Query Details

MDE Antivirus Detections By Compromised Device

Query

# Find the DFE Antivirus events on compromised devices. FileInfo is stored in JSON format.
----
### Defender For Endpoint

```
let CompromisedDevices = dynamic (["laptop1", "server2"]);
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where ActionType == "AntivirusDetection"
| extend FileInfo = pack_dictionary("FileName", FileName, "FileLocation", FolderPath, "SHA1", SHA1, "SHA256", SHA256, "MD5", MD5)
| summarize TotalDetections = count(), MaliciousFiles = make_set(FileInfo) by DeviceName
```
### Sentinel
```
let CompromisedDevices = dynamic (["laptop1", "server2"]);
let SearchWindow = 48h; //Customizable h = hours, d = days
DeviceEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where ActionType == "AntivirusDetection"
| extend FileInfo = pack_dictionary("FileName", FileName, "FileLocation", FolderPath, "SHA1", SHA1, "SHA256", SHA256, "MD5", MD5)
| summarize TotalDetections = count(), MaliciousFiles = make_set(FileInfo) by DeviceName
```

Explanation

The query searches for Defender for Endpoint (DFE) antivirus events on devices already known to be compromised. It restricts DeviceEvents to the configured time window, keeps only rows whose DeviceName matches one of the listed compromised devices, and then keeps only events with the ActionType "AntivirusDetection". For each remaining event it builds a FileInfo property bag (a JSON object) holding the file name, its folder path and the SHA1, SHA256 and MD5 hashes. Finally, it summarizes per device: TotalDetections is the number of antivirus events, and MaliciousFiles is the set of distinct FileInfo objects, so the hashes of every file flagged on that device are available in a single row for triage or blocklisting.
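The FileInfo bag is only useful if it can be unpacked again, so the following is an added example (not part of the original query or its author's work) that flattens the per-device MaliciousFiles set back into one row per detected file and adds the threat name. It assumes that for AntivirusDetection events the AdditionalFields column carries a ThreatName property, which is how Microsoft's own hunting samples read it; the device names and the 48h window are placeholders. It uses bag_pack(), the current name for pack_dictionary(), which Microsoft now documents as a deprecated alias. For Sentinel, replace Timestamp with TimeGenerated as in the second query above.

```kql
// Added example, not from the original page. Assumes AdditionalFields.ThreatName
// is populated for AntivirusDetection events (placeholder device list and window).
let CompromisedDevices = dynamic(["laptop1", "server2"]);
let SearchWindow = 48h; // h = hours, d = days
DeviceEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName has_any (CompromisedDevices)
| where ActionType == "AntivirusDetection"
// Pull the threat name out of the JSON AdditionalFields column
| extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
// bag_pack() is the current name of pack_dictionary()
| extend FileInfo = bag_pack("FileName", FileName, "FileLocation", FolderPath,
                             "SHA1", SHA1, "SHA256", SHA256, "MD5", MD5,
                             "ThreatName", ThreatName)
| summarize TotalDetections = count(), MaliciousFiles = make_set(FileInfo) by DeviceName
// Expand the set so each distinct file becomes its own row again
| mv-expand MaliciousFile = MaliciousFiles
| extend FileName   = tostring(MaliciousFile.FileName),
         FolderPath = tostring(MaliciousFile.FileLocation),
         SHA256     = tostring(MaliciousFile.SHA256),
         ThreatName = tostring(MaliciousFile.ThreatName)
| project DeviceName, TotalDetections, FileName, FolderPath, SHA256, ThreatName
| order by DeviceName asc, ThreatName asc
```

The summarize-then-expand shape keeps TotalDetections per device on every row, which is convenient when the result is exported to a ticket; if only the hash list is needed, `distinct SHA256` at the end gives a deduplicated set to feed into a custom indicator.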

Details


Bert-Jan Pals

Released: May 10, 2023

Tables

DeviceEvents

Keywords

DFE,Antivirus,Devices,FileInfo,JSON

Operators

let, dynamic(), where, ago(), has_any, extend, pack_dictionary(), summarize, count(), make_set(), by