Query Details

Security Alert Malware Detected in ISO

Query

// When Defender for Endpoint detects malware in an ISO file, retrieve the ISO file name, the directory it was found in, and the associated file hashes

// Data connector required for this query: SecurityAlert (a free table that other Defender products send alert information to)

SecurityAlert
| where ProviderName == "MDATP"
| where AlertName == "Malware was detected in an iso disc image file"
| mv-expand todynamic(Entities)
| extend Hashes = Entities.FileHashes
| mv-expand Hashes
| extend ['ISO File Name'] = tostring(Entities.Name)
| extend Directory = tostring(Entities.Directory)
| extend ['Hash Type'] = tostring(Hashes.Algorithm)
| extend Hash = tostring(Hashes.Value)
| where isnotempty(['ISO File Name'])
| project
    TimeGenerated,
    CompromisedEntity,
    ['ISO File Name'],
    Directory,
    ['Hash Type'],
    Hash

Explanation

This query retrieves information about ISO files in which Defender for Endpoint detected malware: the ISO file name, the directory it was found in, and the associated file hashes. It reads the SecurityAlert table (populated by the Security Alert data connector) and filters for alerts whose ProviderName is MDATP and whose AlertName matches the ISO detection. Because Entities is stored as a JSON string, the query converts it with todynamic() and expands it to one row per entity, then expands each entity's FileHashes array to one row per hash. Entities without a Name (for example host or process entities attached to the same alert) are dropped by the isnotempty() filter, and the remaining columns are projected for analysis.
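To make the shape of the Entities payload concrete, here is an added Python example (not part of the original page) that applies the same filter, expand and project steps to a constructed SecurityAlert row. The entity layout (Type, Name, Directory, FileHashes with Algorithm/Value) follows the SecurityAlert schema; the host name, path and hash values are placeholders.

```python
import json

# Constructed sample of one SecurityAlert row. Entities is a JSON string holding
# an array of entity objects, which is why the KQL query calls todynamic() first.
# Hashes, host name and paths are placeholders, not real indicators.
SAMPLE_ALERT = {
    "TimeGenerated": "2022-06-17T10:15:00Z",
    "ProviderName": "MDATP",
    "AlertName": "Malware was detected in an iso disc image file",
    "CompromisedEntity": "workstation01",
    "Entities": json.dumps([
        {"$id": "1", "Type": "host", "HostName": "workstation01"},  # no Name: filtered out
        {"$id": "2", "Type": "file", "Name": "invoice.iso",
         "Directory": "C:\\Users\\alice\\Downloads",
         "FileHashes": [
             {"$id": "3", "Type": "filehash", "Algorithm": "SHA1",
              "Value": "0000000000000000000000000000000000000001"},
             {"$id": "4", "Type": "filehash", "Algorithm": "SHA256",
              "Value": "00000000000000000000000000000000000000000000000000000000000000a1"},
         ]},
        {"$id": "5", "Type": "file", "Name": "unhashed.iso", "Directory": "D:\\tmp"},
    ]),
}

ISO_ALERT_NAME = "Malware was detected in an iso disc image file"


def extract_iso_hashes(alert: dict) -> list[dict]:
    """Mirror the KQL pipeline: filter on provider and alert name, expand Entities,
    fan out one row per file hash, and drop entities that carry no Name."""
    if alert.get("ProviderName") != "MDATP" or alert.get("AlertName") != ISO_ALERT_NAME:
        return []
    rows = []
    for entity in json.loads(alert["Entities"]):      # mv-expand todynamic(Entities)
        name = entity.get("Name", "")
        if not name:                                  # where isnotempty(['ISO File Name'])
            continue
        # mv-expand Hashes. A file entity with no FileHashes still yields one row with
        # empty hash columns here, so the file name is not lost (a choice made in this example).
        hashes = entity.get("FileHashes") or [{}]
        for h in hashes:
            rows.append({
                "TimeGenerated": alert["TimeGenerated"],
                "CompromisedEntity": alert["CompromisedEntity"],
                "ISO File Name": name,
                "Directory": entity.get("Directory", ""),
                "Hash Type": h.get("Algorithm", ""),
                "Hash": h.get("Value", ""),
            })
    return rows
```

Running it against the sample yields three rows: two for invoice.iso (SHA1 and SHA256) and one for unhashed.iso with empty hash columns, while the host entity is filtered out.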

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert, ProviderName, MDATP, AlertName, Malware, ISO file, ISO File Name, Directory, FileHashes, Entities, Hashes, Algorithm, Value, TimeGenerated, CompromisedEntity, Hash Type, Hash

Operators

mv-expand, extend, where, isnotempty, project
