# List Connected USB Devices

## Query Information

#### Description
This query lists connection counts for all USB devices seen by Defender for Endpoint, grouped by device description. The overview gives you an indication of which USB devices are connected to the workstations and servers in your network, and it serves as a starting point for building specific detections on USB connections.

You can narrow the results to a particular kind of device by filtering on the description, for example by adding the following line before the `summarize` step:
```KQL
| where DeviceDescription has "ios"
```

#### References
- https://learn.microsoft.com/en-us/powershell/module/pnpdevice/?view=windowsserver2022-ps
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/advanced-hunting-updates-usb-events-machine-level-actions-and/ba-p/824152

## Defender For Endpoint
```KQL
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend PNPInfo = parse_json(AdditionalFields)
| extend ClassName = tostring(PNPInfo.ClassName), DeviceDescription = tostring(PNPInfo.DeviceDescription), VendorIds = tostring(PNPInfo.VendorIds), DeviceId = tostring(PNPInfo.DeviceId)
| extend PnPType = tostring(split(DeviceId, @"\", 0)[0])
| where PnPType == "USB"
| project-reorder ClassName, PnPType, DeviceDescription, VendorIds, DeviceId
| summarize TotalEvents = count() by DeviceDescription
| sort by TotalEvents
```
## Sentinel
```KQL
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend PNPInfo = parse_json(AdditionalFields)
| extend ClassName = tostring(PNPInfo.ClassName), DeviceDescription = tostring(PNPInfo.DeviceDescription), VendorIds = tostring(PNPInfo.VendorIds), DeviceId = tostring(PNPInfo.DeviceId)
| extend PnPType = tostring(split(DeviceId, @"\", 0)[0])
| where PnPType == "USB"
| project-reorder ClassName, PnPType, DeviceDescription, VendorIds, DeviceId
| summarize TotalEvents = count() by DeviceDescription
| sort by TotalEvents
```

## Explanation

This query retrieves connection statistics for all USB devices and their descriptions, giving an overview of the USB devices connected to workstations and servers in the network. It parses the `AdditionalFields` JSON of `PnpDeviceConnected` events, takes the first segment of the `DeviceId` (before the first backslash) as the PnP type, and keeps only events where that type is `USB`. The results are then summarized as the total number of connection events per device description, which can be used as the basis for specific USB detections.
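One way to turn the inventory query above into a detection, as an added example that is not part of the original page: it reuses the same `AdditionalFields` parsing and flags USB storage-class devices that appear on a host in the last day but were not seen on that host in the preceding 30 days. The `ClassName` values in the `in~` list and the use of `DeviceName`, `Timestamp` and `InitiatingProcessAccountName` from `DeviceEvents` are assumptions to adjust for your environment.

```kql
// Added example: first-seen USB storage devices per host (not from the original page).
let lookback = 30d;          // baseline window
let recent = 1d;             // detection window
let UsbConnections = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "PnpDeviceConnected"
| extend PNPInfo = parse_json(AdditionalFields)
| extend ClassName = tostring(PNPInfo.ClassName),
         DeviceDescription = tostring(PNPInfo.DeviceDescription),
         VendorIds = tostring(PNPInfo.VendorIds),
         DeviceId = tostring(PNPInfo.DeviceId)
// PnP type is the first segment of DeviceId, e.g. "USB" in USB\VID_xxxx&PID_xxxx\...
| extend PnPType = tostring(split(DeviceId, @"\", 0)[0])
| where PnPType == "USB";
// Baseline: USB devices each host connected before the recent window.
let Baseline = UsbConnections
| where Timestamp <= ago(recent)
| distinct DeviceName, DeviceId;
// Detection: storage-class USB devices seen in the recent window on a host
// where the same DeviceId does not appear in that host's baseline.
// Assumption: these setup class names cover the storage devices you care about.
UsbConnections
| where Timestamp > ago(recent)
| where ClassName in~ ("DiskDrive", "WPD", "USBDevice")
| join kind=leftanti Baseline on DeviceName, DeviceId
| summarize FirstSeen = min(Timestamp),
            Connections = count(),
            Users = make_set(InitiatingProcessAccountName, 10)
    by DeviceName, DeviceId, DeviceDescription, VendorIds, ClassName
| sort by FirstSeen desc
```

Tune `lookback` so the baseline covers normal device rotation, otherwise every device looks new after a quiet period.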

## Details

Author: Bert-Jan Pals

Released: October 27, 2023

Tables: DeviceEvents
