Query Details
Service Creation RA Tools
Query
Tags:
Query:
DeviceEvents
| where ActionType == 'ServiceInstalled'
| extend parsed = parse_json(AdditionalFields)
| where parsed.ServiceName has_any ("screenconnect","Radmin", "Splashtop", "Atera", "AmmyyAdmin", "jumpcloud", "GoToAssist", "anydesk")
References:
Explanation
This query is looking for events on devices where a new service has been installed. Specifically, it filters for services that match certain remote access or management tools. Here's a breakdown:
- DeviceEvents: Start with the table that contains events from devices.
- where ActionType == 'ServiceInstalled': Filter to only include events where a service was installed.
- extend parsed = parse_json(AdditionalFields): Convert the 'AdditionalFields' column from JSON format to a more usable format.
- where parsed.ServiceName has_any ("screenconnect","Radmin", "Splashtop", "Atera", "AmmyyAdmin", "jumpcloud", "GoToAssist", "anydesk"): Further filter to include only those events where the service name matches one of the specified remote access or management tools.
In simple terms, this query identifies instances where specific remote access or management services were installed on devices.
Details
Ali Hussein
Released: September 13, 2023
Tables
DeviceEvents
Keywords
DeviceEvents
Operators
DeviceEvents|where=='ServiceInstalled'|extendparse_jsonAdditionalFields|wherehas_any("screenconnect","Radmin""Splashtop""Atera""AmmyyAdmin""jumpcloud""GoToAssist""anydesk")