# Defender for Endpoint - Device Control

## Query Information

### Description

Use the queries below to get Defender for Endpoint - Device Control related events.

#### References

- [Microsoft Defender for Endpoint Device Control Device Installation](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-device-control-device-installation?view=o365-worldwide#frequently-asked-questions)
- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide)
- [Device Control Printer Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/printer-protection?view=o365-worldwide)

Source: Microsoft documentation

### Microsoft 365 Defender

Events triggered by Device Installation policies:

```kql
DeviceEvents
| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
| extend parsed=parse_json(AdditionalFields)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
| project Timestamp, DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
| order by Timestamp desc
```

Check whether the Device Installation policy has been deployed to the target machine. Note that a registry event is only generated when the key is modified, so an already-deployed policy produces no row:

```kql
DeviceRegistryEvents
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\"
| order by Timestamp desc
```

RemovableStoragePolicyTriggered: event triggered by disk and file system level enforcement:

```kql
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed=parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
| order by Timestamp desc
```

Information about the evidence file (the copy of the file saved by the policy's file evidence option):

```kql
DeviceEvents
| where ActionType contains "RemovableStorageFileEvent"
| extend parsed=parse_json(AdditionalFields)
| extend Policy = tostring(parsed.Policy)
| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaInstanceId = tostring(parsed.InstanceId)
| extend MediaName = tostring(parsed.MediaName)
| extend MediaProductId = tostring(parsed.ProductId)
| extend MediaVendorId = tostring(parsed.VendorId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
| order by Timestamp desc
```

Show printing blocked by the Device Control Printer Protection policy:

```kql
DeviceEvents
| where ActionType == 'PrintJobBlocked'
| extend parsed=parse_json(AdditionalFields)
| extend PrintedFile=tostring(parsed.JobOrDocumentName)
| extend PrintPortName=tostring(parsed.PortName)
| extend PrinterName=tostring(parsed.PrinterName)
| extend Policy=tostring(parsed.RestrictionReason)
| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessAccountName, Policy, PrintedFile, PrinterName, PrintPortName, AdditionalFields
| order by Timestamp desc
```

Find the USB printer VID/PID. The PnP device ID has the form `USB\VID_xxxx&PID_yyyy\<serial>`, so the second backslash-separated segment is split on `&` and the `VID_`/`PID_` prefixes are stripped:

```kql
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend DeviceDescription = tostring(parsed.DeviceDescription)
| extend PrinterDeviceId = tostring(parsed.DeviceId)
| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&")
| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '')
| extend VID_PID = replace_string(VID_PID, 'PID_', '')
| extend ClassId = tostring(parsed.ClassId)
| extend VendorIds = tostring(parsed.VendorIds)
| where DeviceDescription == 'USB Printing Support'
| project Timestamp, DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed
| order by Timestamp desc
```
These queries retrieve the different types of events related to Defender for Endpoint - Device Control.
The first query retrieves events triggered by Device Installation policies, such as when a device is blocked or allowed. It includes information about the device, such as its class GUID, instance ID, and device ID.
The second query checks whether the Device installation policy has been deployed to the target machine by looking at registry events.
The third query retrieves events triggered by removable storage policy enforcement, including information about the access, verdict, bus type, class GUID, device ID, and more.
The fourth query provides information about evidence files related to removable storage events, including the policy, policy rule ID, class name, instance ID, and file information.
The fifth query shows events where printing is blocked by the Device Control Printer Protection policy. It includes details about the printed file, printer name, and policy restriction reason.
The sixth query is used to find the Vendor ID (VID) and Product ID (PID) of USB printers connected to the device. It includes information about the device description, class ID, and vendor IDs.
These queries can be used to monitor and analyze events related to device control in Defender for Endpoint.
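As an added example (not part of the original query set), the following Python reproduces the VID/PID extraction and the "USB Printing Support" filter of the last query over constructed `DeviceEvents`-shaped rows, which is handy for validating the parsing logic or post-processing exported hunting results offline. Device names, IDs and `AdditionalFields` values are made up.

```python
import json

# Constructed sample rows shaped like Advanced Hunting DeviceEvents results:
# AdditionalFields is a JSON string, as in the real table. All values are made up.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "PnpDeviceConnected",
     "AdditionalFields": json.dumps({"DeviceDescription": "USB Printing Support",
                                     "DeviceId": "USB\\VID_03F0&PID_1234\\SN0001"})},
    {"DeviceName": "ws01", "ActionType": "PnpDeviceConnected",
     "AdditionalFields": json.dumps({"DeviceDescription": "USB Input Device",
                                     "DeviceId": "USB\\VID_046D&PID_C31C\\6&1A2B"})},
    {"DeviceName": "ws02", "ActionType": "PnpDeviceConnected",
     "AdditionalFields": json.dumps({"DeviceDescription": "USB Printing Support",
                                     "DeviceId": "NOVIDPID"})},  # id without VID/PID shape
    {"DeviceName": "ws02", "ActionType": "RemovableStoragePolicyTriggered",
     "AdditionalFields": json.dumps({"RemovableStorageAccess": "Write"})},
]


def parse_vid_pid(pnp_device_id):
    # Mirror of the KQL split/replace_string chain: take the second
    # backslash-separated segment of an id such as USB\VID_03F0&PID_1234\SN0001
    # and return "VID/PID" with the prefixes stripped. Returns None where the id
    # lacks that shape (the KQL would emit a meaningless string there).
    segments = pnp_device_id.split("\\")
    if len(segments) < 2:
        return None
    ids = segments[1].split("&")
    if len(ids) < 2 or not ids[0].startswith("VID_") or not ids[1].startswith("PID_"):
        return None
    return f"{ids[0][4:]}/{ids[1][4:]}"


def usb_printers(events):
    # Equivalent of the last query: PnpDeviceConnected rows whose
    # DeviceDescription is "USB Printing Support", with the VID/PID extracted.
    rows = []
    for ev in events:
        if ev["ActionType"] != "PnpDeviceConnected":
            continue
        fields = json.loads(ev["AdditionalFields"])  # parse_json(AdditionalFields)
        if fields.get("DeviceDescription") != "USB Printing Support":
            continue
        rows.append({"DeviceName": ev["DeviceName"],
                     "VID_PID": parse_vid_pid(fields.get("DeviceId", ""))})
    return rows


if __name__ == "__main__":
    for row in usb_printers(SAMPLE_EVENTS):
        print(row)
```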

Alex Verboon
Released: October 5, 2023