = tostring(data[6]),
         Privileges = tostring(data[7]),
         MitreID = tostring(data[8]),
         OperatingSystem = tostring(data[9]),
         Resources = tostring(data[10]),
         DriverDescription = tostring(data[11]),
         Person = tostring(data[12]),
         Handle = tostring(data[13]),
         Detection = tostring(data[14]),
         KnownMD5 = tostring(data[15]),
         KnownSHA1 = tostring(data[16]),
         KnownSHA256 = tostring(data[17]),
         KnownPublisher = tostring(data[18]),
         KnownPublishedDate = tostring(data[19]),
         KnownPublishedCompany = tostring(data[20]),
         KnownPublishedDescription = tostring(data[21]),
         Verified = tostring(data[22]),
         Tags = tostring(data[23])
| project-away response, ['data']
| where Tags != "Tags"); // get rid of header row
let SHA1Matches = LoLDrivers
| join hint.strategy=broadcast kind=inner (
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where SHA1 != ""
    ) on $left.KnownSHA1 == $right.SHA1;
let SHA256Matches = LoLDrivers
| join hint.strategy=broadcast kind=inner (
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | where SHA256 != ""
    | where SHA256 != "0000000000000000000000000000000000000000000000000000000000000000"
    ) on $left.KnownSHA256 == $right.SHA256;
union SHA1Matches, SHA256Matches
| distinct Timestamp, DeviceName, ActionType, FileName, Description=KnownPublishedDescription, Category, Verified, Resources, SHA1, SHA256, InitiatingProcessAccountName, FileOriginUrl, DeviceId, ReportId
| sort by Timestamp

Explanation

The query retrieves data from an external source (https://www.loldrivers.io/api/drivers.csv) and transforms it into a table called LoLDrivers. It then joins this table with another table called DeviceFileEvents based on matching SHA1 and SHA256 values. The resulting matches are combined and sorted to produce a final result table with selected columns.

Details

C.J. May profile picture

C.J. May

Released: May 16, 2023

Tables

LoLDriversDeviceFileEvents

Keywords

Devices,Intune,User

Operators

materializeexternaldatawithformatparse_csvextendtostringtodatetimeproject-awaywherejoinhint.strategykindon$left$rightuniondistinctsort by

Actions