Query Details

Same Infected Files Detected In Multiple Devices

Query

**Find devices where multiple files were executed and they were detected as infected**

**Description:** This query helped me to identify devices where users are executing multiple infected files from the same device, and to contact them before the antivirus cannot respond to a specific new threat. The fileNames of the infected files are grouped, which helps to see what type of files are being used. 🕷

```kql
DeviceEvents
| where ActionType contains "antivirusdetection"
| summarize ['FileNames'] = make_set(FileName), total = count() by SHA1, SHA256, DeviceName, ActionType
| where total > 2
| sort by total
```

Explanation

This query is designed to identify devices where users have executed multiple infected files. Here's a simplified summary:

  1. Filter Events: It starts by filtering device events to only include those whose ActionType relates to antivirus detections.
  2. Group and Count: It then groups these events by the file's SHA1 and SHA256 hashes, the device name, and the action type, while also building a set of the distinct file names seen for that hash and counting the total number of detection events in each group.
  3. Filter for Repeated Detections: The query keeps only groups with more than two detections, i.e. a file hash that was detected more than twice on the same device.
  4. Sort Results: Finally, it sorts the results by the total number of detections.

In essence, this query helps to quickly identify devices with multiple antivirus detections, allowing for proactive measures to be taken before the antivirus software potentially misses a new threat.
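Because the original query groups by hash, one row is one file on one device; a device that ran several different infected files once each never exceeds the `total > 2` threshold. The following variant, added here and not part of the original page, counts distinct hashes per device so that "multiple infected files" means different files, and also collects the initiating accounts so the users can be contacted. It assumes the standard Defender XDR `DeviceEvents` schema (`Timestamp`, `InitiatingProcessAccountName`); the 7-day window, set sizes and threshold are arbitrary choices.

```kql
// Added example: devices with more than two distinct infected files in the last 7 days.
// Assumes the standard DeviceEvents schema; window, set sizes and threshold are illustrative.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType contains "antivirusdetection"
| where isnotempty(SHA1)
| summarize
    DistinctFiles = dcount(SHA1),          // different infected files, not repeat hits on one file
    Detections    = count(),               // total detection events on the device
    FileNames     = make_set(FileName, 50),
    Hashes        = make_set(SHA1, 50),
    Users         = make_set(InitiatingProcessAccountName, 10),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
    by DeviceName
| where DistinctFiles > 2
| sort by DistinctFiles desc, Detections desc
```

Comparing `DistinctFiles` with `Detections` separates a user repeatedly running one blocked file from a device accumulating several different detections, which is the case the description is after.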

Details

Sergio Albea

Released: July 4, 2024

Tables

DeviceEvents

Keywords

Devices

Operators

contains, summarize, make_set, count, by, where, sort by