Query Details

MDE Detecting Quick Assist Usage

Query

// MDE: Detecting Quick Assist Usage
// https://www.linkedin.com/posts/activity-7196570896965287936-jut0/

// SecOps can configure below custom KQL Defender detection to monitor Quick Assist usage in the organization

DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| where RemotePort == "443"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost == "remoteassistance.support.services.microsoft.com:443"

Explanation

This KQL (Kusto Query Language) query is designed to detect the usage of Quick Assist within an organization by monitoring network events. Here's a simple breakdown of what it does:

  1. Source Table: It looks at the DeviceNetworkEvents table, which logs network activities on devices.
  2. Filter by Action Type: It filters the events to only include those where the action type is HttpConnectionInspected, i.e. HTTP connections that Defender inspected (these events carry the parsed HTTP request details in AdditionalFields).
  3. Filter by Port: It further narrows down the events to those where the remote port is 443, the standard port for HTTPS connections.
  4. Extract Additional Information: It extracts additional connection information from the AdditionalFields column and stores it in a new column called ConnectInfo.
  5. Extract Host Information: From the ConnectInfo, it extracts the host field and stores it in a new column called HttpHost.
  6. Filter by Host: Finally, it filters the events to only include those where the HttpHost is remoteassistance.support.services.microsoft.com:443, which is the host used by Quick Assist.

In summary, this query helps security operations teams monitor and detect when Quick Assist is being used in their organization by looking for specific network connections to the Quick Assist service.
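An extended variant of the detection, added here as an example rather than taken from the original post: it keeps the same host-based filter but adds the context an analyst needs to triage a hit (device, initiating process and account, first/last seen). It assumes the standard DeviceNetworkEvents columns named below and that the host value may appear with or without the ":443" suffix, so it matches on the hostname prefix instead of the exact string.

```kql
// Added example, not part of the original post.
// Assumes the documented DeviceNetworkEvents schema (Timestamp, DeviceName,
// InitiatingProcessFileName, InitiatingProcessAccountName, AdditionalFields).
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "HttpConnectionInspected"
// RemotePort is an integer column, so compare against a number
| where RemotePort == 443
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = tostring(ConnectInfo.host)
// Assumption: tolerate the host being logged with or without ":443"
| where HttpHost startswith "remoteassistance.support.services.microsoft.com"
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Connections = count(),
    Processes   = make_set(InitiatingProcessFileName),
    Accounts    = make_set(InitiatingProcessAccountName)
    by DeviceName
| order by LastSeen desc
```

The Processes column lets an analyst confirm that the connection came from the Quick Assist client itself rather than from a browser or other process, and Accounts shows which user sessions were involved.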

Details


Steven Lim

Released: August 2, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, HttpConnectionInspected, RemotePort, AdditionalFields, HttpHost

Operators

==, |, extend, todynamic
