Query Details

Find RMM Processes

Query

DeviceProcessEvents
| where FileName has_any (
    "TacticalRMM",
    "Action1",
    "AeroAdmin",
    "AgentMon.exe",
    "Ammyy",
    "AnyDesk",
    "Atera",
    "AteraAgent.exe",
    "AteraRC.exe",
    "Auvik.Agent.exe",
    "Auvik.Engine.exe",
    "awesome-rat",
    "ccme_sm.exe",
    "chaos",
    "Chrome Remote Desktop",
    "ConnectWise",
    "DameWare Mini Remote Control",
    "Dameware",
    "Deployment tools",
    "Domotz.exe",
    "DomotzClient.exe",
    "eHorus",
    "Fixme",
    "FlawedAmmyy",
    "friendspeak",
    "Get2",
    "getandgo",
    "GetASRSettings.exe",
    "GoToAssist",
    "Intelliadmin",
    "ir_agent.exe",
    "klnagent.exe",
    "konea.exe",
    "kworking.exe",
    "LogMeIn.exe",
    "LogMeIn",
    "LTAService.exe",
    "LTClient.exe",
    "LTSvcMon.exe",
    "MeshCentral",
    "mRemoteNG",
    "NAPClt.exe",
    "NetSupport",
    "ngrok",
    "NinjaRMM.exe",
    "NinjaRMM",
    "NinjaRMMAgent.exe",
    "nssm",
    "OCS Agent",
    "PDQDeploy",
    "Plink",
    "Pulseway.TrayApp.exe",
    "PulsewayService.exe",
    "putty.exe",
    "QuickAssist",
    "BASupSrvc",
    "BASupSrvcCnfg",
    "Radmin",
    "RealVNC",
    "Remote Manipulator System",
    "Remote Utilities",
    "RemotePC",
    "rustdesk",
    "ScreenConnect.Client.exe",
    "ScreenConnect.ClientService.exe",
    "ScreenConnect.Service.exe",
    "ScreenConnect.WindowsClient.exe",
    "ScreenConnect",
    "Splashtop",
    "SupRemo",
    "Syncro",
    "tacticalrmm",
    "TakeControlRDViewer.exe",
    "Tanium",
    "teamviewer.exe",
    "TigerVNC",
    "TightVNC",
    "tmate",
    "UltraViewer",
    "VncClient.exe",
    "VNCconnect",
    "WAPT",
    "Webex remote",
    "winvnc.exe",
    "ZA_Connect.exe",
    "ZohoAssist"
    )
| summarize count() by FileName
| sort by count_ desc

Explanation

This query searches DeviceProcessEvents for process events whose FileName matches any of the listed values, then counts the occurrences of each file name and sorts them in descending order. Note that `has_any` performs case-insensitive whole-term matching rather than substring matching: an entry only matches when it appears as a complete term (or a run of consecutive terms) in the file name, so "Atera" on its own would not match "AteraAgent.exe", which is why several products appear both as a bare name and as their full executable name.
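As an added example (not part of the original query page), the following Python model emulates the `has_any` whole-term matching and the `summarize count() by FileName` step over a few constructed file names, so you can see which list entries can actually fire before tuning the query. The tokenizer is a simplified approximation of Kusto's term rules (an assumption, not the engine's own code), and the sample events are constructed, not real telemetry.

```python
import re
from typing import Iterable

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "FileName": "TeamViewer.exe"},
    {"DeviceName": "ws-02", "FileName": "AteraAgent.exe"},
    {"DeviceName": "ws-03", "FileName": "SplashtopStreamer.exe"},
    {"DeviceName": "ws-04", "FileName": "ScreenConnect.ClientService.exe"},
    {"DeviceName": "ws-05", "FileName": "notepad.exe"},
]

# Subset of the page's has_any list, kept short for the example.
RMM_TERMS = ["teamviewer.exe", "Atera", "AteraAgent.exe", "Splashtop",
             "ScreenConnect", "Chrome Remote Desktop", "ngrok"]

# Assumption: Kusto terms are modelled as runs of alphanumeric characters.
_TOKEN = re.compile(r"[A-Za-z0-9]+")


def terms(s: str) -> list[str]:
    """Approximate Kusto term splitting: alphanumeric runs, case-folded."""
    return [t.lower() for t in _TOKEN.findall(s)]


def kql_has(lhs: str, rhs: str) -> bool:
    """Model of `lhs has rhs`: rhs terms must appear whole and in order in lhs."""
    needle, hay = terms(rhs), terms(lhs)
    if not needle:
        return False
    return any(hay[i:i + len(needle)] == needle
               for i in range(len(hay) - len(needle) + 1))


def has_any(lhs: str, values: Iterable[str]) -> list[str]:
    """Return the list entries that would match lhs under has_any semantics."""
    return [v for v in values if kql_has(lhs, v)]


def summarize(events, values=RMM_TERMS) -> dict[str, int]:
    """Equivalent of `| summarize count() by FileName | sort by count_ desc`."""
    counts: dict[str, int] = {}
    for ev in events:
        if has_any(ev["FileName"], values):
            counts[ev["FileName"]] = counts.get(ev["FileName"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


def dead_entries(values, filenames) -> list[str]:
    """List entries matching none of the file names seen (candidates for tuning)."""
    return [v for v in values if not any(kql_has(f, v) for f in filenames)]
```

Run `summarize(SAMPLE_EVENTS)` to get the per-file-name counts, and `dead_entries(RMM_TERMS, [...])` against your own process inventory to spot entries that can never match a whole term.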

Details

Daniel Card

Released: September 5, 2023

Tables

DeviceProcessEvents

Keywords

Device, Process, Events

Operators

has_any, where, summarize, count(), by, sort by