# Defender for Endpoint - WSL Host and Version

## Query Information

### Description

Use the query below to identify the Windows host and the WSL version of a Defender for Endpoint-enabled WSL system.

#### References

### Microsoft 365 Defender

```kql
// WSL instances onboarded to Defender for Endpoint report OSPlatform == 'Linux'
// and carry the DeviceId of the Windows host in HostDeviceId.
DeviceInfo
| where OSPlatform == 'Linux' and isnotempty(HostDeviceId)
| summarize arg_max(TimeGenerated, *) by DeviceId
| project TimeGenerated, DeviceName, OSPlatform, DeviceId, HostDeviceId
// Resolve the host: latest DeviceInfo record of each Windows device.
// kind=inner is required; the default (innerunique) keeps only one WSL
// instance per host when several distros share the same HostDeviceId.
| join kind=inner (
    DeviceInfo
    | where OSPlatform contains "Windows"
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | extend HostOSPlatform = OSPlatform
    | extend HostDeviceName = DeviceName
    | extend HostDeviceId = DeviceId
    ) on $left.HostDeviceId == $right.HostDeviceId
| project TimeGenerated, DeviceName, OSPlatform, DeviceId, HostDeviceId, HostDeviceName, HostOSPlatform
// The WSL version comes from the version resource of wsl.exe as seen in the
// most recent process event it initiated on the host.
| join kind=inner (
    DeviceProcessEvents
    | where InitiatingProcessFileName == 'wsl.exe'
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | project InitiatingProcessVersionInfoProductVersion, InitiatingProcessVersionInfoFileDescription, InitiatingProcessFileName, DeviceId
    ) on $left.HostDeviceId == $right.DeviceId
```
This query finds the Windows host and the WSL version for each WSL system onboarded to Defender for Endpoint. It starts from the Linux `DeviceInfo` records that carry a non-empty `HostDeviceId`, joins them to the latest `DeviceInfo` record of the matching Windows device (device name, OS platform, device ID), and then joins the host's most recent `DeviceProcessEvents` record initiated by `wsl.exe`, whose `InitiatingProcessVersionInfoProductVersion` is the version stamped on the WSL binary. Two caveats: the query uses `TimeGenerated`, which is the column name when these tables are read through Microsoft Sentinel; in the Defender XDR Advanced Hunting portal the column is `Timestamp`. And because the last join is an inner join, a host with no `wsl.exe` process event inside the retention window drops out of the results together with its WSL instances.
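The same correlation written for the Defender XDR Advanced Hunting portal, as an added example that is not the page's original query: it uses `Timestamp`, splits the three sources into `let` statements, and switches the last join to `kind=leftouter` so WSL instances whose host has no recorded `wsl.exe` event are still listed with the version marked unknown. The column aliases (`WslLastSeen`, `WslVersion`, `WslExeLastRun` and so on) and the `let` names are chosen here for readability, not taken from the page.

```kql
// Added example: host/WSL correlation for the Defender XDR portal (Timestamp column).
let WslInstances = DeviceInfo
    | where OSPlatform == 'Linux' and isnotempty(HostDeviceId)
    | summarize arg_max(Timestamp, *) by DeviceId
    | project WslLastSeen = Timestamp, WslDeviceName = DeviceName, WslDeviceId = DeviceId, HostDeviceId;
let WindowsHosts = DeviceInfo
    | where OSPlatform contains "Windows"
    | summarize arg_max(Timestamp, *) by DeviceId
    | project HostDeviceId = DeviceId, HostDeviceName = DeviceName, HostOSPlatform = OSPlatform, HostOSVersion = OSVersion;
let WslBinaryVersion = DeviceProcessEvents
    | where InitiatingProcessFileName == 'wsl.exe'
    | summarize arg_max(Timestamp, *) by DeviceId
    | project HostDeviceId = DeviceId, WslExeLastRun = Timestamp, WslVersion = InitiatingProcessVersionInfoProductVersion;
WslInstances
// inner: every WSL instance must resolve to a Windows host record;
// several distros on one host all survive because kind is explicit.
| join kind=inner WindowsHosts on HostDeviceId
// leftouter: keep the row even when no wsl.exe process event exists for the host.
| join kind=leftouter WslBinaryVersion on HostDeviceId
| extend WslVersion = iff(isempty(WslVersion), 'unknown (no wsl.exe event in retention)', WslVersion)
| project WslLastSeen, WslDeviceName, WslDeviceId, HostDeviceId, HostDeviceName, HostOSPlatform, HostOSVersion, WslVersion, WslExeLastRun
| sort by HostDeviceName asc, WslDeviceName asc
```

Rows with `WslVersion` reading `unknown` are the ones the inner-join form silently drops; they usually mean WSL has not been launched on that host within the data retention period rather than that the host is misconfigured.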

Alex Verboon
Released: June 25, 2024