Query Details

Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format.

MDE Antivirus Detections By Compromised Device

Query

let CompromisedDevices = dynamic (["laptop1", "server2"]);
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where ActionType == "AntivirusDetection"
| extend FileInfo = pack_dictionary("FileName", FileName, "FileLocation", FolderPath, "SHA1", SHA1, "SHA256", SHA256, "MD5", MD5)
| summarize TotalDetections = count(), MaliciousFiles = make_set(FileInfo) by DeviceName

About this query

Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format.


Defender XDR

let CompromisedDevices = dynamic (["laptop1", "server2"]);
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where ActionType == "AntivirusDetection"
| extend FileInfo = pack_dictionary("FileName", FileName, "FileLocation", FolderPath, "SHA1", SHA1, "SHA256", SHA256, "MD5", MD5)
| summarize TotalDetections = count(), MaliciousFiles = make_set(FileInfo) by DeviceName

Sentinel

Explanation

This query is designed to identify antivirus detection events on specific compromised devices within a specified time frame. Here's a simplified breakdown:

  1. Compromised Devices: The query focuses on two devices, "laptop1" and "server2", which are considered compromised.

  2. Time Frame: It looks at events that occurred within the last 48 hours, but this duration can be adjusted as needed.

  3. Data Source: The query searches through DeviceEvents to find relevant data.

  4. Event Filtering: It filters the events to only include those where the action type is "AntivirusDetection", indicating that the antivirus software detected something.

  5. File Information: For each detection event, it gathers information about the file involved, including its name, location, and various hash values (SHA1, SHA256, MD5). This information is stored in a JSON-like format.

  6. Summarization: The query then summarizes the data by counting the total number of detection events and compiling a list of unique malicious files for each device.

In essence, this query helps identify and summarize antivirus detection events on specified compromised devices over a recent time period, providing details about the malicious files detected.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceEvents

Keywords

DevicesAntivirusFileInfoDetections

Operators

letdynamicagohas_any==extendpack_dictionarysummarizecountmake_setby

Actions

GitHub