Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format.
MDE Antivirus Detections By Compromised Device
Query
let CompromisedDevices = dynamic (["laptop1", "server2"]);
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where ActionType == "AntivirusDetection"
| extend FileInfo = pack_dictionary("FileName", FileName, "FileLocation", FolderPath, "SHA1", SHA1, "SHA256", SHA256, "MD5", MD5)
| summarize TotalDetections = count(), MaliciousFiles = make_set(FileInfo) by DeviceNameAbout this query
Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format.
Defender XDR
let CompromisedDevices = dynamic (["laptop1", "server2"]);
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where ActionType == "AntivirusDetection"
| extend FileInfo = pack_dictionary("FileName", FileName, "FileLocation", FolderPath, "SHA1", SHA1, "SHA256", SHA256, "MD5", MD5)
| summarize TotalDetections = count(), MaliciousFiles = make_set(FileInfo) by DeviceName
Sentinel
Explanation
This query is designed to identify antivirus detection events on specific compromised devices within a specified time frame. Here's a simplified breakdown:
-
Compromised Devices: The query focuses on two devices, "laptop1" and "server2", which are considered compromised.
-
Time Frame: It looks at events that occurred within the last 48 hours, but this duration can be adjusted as needed.
-
Data Source: The query searches through
DeviceEventsto find relevant data. -
Event Filtering: It filters the events to only include those where the action type is "AntivirusDetection", indicating that the antivirus software detected something.
-
File Information: For each detection event, it gathers information about the file involved, including its name, location, and various hash values (SHA1, SHA256, MD5). This information is stored in a JSON-like format.
-
Summarization: The query then summarizes the data by counting the total number of detection events and compiling a list of unique malicious files for each device.
In essence, this query helps identify and summarize antivirus detection events on specified compromised devices over a recent time period, providing details about the malicious files detected.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators