Query Details

Non-Familiar DHCP Domains Configured On Our Devices

Query

**Detecting non-familiar DHCP domains configured on our devices**

**Description**: Since my users handle sensitive or critical information, I am not really happy when their local device configuration is modified and their network relies on airport, hotel, or nearest-coffee-shop Wi-Fi.
This query checks whether the TCP/IP registry key has been modified and its DHCP domain is now managed by a non-trusted/unknown network. It would help me restrict their access to enterprise data until I am 100% sure they are using a VPN or are back on the enterprise DHCP domain.

```
DeviceRegistryEvents
| where RegistryKey contains "tcpip"
| where RegistryValueName contains "dhcpdomain"
// To reduce false positives: drop values containing "192." (local IP literals rather than DNS suffixes),
// keep only values containing a "." (single-label suffixes such as "home" come from home routers),
// and drop one specific country-code TLD (.es)
| where RegistryValueData !contains "192." and RegistryValueData contains "." and RegistryValueData !endswith ".es"
```

Explanation

This query is designed to detect if the DHCP domain configuration on a device has been changed to an untrusted or unfamiliar network, such as those found in public places like airports, hotels, or coffee shops. Here's a simplified breakdown:

  1. Source of Data: The query looks at `DeviceRegistryEvents`, i.e. changes to the device's registry, narrowed to the TCP/IP settings. The Windows DHCP client writes the suffix it received as the `DhcpDomain` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` (globally and per interface), so that value is what changes when the device joins a new network.
  2. Filtering Criteria:
    • It keeps events whose registry key contains "tcpip" (`contains` is case-insensitive in KQL).
    • It further filters to events whose registry value name contains "dhcpdomain".
  3. Exclusions:
    • It excludes values containing "192.", i.e. entries that are local IP addresses rather than DNS suffixes.
    • It keeps only values that contain a period ("."), which drops the single-label suffixes (for example "home" or "lan") that home routers typically hand out.
    • It excludes values ending with ".es", suppressing one country-code TLD; note that this suppresses every domain under that TLD, not only the enterprise one, so adjust this clause to the suffixes that are actually trusted in your environment.

The goal is to identify devices that might be connecting to untrusted networks and restrict their access to enterprise data until they are confirmed to be using a secure connection, like a VPN, or are back on the enterprise network. Because `DhcpDomain` is rewritten every time the device obtains a lease, a hit only tells you which network the device was on at that point in time; the query surfaces the event, and the access restriction itself has to be applied by whatever conditional-access or device-compliance control you already operate.
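The following is an added example, not the query on this page nor the author's own; it is a stricter variant that replaces the country-TLD exclusion with an allowlist of enterprise DHCP suffixes and generalises the "192." test to any IP literal. The suffixes `corp.example.com` and `example.com`, the 7-day window, and the `TrustedDhcpSuffixes` name are placeholders to replace with your own values:

```kql
// Added example, not the original query. TrustedDhcpSuffixes is a placeholder
// regex: edit it to the DHCP domain suffixes your own DHCP servers hand out.
let TrustedDhcpSuffixes = @"(^|\.)(corp\.example\.com|example\.com)$";
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
// Per-interface DHCP settings live under ...\Services\Tcpip\Parameters\Interfaces\<GUID>;
// `has` uses term matching, which is cheaper than `contains` on a large table
| where RegistryKey has "Tcpip" and RegistryKey has "Parameters"
| where RegistryValueName =~ "DhcpDomain"
| extend DhcpDomain = tolower(trim(@"\s+", RegistryValueData))
| where isnotempty(DhcpDomain)
// Generalises the "192." test: drop anything that is an IP literal rather than a DNS suffix
| where not(DhcpDomain matches regex @"^\d{1,3}(\.\d{1,3}){3}$")
// Single-label suffixes (home, lan, localdomain) are what home routers hand out; keep the original "." test
| where DhcpDomain contains "."
// Allowlist instead of a TLD exclusion: anything not ending in a trusted suffix is unfamiliar
| where not(DhcpDomain matches regex TrustedDhcpSuffixes)
// One row per device and suffix, so a device that joins hotel Wi-Fi daily does not flood the results
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Interfaces = dcount(RegistryKey), Hits = count()
    by DeviceId, DeviceName, DhcpDomain
| order by LastSeen desc
```

The allowlist regex anchors on a trailing `.suffix` or an exact match, so `corp.example.com.attacker.net` is not treated as trusted, which a plain `endswith` on the suffix would miss. Run it as a custom detection if you want the hits to feed a device-tagging or conditional-access workflow.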

Details


Sergio Albea

Released: July 4, 2024

Tables

DeviceRegistryEvents

Keywords

Devices, Users, Network Configuration, Security

Operators

contains, !contains, endswith, !endswith
