Query Details

Rare Connections Made By Office

Query

# Hunt for the 20 most unusual connections made by Office.
----
### Defender For Endpoint

```
let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
// Everything after the Server Cache key path is the cached server entry Office wrote
| extend Connection = tostring(split(RegistryKey, ConnectionsMadeByOfficeRegKey, 1)[0])
// Pull the host name out of that entry: dot-separated labels of letters, digits and hyphens
| extend Domain = extract(@"(?i)([a-z0-9-]+\.)*[a-z0-9-]+\.[a-z]+", 0, Connection)
| summarize count(), InitiatingDevices = make_set(DeviceName) by Domain
// Rarest domains first
| top 20 by count_ asc
```
### Sentinel
```
let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains ConnectionsMadeByOfficeRegKey
// Everything after the Server Cache key path is the cached server entry Office wrote
| extend Connection = tostring(split(RegistryKey, ConnectionsMadeByOfficeRegKey, 1)[0])
// Pull the host name out of that entry: dot-separated labels of letters, digits and hyphens
| extend Domain = extract(@"(?i)([a-z0-9-]+\.)*[a-z0-9-]+\.[a-z]+", 0, Connection)
| summarize count(), InitiatingDevices = make_set(DeviceName) by Domain
// Rarest domains first
| top 20 by count_ asc
```
Explanation

This query hunts for the 20 most unusual connections made by Office. Office records the servers it has contacted under the Server Cache registry key, so the query selects RegistryValueSet events under that key, extracts the domain name from the registry key path, and summarizes the number of connections and the devices that initiated them per domain. Finally, it returns the 20 domains with the fewest connections, which are the candidates worth reviewing.
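The same Server Cache signal can be turned into a first-seen hunt rather than a plain low-count ranking: domains that Office contacted in the last 7 days but never in the 30 days before that. This is an added example, not part of the original query; the 7-day and 30-day windows are assumptions to tune per tenant.

```kql
// Added example: surface Office server domains that are new relative to a baseline period.
// Window lengths are assumptions; adjust to the data retention and size of the environment.
let ConnectionsMadeByOfficeRegKey = @'\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache';
let RecentWindow = 7d;
let BaselineWindow = 30d;
// All Server Cache writes over the full lookback, with the domain already extracted
let OfficeServerDomains = DeviceRegistryEvents
    | where Timestamp > ago(RecentWindow + BaselineWindow)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey contains ConnectionsMadeByOfficeRegKey
    | extend Connection = tostring(split(RegistryKey, ConnectionsMadeByOfficeRegKey, 1)[0])
    | extend Domain = extract(@"(?i)([a-z0-9-]+\.)*[a-z0-9-]+\.[a-z]+", 0, Connection)
    | where isnotempty(Domain);
// Domains seen by any device during the baseline period
let Baseline = OfficeServerDomains
    | where Timestamp <= ago(RecentWindow)
    | distinct Domain;
// Recent domains absent from the baseline, with the devices and Office processes involved
OfficeServerDomains
| where Timestamp > ago(RecentWindow)
| where Domain !in (Baseline)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
    InitiatingDevices = make_set(DeviceName),
    InitiatingProcesses = make_set(InitiatingProcessFileName) by Domain
| order by Connections asc
```

A single device reaching a never-before-seen domain from an Office process is a stronger lead than a low global count alone, which can still be dominated by legitimate but rarely used SharePoint or OneDrive tenants.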

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceRegistryEvents

Keywords

Keywords: DeviceRegistryEvents, ActionType, RegistryValueSet, RegistryKey, ConnectionsMadeByOfficeRegKey, split, extend, extract, summarize, count, InitiatingDevices, Domain, top

Operators

where, extend, split, extract, summarize, make_set, top