Forum Discussion

William2450's avatar
William2450
Copper Contributor
Mar 28, 2024

KQL Query Help - Identify all devices without Sysmon running

I am working on a query to highlight devices within the environment that do not sysmon.exe running on them. There are several hundreds of devices in the environment and all of these should have sysmo...
William2450's avatar
William2450
Copper Contributor
Mar 29, 2024

rahuljindal Thanks for your response and suggestion. Modifying the query as suggested below shows. Any suggestions on which kql commands I can use to make the comparisons against all enrolled devices? I am quite new to KQL so learning as much as I can.

 

DeviceProcessEvents
| where FileName == "Sysmon.exe" or FileName == "Sysmon64.exe"
| project DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine

rahuljindal's avatar
rahuljindal
Bronze Contributor
Mar 29, 2024
Does this command give you any results? If yes, then export it and extract the devices names. Then pull the list of all the enrolled devices in Defender. You can do that using kql or just pull it directly from devices under asset management. Now with both the lists exported, you can do a vlookup and filter out the devices that were missing in the first list from the kql. Everything is manual and not really elegant way, but it should atleast get you started until you work out the kql.
  • William2450's avatar
    William2450
    Copper Contributor
    Mar 30, 2024

    rahuljindal Thanks for you response, I should have mentioned earlier that I am trying to set this up so it generates an alert anytime a device without the Sysmon service is observed.

     

    The command gives a result of devices with the Sysmon service. Any suggestions or ideas on how to do the compression with all enrolled devices using KQL is welcome.