Query Details

List Malicious Activities

MDE List Malicious Activities

Query

let CompromisedDevice = "laptop1";
let SearchWindow = 48h; //Customizable h = hours, d = days
// Collect all ASR triggers from the compromised device
let ASREvents = DeviceEvents
     | where TimeGenerated > ago(SearchWindow)
     | where DeviceName == CompromisedDevice
     | where ActionType startswith "ASR"
     | project TimeGenerated,ActionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, AccountDomain, AccountName;
// Collect all SmartScreen events from the compromised device
let SmartScreenEvents = DeviceEvents
     | where TimeGenerated > ago(SearchWindow)
     | where DeviceName == CompromisedDevice
     | where ActionType in ('SmartScreenAppWarning', 'SmartScreenUrlWarning')
     | extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning", RemoteUrl, FileName), ReasonForTrigger = parse_json(AdditionalFields).Experience
     | project TimeGenerated, DeviceName, ActionType, SmartScreenTrigger, ReasonForTrigger, InitiatingProcessCommandLine;
// List all AV detections from the compromised device
let AntivirusDetections = DeviceEvents
     | where TimeGenerated > ago(SearchWindow)
     | where DeviceName == CompromisedDevice
     | where ActionType == "AntivirusDetection"
     | extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
     | project TimeGenerated, DeviceName, ActionType, ThreatName, FileName, FolderPath, SHA1, InitiatingProcessAccountSid;
// List all tampering actions from a compromised device
let TamperingAttempts = DeviceEvents
     | where TimeGenerated > ago(SearchWindow)
     | where DeviceName == CompromisedDevice
     | where ActionType == "TamperingAttempt"
     | extend TamperingAction = tostring(parse_json(AdditionalFields).TamperingAction), Status = tostring(parse_json(AdditionalFields).Status), Target = tostring(parse_json(AdditionalFields).Target)
     | project Timestamp, DeviceName, ActionType, TamperingAction, Status, Target, InitiatingProcessCommandLine;
// List all exploit guard events
let ExploitGuardEvents = DeviceEvents
     | where TimeGenerated > ago(SearchWindow)
     | where DeviceName == CompromisedDevice
     | where ActionType startswith "ExploitGuard"
     | project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, RemoteUrl, InitiatingProcessCommandLine;
// List all amsi events
let AMSIEvents = DeviceEvents
     | where TimeGenerated > ago(SearchWindow)
     | where DeviceName == CompromisedDevice
     | where ActionType contains "Amsi"
     | extend Description = tostring(parse_json(AdditionalFields).Description)
     | project TimeGenerated, DeviceName, ActionType, Description, FolderPath;
// Combine all results into one output
(union isfuzzy=true
     (ASREvents),
     (SmartScreenEvents),
     (AntivirusDetections),
     (TamperingAttempts),
     (ExploitGuardEvents),
     (AMSIEvents)
     | sort by TimeGenerated
)

About this query

Explanation

This query is designed to help you quickly identify and summarize various malicious activities that might have occurred on a compromised device. Here's a simple breakdown of what the query does:

  1. Device Specification: You need to specify the name of the compromised device you want to investigate. In this example, it's set to "laptop1".

  2. Time Frame: The query looks at events from the past 48 hours, but you can adjust this time window as needed.

  3. Event Collection: The query gathers different types of security-related events from the specified device:

    • ASR Triggers: These are events related to Attack Surface Reduction rules.
    • SmartScreen Events: These include warnings from Microsoft Defender SmartScreen, which helps protect against phishing and malware.
    • Antivirus Detections: These are events where the antivirus detected potential threats.
    • Tampering Detections: These are attempts to tamper with security settings.
    • Exploit Guard Triggers: These are events related to the Exploit Guard, which helps protect against various types of exploits.
    • AMSI Events: These involve the Antimalware Scan Interface, which helps detect malicious scripts.
  4. Data Processing: For each type of event, the query filters the data to include only those events that occurred on the specified device within the given time frame. It then extracts relevant details like timestamps, file names, actions taken, and more.

  5. Combining Results: Finally, the query combines all these different event types into a single, unified output, sorted by the time the events occurred. This allows you to see a comprehensive timeline of potentially malicious activities on the device.

By running this query, you can get a quick overview of suspicious activities on a compromised device, which can help in further investigation and response.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: September 29, 2025

Tables

DeviceEvents

Keywords

Devices

Operators

letwherestartswithprojectinextendiffparse_jsontostringcontainsunionisfuzzysortago

Actions

GitHub