Query Details

Near Real Time NRT Custom Defender XDR Detection Isolation For Windows WhatsApp Security Risk

Query

// Near real-time (NRT) custom Defender XDR detection & isolation for Windows WhatsApp security risk
// https://www.linkedin.com/posts/activity-7222989513491460096-7M9Y/

Trigger & isolate device: 

DeviceFileEvents
| where ActionType == "FileCreated"                           // a new file written to disk
| where InitiatingProcessFileName contains "WhatsApp.exe"     // written by the WhatsApp for Windows process (case-insensitive substring match)
| where FileName endswith ".pyz" or FileName endswith ".pyzw" or FileName endswith ".php"   // Python zip application or PHP script; endswith is case-insensitive

Explanation

This query is meant to run as a Defender XDR custom detection rule with near real-time (NRT) frequency and the "Isolate device" response action attached. It looks for WhatsApp for Windows writing files with Python zip-application (.pyz, .pyzw) or PHP (.php) extensions to disk, which is what a received attachment of one of those types looks like in file telemetry, and isolates the device when such a file appears. Step by step:

  1. Data Source: It reads file activity events from devices (DeviceFileEvents), a table supported for NRT custom detections.
  2. Action Type: It keeps only events where a file was created (ActionType == "FileCreated"); renames, modifications and deletions are not considered.
  3. Process Filter: It keeps only events where the creating process name contains "WhatsApp.exe" (InitiatingProcessFileName contains "WhatsApp.exe"); contains is a case-insensitive substring match in KQL.
  4. File Type Filter: It keeps only files whose name ends with .pyz, .pyzw or .php; endswith is also case-insensitive, so REPORT.PHP matches as well.

When all four conditions match, the rule fires and the isolate-device action configured on the rule is applied to the device (the action is set in the rule's settings, not in the query). Because isolation cuts the device off from the network, run the query as a scheduled hunt first to see how often WhatsApp legitimately writes such files in your environment before attaching the isolation action. The coverage is deliberately narrow: only these three extensions and only FileCreated events, so other script types, or a file written under a temporary name and then renamed (which shows up as FileRenamed), fall outside the rule.
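To see exactly which rows the rule selects, and which it silently leaves out, the following is an offline re-implementation of the query's filter in Python, written as an added example for this page (it is not code from the original post or from Microsoft). It reproduces the KQL semantics that matter here (contains and endswith are case-insensitive, == is exact) and runs over constructed DeviceFileEvents rows. The action_types parameter, the DeviceFileEvent dataclass, and the write-then-rename pattern for the WS05 host are assumptions introduced for the example; whether WhatsApp actually writes downloads that way must be checked against real telemetry.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence

# File extensions the page's rule treats as risky when written by WhatsApp.exe:
# Python zip applications (.pyz/.pyzw) and PHP scripts (.php).
RISKY_EXTENSIONS = (".pyz", ".pyzw", ".php")


@dataclass(frozen=True)
class DeviceFileEvent:
    """Subset of DeviceFileEvents columns the rule reads, plus DeviceName for the action.
    (Hypothetical container for the example; the real table has many more columns.)"""
    Timestamp: str
    DeviceName: str
    ActionType: str
    FileName: str
    FolderPath: str
    InitiatingProcessFileName: str


def kql_contains(value: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def kql_endswith(value: str, suffix: str) -> bool:
    """KQL `endswith`: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def matches_rule(ev: DeviceFileEvent,
                 action_types: Sequence[str] = ("FileCreated",)) -> bool:
    """Reproduces the page's three where-clauses.

    The default action_types is exactly what the page checks (ActionType == "FileCreated").
    Passing ("FileCreated", "FileRenamed") is a widening of the page's rule, offered here
    as an assumption to show what the original misses, not taken from the page."""
    return (
        ev.ActionType in action_types
        and kql_contains(ev.InitiatingProcessFileName, "WhatsApp.exe")
        and any(kql_endswith(ev.FileName, ext) for ext in RISKY_EXTENSIONS)
    )


def devices_to_isolate(events: Iterable[DeviceFileEvent],
                       action_types: Sequence[str] = ("FileCreated",)) -> list[str]:
    """Distinct devices the rule would hand to the isolate-device response action."""
    return sorted({ev.DeviceName for ev in events if matches_rule(ev, action_types)})


# Constructed sample telemetry (not real Defender data).
# WS05 models a download first written under a temporary name and then renamed; this
# write pattern is an assumption for the example, not an observed WhatsApp behaviour.
SAMPLE_EVENTS = [
    DeviceFileEvent("2024-08-05T09:00:00Z", "WS01", "FileCreated", "invoice.pyz",
                    r"C:\Users\a\Downloads", "WhatsApp.exe"),
    DeviceFileEvent("2024-08-05T09:01:00Z", "WS02", "FileCreated", "REPORT.PHP",
                    r"C:\Users\b\Downloads", "WhatsApp.exe"),      # upper-case still matches
    DeviceFileEvent("2024-08-05T09:02:00Z", "WS03", "FileCreated", "photo.jpg",
                    r"C:\Users\c\Downloads", "WhatsApp.exe"),      # benign attachment
    DeviceFileEvent("2024-08-05T09:03:00Z", "WS04", "FileCreated", "index.php",
                    r"C:\Users\d\src", "chrome.exe"),              # not WhatsApp
    DeviceFileEvent("2024-08-05T09:04:00Z", "WS05", "FileCreated", "dl_1234.tmp",
                    r"C:\Users\e\Downloads", "WhatsApp.exe"),      # temp name, no match
    DeviceFileEvent("2024-08-05T09:04:01Z", "WS05", "FileRenamed", "tool.pyzw",
                    r"C:\Users\e\Downloads", "WhatsApp.exe"),      # rename: page's rule misses it
]


if __name__ == "__main__":
    print("page's rule (FileCreated only):", devices_to_isolate(SAMPLE_EVENTS))
    print("widened to renames as well:   ",
          devices_to_isolate(SAMPLE_EVENTS, ("FileCreated", "FileRenamed")))
```

Running it shows WS01 and WS02 isolated under the page's rule and WS05 only under the widened one; the first of those two lists is the blast radius you should review in a scheduled hunt before wiring the isolation action to an NRT rule.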

Details


Steven Lim

Released: August 5, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

==, contains, endswith, or

Actions