Query Details

Potentially Unsanctioned Application Usage

Query

// This query looks for application names that may be unwanted
// Load the disallowed process list (one file name per line) from the GitHub-hosted text file
let DisallowedProcessNames = externaldata (DisallowedProcess: string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/DisallowedProcessList.txt'] with (format=txt);
DeviceProcessEvents
| where TimeGenerated > ago(90d)
// FileName is a case-insensitive exact match; InitiatingProcessFileName is a term match
| where FileName in~ (DisallowedProcessNames) or InitiatingProcessFileName has_any (DisallowedProcessNames) // or InitiatingProcessCommandLine has_any (DisallowedProcessNames)
// Build a VirusTotal lookup URL when a SHA1 is present; otherwise keep the (empty) SHA1
| extend VT_hash = iff(isnotempty(SHA1), strcat(@"https://www.virustotal.com/gui/file/", SHA1), SHA1)
| summarize count() by FileName, InitiatingProcessFileName, ProcessVersionInfoCompanyName // VT_hash, ProcessCommandLine

Explanation

This query is designed to identify potentially unwanted application names by checking against a list of disallowed process names. Here's a simple breakdown of what it does:

  1. Load Disallowed Process Names: It retrieves a list of disallowed process names from an external source, specifically a text file hosted on GitHub.

  2. Filter Device Process Events: It examines device process events that have occurred in the last 90 days.

  3. Match Against Disallowed Names: It filters these events to those where the file name is a case-insensitive exact match (in~) for a disallowed name, or where the initiating process file name contains a disallowed name as a whole term (has_any). A commented-out clause shows how the same term match could be applied to the initiating process command line.

  4. Generate VirusTotal Links: For each matching event, it creates a link to VirusTotal using the SHA1 hash, if available, to facilitate further investigation.

  5. Summarize Results: Finally, it summarizes the results by counting occurrences of each file name and initiating process file name, along with the company name associated with the process version information. Note that VT_hash and ProcessCommandLine are commented out of the summarize clause, so the VirusTotal link is not present in the output unless you add VT_hash back to the by clause (which also splits the counts per hash).
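The following Python is an added example, not part of the original query page or Jay Kerai's project. It emulates the query's matching and summarize logic offline over a constructed disallowed list and constructed DeviceProcessEvents rows, so you can see why FileName uses a case-insensitive exact match (in~) while InitiatingProcessFileName uses a term match (has_any), and how the VT_hash column is built. The term-matching helper is an approximation of KQL's whole-term semantics (alphanumeric runs separated by punctuation); the vendor names, hashes and file names are invented.

```python
import re
from collections import Counter

# Constructed stand-in for the GitHub-hosted DisallowedProcessList.txt (one name per line).
DISALLOWED = ["anydesk.exe", "teamviewer.exe", "utorrent.exe"]

# Constructed DeviceProcessEvents rows; hashes and company names are not real.
EVENTS = [
    {"FileName": "AnyDesk.exe", "InitiatingProcessFileName": "explorer.exe",
     "SHA1": "11" * 20, "ProcessVersionInfoCompanyName": "ExampleVendor A"},
    {"FileName": "AnyDesk.exe", "InitiatingProcessFileName": "explorer.exe",
     "SHA1": "", "ProcessVersionInfoCompanyName": "ExampleVendor A"},          # no hash recorded
    {"FileName": "cmd.exe", "InitiatingProcessFileName": "TeamViewer.exe",
     "SHA1": "22" * 20, "ProcessVersionInfoCompanyName": "ExampleVendor B"},   # parent is disallowed
    {"FileName": "msedge.exe", "InitiatingProcessFileName": "explorer.exe",
     "SHA1": "33" * 20, "ProcessVersionInfoCompanyName": "ExampleVendor C"},   # benign
    {"FileName": "utorrent-setup.exe", "InitiatingProcessFileName": "explorer.exe",
     "SHA1": "44" * 20, "ProcessVersionInfoCompanyName": "ExampleVendor D"},   # installer, not an exact match
]

TERM_RE = re.compile(r"[A-Za-z0-9]+")


def terms(text):
    """Split a string into lowercase alphanumeric terms, roughly how KQL tokenizes for has."""
    return [t.lower() for t in TERM_RE.findall(text)]


def has_any(text, needles):
    """Approximate KQL has_any: a needle matches when its term sequence appears
    as a contiguous run of whole terms inside the text (case-insensitive)."""
    hay = terms(text)
    for needle in needles:
        n = terms(needle)
        if not n:
            continue
        for i in range(len(hay) - len(n) + 1):
            if hay[i:i + len(n)] == n:
                return True
    return False


def in_ci(value, allowed):
    """KQL in~: case-insensitive exact match against the list."""
    return value.casefold() in {a.casefold() for a in allowed}


def vt_link(sha1):
    """The extend step: build the VirusTotal URL only when a SHA1 is present."""
    return f"https://www.virustotal.com/gui/file/{sha1}" if sha1 else sha1


def hunt(events, disallowed):
    """Apply the where / extend / summarize steps of the query.
    Returns (summary counts keyed like the summarize by clause, SHA1 -> VT link)."""
    hits = [e for e in events
            if in_ci(e["FileName"], disallowed)
            or has_any(e["InitiatingProcessFileName"], disallowed)]
    summary = Counter(
        (e["FileName"], e["InitiatingProcessFileName"], e["ProcessVersionInfoCompanyName"])
        for e in hits)
    links = {e["SHA1"]: vt_link(e["SHA1"]) for e in hits}
    return summary, links


if __name__ == "__main__":
    summary, links = hunt(EVENTS, DISALLOWED)
    for key, n in summary.items():
        print(n, *key)
    for sha1, link in links.items():
        print(sha1 or "<no SHA1>", "->", link or "<no link>")
```

Running it shows three hits: two AnyDesk.exe launches from explorer.exe (one with an empty VT link because the SHA1 was missing) and one cmd.exe whose parent is TeamViewer.exe. The utorrent-setup.exe row is not flagged, which is the trade-off of in~: an exact match avoids noisy partial matches but misses renamed or installer variants, whereas the looser has_any would flag "setup-anydesk.exe" for "anydesk.exe".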

Details

Jay Kerai

Released: November 11, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Intune

Operators

let, externaldata, with, format, |, where, >, ago, in~, or, has_any, extend, iff, isnotempty, strcat, summarize, count, by