Query Details

Music Folder Execution

Query

Tags:

Query:
DeviceFileEvents
// Executables dropped into a user's Music folder; contains/endswith are case-insensitive
| where ActionType == @"FileCreated" and FolderPath contains "users" and FolderPath contains "music" and FileName endswith ".exe"
// Exclude SYSTEM-initiated writes and Parallels tooling; != is case-sensitive, so match the table's casing exactly
    and InitiatingProcessAccountName != @"system" and InitiatingProcessVersionInfoCompanyName != @"Parallels International GmbH"
// Enrich with file reputation data; filtering first keeps the enrichment set small
| invoke FileProfile()
// Keep only files Microsoft has rarely observed worldwide
| where GlobalPrevalence <= 10
References:

Explanation

This query is looking for specific file creation events on devices. Here's a simple summary:

  1. Source Table: It starts from the DeviceFileEvents table, which records file create, modify, delete and rename events on onboarded devices.
  2. File Creation: It filters for events where a file was created (ActionType == "FileCreated").
  3. Folder Path: It narrows to files created in folders whose path includes both "music" and "users". The KQL contains operator is case-insensitive, so a path such as C:\Users\<name>\Music\ matches regardless of casing.
  4. File Type: It keeps only files whose names end in ".exe" (executables). endswith is also case-insensitive, so ".EXE" matches too.
  5. Exclusions: It drops events initiated by the "system" account or by a process whose version information names "Parallels International GmbH" as the company. Unlike contains and endswith, != is case-sensitive, so each literal must match the casing stored in the table exactly or the row is not excluded.
  6. File Profile: It calls the FileProfile() enrichment function, which by default keys on the SHA1 column and adds file reputation fields such as GlobalPrevalence.
  7. Global Prevalence: Finally, it keeps only rows whose GlobalPrevalence is 10 or less, meaning Microsoft has observed the file on very few devices worldwide. Rows where enrichment returned no prevalence are also dropped, because a comparison against a null value does not evaluate to true in KQL.

In essence, this query identifies rare executable files created in specific user music directories, excluding those created by system processes or Parallels software.

Details


Ali Hussein

Released: October 11, 2023

Tables

DeviceFileEvents

Keywords

Devices

Operators

==, and, contains, endswith, !=, invoke, <=
