Forum Discussion
DKTimGjerlufsen
Apr 03, 2020, Copper Contributor
WDATP Alert detection query
Hi Community, I really need some help trying to build this query correctly in KQL. The query reports users who have created files onto a drive that is not the local C:\ I try to detect and aler...
Joe Stocker
May 17, 2020, Bronze Contributor
DKTimGjerlufsen I was able to create a detection rule based on this KQL Query:
// USB mounts in the last day, with the drive letter the device was assigned
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "UsbDriveMount"
| project USBMountTime = Timestamp, DeviceId, AdditionalFields
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
// Correlate with file creations on the same device and the same drive letter
| join (
    DeviceFileEvents
    | where Timestamp > ago(1d)
    | where ActionType == "FileCreated"
    // Drive letter is the text before the first backslash of the folder path, e.g. "E:"
    | parse FolderPath with DriveLetter '\\' *
    | extend DriveLetter = tostring(DriveLetter)
  ) on DeviceId, DriveLetter
// Keep only files created within 15 minutes after the mount
| where (Timestamp - USBMountTime) between (0min .. 15min)
// Count distinct file hashes per device and 15-minute window, keeping the per-file details
| summarize DistinctFilesCopied = dcount(SHA1), Events = makeset(pack("AccountName", InitiatingProcessAccountName, "Timestamp", Timestamp, "ReportId", ReportId, "FileName", FileName, "AdditionalDriveProperties", AdditionalFields)) by DeviceId, bin(Timestamp, 15m)
| where DistinctFilesCopied > 10
// Expand back to one row per file so the rule output carries Timestamp, DeviceId and ReportId
| mv-expand Events
| extend Timestamp = Events.Timestamp, FileName = Events.FileName, AccountName = Events.AccountName, ReportId = Events.ReportId, AdditionalDriveProperties = Events.AdditionalDriveProperties
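The correlation the query performs, reimplemented as an added Python example (not Joe's code and not an MDE API) over constructed sample events, so the mount-to-file window, the drive-letter parsing and the distinct-hash threshold can be checked offline; field names mirror the KQL columns and all device ids, paths and hashes are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real MDE data), shaped like the two tables the KQL joins.
T0 = datetime(2020, 5, 17, 9, 0)
USB_MOUNTS = [
    {"Timestamp": T0, "DeviceId": "dev-a", "DriveLetter": "E:"},
    {"Timestamp": T0 + timedelta(hours=1), "DeviceId": "dev-b", "DriveLetter": "F:"},
]
FILE_EVENTS = (
    # dev-a: 12 distinct files onto E: five minutes after the mount, one of them written twice
    [{"Timestamp": T0 + timedelta(minutes=5), "DeviceId": "dev-a",
      "FolderPath": "E:\\Backup", "SHA1": f"hash{i:02d}"} for i in list(range(12)) + [3]]
    # dev-a: one file onto the local C: drive, one onto E: but 30 minutes after the mount
    + [{"Timestamp": T0 + timedelta(minutes=5), "DeviceId": "dev-a",
        "FolderPath": "C:\\Users\\tim", "SHA1": "hash99"},
       {"Timestamp": T0 + timedelta(minutes=30), "DeviceId": "dev-a",
        "FolderPath": "E:\\Backup", "SHA1": "hash98"}]
    # dev-b: only three files onto the mounted drive, below the threshold
    + [{"Timestamp": T0 + timedelta(hours=1, minutes=2), "DeviceId": "dev-b",
        "FolderPath": "F:\\", "SHA1": f"b{i}"} for i in range(3)]
)

def drive_letter(folder_path):
    """Same as `parse FolderPath with DriveLetter '\\' *`: text before the first backslash."""
    head, sep, _ = folder_path.partition("\\")
    return head if sep else None

def bin15(ts):
    """KQL bin(Timestamp, 15m): floor the timestamp to the start of its 15-minute slot."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)

def correlate(mounts, file_events, window=timedelta(minutes=15), threshold=10):
    """Join FileCreated events to a USB mount on the same device and drive letter, keep those
    created within `window` after the mount, and return {(DeviceId, 15m bin): distinct SHA1s}
    for the groups that exceed `threshold` (the KQL's DistinctFilesCopied > 10)."""
    mount_index = defaultdict(list)
    for m in mounts:
        mount_index[(m["DeviceId"], m["DriveLetter"])].append(m["Timestamp"])
    hashes = defaultdict(set)
    for ev in file_events:
        key = (ev["DeviceId"], drive_letter(ev["FolderPath"]))
        # any mount of that letter within the window qualifies (the join plus the time filter)
        if any(timedelta(0) <= ev["Timestamp"] - t <= window for t in mount_index.get(key, [])):
            hashes[(ev["DeviceId"], bin15(ev["Timestamp"]))].add(ev["SHA1"])
    return {k: len(v) for k, v in hashes.items() if len(v) > threshold}
```

With the sample data only dev-a trips the rule (12 distinct hashes in the 09:00 window); the C:\ write and the write 30 minutes after the mount are ignored, as in the query.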