Home
%3CLINGO-SUB%20id%3D%22lingo-sub-824808%22%20slang%3D%22en-US%22%3ERe%3A%20Advanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-824808%22%20slang%3D%22en-US%22%3E%3CP%3EQuestion%2C%3C%2FP%3E%3CP%3EI%20am%20not%20very%20proficient%20in%20this%20query%20language.%26nbsp%3B%20How%20would%20I%20modify%20the%20query%20to%20find%20exes%20that%20were%20launched%20from%20a%20usb%20drive%3F%26nbsp%3B%20I%20work%20for%20a%20school%20district%20and%20I%20am%20curious%20to%20see%20if%20students%20are%20able%20to%20launch%20programs%20that%20are%20not%20blocked%20by%20app%20locker.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-824922%22%20slang%3D%22en-US%22%3ERe%3A%20Advanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-824922%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20switch%20the%20file%20creation%20events%20with%20the%20process%20event%20table%20and%20have%20the%20initating%20process%20path%20starts%20with%20the%20same%20letter%20as%20the%20drive%20letter.%20Let%20me%20know%20if%20you%20managed%20to%20make%20it%20work-%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3EMiscEvents%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20where%20EventTime%20%26gt%3B%20ago(1d)%20%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20where%20ActionType%20%3D%3D%20%22UsbDriveMount%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20project%20USBMountTime%20%3D%20EventTime%2C%20MachineId%2C%20AdditionalFields%2C%20DriveLetter%20%3D%20tolower(tostring(todynamic(AdditionalFields).DriveLetter))%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20join%20(%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3EProcessCreationEvents%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20where%20EventTime%20%26gt%3B%20ago(1d)%20%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20where%20ActionType%20%3D%3D%20%22ProcessCreated%22%20%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20project%20FileName%2C%20MachineId%2C%20DriveLetter%20%3D%20substring(InitiatingProcessFolderPath%2C%200%2C2)%2C%20InitiatingProcessFolderPath%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E)%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Eon%20MachineId%2C%20DriveLetter%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-824930%22%20slang%3D%22en-US%22%3ERe%3A%20Advanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-824930%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20I%20will%20give%20it%20a%20go.%20I%20really%20appreciate%20your%20time%20and%20contributions!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-826094%22%20slang%3D%22en-US%22%3ERe%3A%20Advanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-826094%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Daniel%2C%20thanks%20for%20your%20post.%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20question%2C%20can%20we%20block%20any%20usb%20except%20a%20one%20usb%20type%3F%20for%20example%2C%20block%20any%20USB%20except%20a%20sandisk%20USB%20model%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-826297%22%20slang%3D%22en-US%22%3ERe%3A%20Advanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-826297%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F399449%22%20target%3D%22_blank%22%3E%40MartinPablo%3C%2FA%3E-%20you%20can%20acheive%20that%20using%20group%20policy%20using%20device%20ID%20strings.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fcc731387(v%3Dws.10%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2008-R2-and-2008%2Fcc731387(v%3Dws.10%3C%2FA%3E)%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-835982%22%20slang%3D%22en-US%22%3ERe%3A%20Advanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-835982%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20this%20require%20a%20specific%20Windows%20version%2C%20or%20is%20back%20ported%20to%20earlier%20versions%2C%20including%20LTSB%201607%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-874168%22%20slang%3D%22en-US%22%3ERe%3A%20Advanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-874168%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F136891%22%20target%3D%22_blank%22%3E%40Marco%20Schiffner%3C%2FA%3E%26nbsp%3BThese%20events%20are%20available%20only%20for%20RS6%20machines.%20Backporting%20will%20be%20supported%20in%20the%20future.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-824152%22%20slang%3D%22en-US%22%3EAdvanced%20hunting%20updates%3A%20USB%20events%2C%20machine-level%20actions%2C%20and%20schema%20changes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-824152%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20there%2C%20hunters!%20I%E2%80%99d%20like%20to%20share%20some%20of%20the%20work%20we%E2%80%99ve%20recently%20completed%20for%20advanced%20hunting%20on%20Microsoft%20Defender%20Advanced%20Threat%20Protection%20(Microsoft%20Defender%20ATP).%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EWe%E2%80%99ve%20added%20some%20exciting%20new%20events%20as%20well%20as%20new%20options%20for%20automated%20response%20actions%20based%20on%20your%20custom%20detections.%20We%20also%20have%20some%20changes%20to%20the%20schema%E2%80%94changes%20that%20will%20allow%20advanced%20hunting%20to%20scale%20and%20accommodate%20even%20more%20events%20and%20information%20types.%20%3CBR%20%2F%3EKeep%20on%20reading%20for%20the%20juicy%20details.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CFONT%20size%3D%225%22%20color%3D%22%23003366%22%3EFind%20threat%20activity%20involving%20USB%20devices%3C%2FFONT%3E%3CBR%20%2F%3EWe%E2%80%99ve%20added%20support%20for%20the%20following%20new%20action%20types%20in%20the%20MiscEvent%20table%2C%20so%20you%20can%20find%20events%20related%20to%20mounting%20and%20unmounting%20of%20USB%20drives%20as%20well%20as%20setting%20of%20drive%20letters%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUsbDriveMount%3C%2FLI%3E%0A%3CLI%3EUsbDriveUnmount%3C%2FLI%3E%0A%3CLI%3EUsbDriveDriveLetterChanged%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EChecking%20USB%20drive%20events%20can%20help%20you%20locate%20attempts%20to%20introduce%20malware%20or%20steal%20sensitive%20information%20through%20removable%20drives.%20Each%20of%20these%20action%20types%20include%20relevant%20contextual%20information%2C%20such%20as%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDrive%20letter%3C%2FLI%3E%0A%3CLI%3EBus%20type%3C%2FLI%3E%0A%3CLI%3EProduct%20name%20of%20the%20device%3C%2FLI%3E%0A%3CLI%3EProduct%20revision%3C%2FLI%3E%0A%3CLI%3ESerial%20number%3C%2FLI%3E%0A%3CLI%3EManufacturer%3C%2FLI%3E%0A%3CLI%3EVolume%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CEM%3EPlease%20keep%20in%20mind%20these%20events%20are%20available%20only%20for%20RS6%20machines.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%23003366%22%3EMore%20automated%20responses%20to%20custom%20detections%3C%2FFONT%3E%3CBR%20%2F%3E%3CEM%3EHave%20you%20ever%20wanted%20to%20automatically%20isolate%20a%20machine%20or%20run%20an%20antivirus%20scan%20in%20response%20to%20a%20custom%20detection%3F%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EIn%20addition%20to%20the%20current%20file-level%20actions%2C%20we%20just%20added%20support%20for%20a%20set%20of%20machine-level%20actions%20that%20can%20be%20taken%20automatically%20if%20a%20custom%20detection%20is%20triggered.%20You%20can%20now%20specify%20these%20actions%20when%20you%20create%20custom%20detection%20rules%2C%20or%20you%20can%20add%20them%20to%20your%20existing%20rules%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIsolate%20machine%20(new)%3C%2FLI%3E%0A%3CLI%3ECollect%20investigation%20package%20(new)%3C%2FLI%3E%0A%3CLI%3ERun%20antivirus%20scan%20(new)%3C%2FLI%3E%0A%3CLI%3EInitiate%20investigation%20(new)%3C%2FLI%3E%0A%3CLI%3EAllow%20%2F%20Block%20items%20by%20adding%20them%20to%20the%20indicator%20list%3C%2FLI%3E%0A%3CLI%3EQuarantine%20file%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%23003366%22%3ELet%E2%80%99s%20try%20them%20out%3C%2FFONT%3E%3CBR%20%2F%3ELet%E2%80%99s%20use%20the%20new%20USB%20events%20to%20create%20a%20custom%20detection%20rule%20that%20also%20leverages%20the%20new%20set%20of%20machine-level%20response%20actions.%3C%2FP%3E%0A%3CP%3EThe%20goal%20of%20this%20custom%20detection%20is%20to%20identify%20potentially%20malicious%20attempts%20to%20copy%20Word%20and%20PowerPoint%20files%20to%20a%20newly%20attached%20USB%20storage%20device.%20Once%20this%20activity%20is%20found%20on%20any%20machine%2C%20that%20machine%20should%20be%20automatically%20isolated%20from%20the%20network%20to%20suppress%20future%20exfiltration%20activity.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CFONT%20size%3D%224%22%20color%3D%22%23003366%22%3EFind%20possible%20exfiltration%20attempts%20via%20USB%3C%2FFONT%3E%3CBR%20%2F%3EThe%20following%20query%20finds%20attempts%20to%20copy%20at%20least%2010%20distinct%20documents%20within%2015%20minutes%20to%20a%20newly%20attached%20USB%20storage%20device.%20The%20query%20finds%20USB%20drive%20mounting%20events%20and%20extracts%20the%20assigned%20drive%20letter%20for%20each%20drive.%20It%20then%20finds%20file%20creation%20events%20on%20each%20drive%20letter%2C%20which%20maps%20to%20a%20freshly%20mounted%20USB%20device.%3CBR%20%2F%3ETry%20running%20the%20query%20by%20pasting%20it%20into%20the%20advanced%20hunting%20query%20editor.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-ruby%22%3E%3CCODE%3EMiscEvents%0A%7C%20where%20EventTime%20%26gt%3B%20ago(1d)%20%0A%7C%20where%20ActionType%20%3D%3D%20%22UsbDriveMount%22%0A%7C%20project%20USBMountTime%20%3D%20EventTime%2C%20MachineId%2C%20AdditionalFields%0A%7C%20extend%20DriveLetter%20%3D%20tostring(todynamic(AdditionalFields).DriveLetter)%0A%7C%20join%20(%0AFileCreationEvents%0A%7C%20where%20EventTime%20%26gt%3B%20ago(1d)%20%0A%7C%20where%20ActionType%20%3D%3D%20%22FileCreated%22%0A%7C%20where%20FileName%20endswith%20%22.docx%22%20or%20FileName%20endswith%20%22.pptx%22%0A%7C%20parse%20FolderPath%20with%20DriveLetter%20'%5C%5C'%20*%20%0A%7C%20extend%20DriveLetter%20%3D%20tostring(DriveLetter)%20%0A)%0Aon%20MachineId%2C%20DriveLetter%0A%7C%20where%20(EventTime%20-%20USBMountTime)%20between%20(0min%20..%2015min)%0A%7C%20summarize%20DistinctFilesCopied%20%3D%20dcount(SHA1)%2C%20Events%3Dmakeset(pack(%22AccountName%22%2C%20InitiatingProcessAccountName%2C%20%22EventTime%22%2C%20EventTime%2C%20%22ReportId%22%2C%20ReportId%2C%20%22FileName%22%2C%20FileName%2C%20%22AdditionalDriveProperties%22%2C%20AdditionalFields))%20by%20MachineId%2C%20bin(EventTime%2C%2015m)%20%0A%7C%20where%20DistinctFilesCopied%20%26gt%3B%2010%0A%7C%20mv-expand%20Events%0A%7C%20extend%20EventTime%20%3D%20Events.EventTime%2C%20FileName%20%3D%20Events.FileName%2C%20AccountName%20%3D%20Events.AccountName%2C%20ReportId%20%3D%20Events.ReportId%2C%20AdditionalDriveProperties%20%3D%20Events.AdditionalDriveProperties%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20698px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F128681i88E2579A50B18EAA%2Fimage-dimensions%2F698x405%3Fv%3D1.0%22%20width%3D%22698%22%20height%3D%22405%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CEM%3ERunning%20the%20query%20on%20advanced%20hunting%3C%2FEM%3E%3CBR%20%2F%3E%E2%80%83%3CBR%20%2F%3E%3CFONT%20size%3D%224%22%20color%3D%22%23003366%22%3ECreate%20a%20custom%20detection%20rule%20from%20the%20query%3C%2FFONT%3E%3CBR%20%2F%3EIf%20you%20ran%20the%20query%20successfully%2C%20create%20a%20new%20detection%20rule.%20Remember%20to%20select%20Isolate%20machine%20from%20the%20list%20of%20machine%20actions.%20This%20option%20automatically%20prevents%20machines%20with%20alerts%20from%20connecting%20to%20the%20network.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20319px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F128682iE3D7E73F1471EF8C%2Fimage-dimensions%2F319x515%3Fv%3D1.0%22%20width%3D%22319%22%20height%3D%22515%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ECreating%20a%20custom%20detection%20rule%20with%20isolate%20machine%20as%20a%20response%20action%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%3CFONT%20size%3D%225%22%20color%3D%22%23003366%22%3ESchema%20naming%20changes%20and%20deprecated%20columns%3C%2FFONT%3E%3CBR%20%2F%3EIn%20the%20following%20weeks%2C%20we%20plan%20to%20rename%20some%20tables%20and%20columns%2C%20allowing%20us%20to%20expand%20the%20naming%20convention%20and%20accommodate%20events%20from%20more%20sources.%20We%20are%20also%20deprecating%20a%20column%20that%20is%20rarely%20used%20and%20is%20not%20functioning%20optimally.%3CBR%20%2F%3E%E2%80%83%3CBR%20%2F%3E%3CFONT%20size%3D%224%22%20color%3D%22%23003366%22%3ENew%20%E2%80%9Cdevice%E2%80%9D%20prefix%20in%20table%20names%3C%2FFONT%3E%3CBR%20%2F%3EWe%20will%20broadly%20add%20a%20new%20prefix%20to%20the%20names%20of%20all%20tables%20that%20are%20populated%20using%20device-specific%20data.%20This%20will%20give%20way%20for%20other%20data%20sources.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%3CSTRONG%3EOld%20table%20name%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3E%3CSTRONG%3ENew%20table%20name%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EAlertEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EAlertEvents%20(unchanged)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EMachineInfo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceInfo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EMachineNetworkInfo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceNetworkInfo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EProcessCreationEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceProcessEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3ENetworkCommunicationEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceNetworkEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EFileCreationEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceFileEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3ERegistryEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceRegistryEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3ELogonEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceLogonEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EImageLoadEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceImageLoadEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EMiscEvents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%0A%3CP%3EDeviceEvents%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%3CBR%20%2F%3EWhile%20the%20old%20table%20names%20are%20in%20use%2C%20these%20new%20table%20names%20are%20already%20functional%20(i.e.%2C%20both%20sets%20of%20names%20are%20currently%20supported).%20In%20the%20upcoming%20weeks%2C%20when%20we%20start%20using%20the%20new%20names%20in%20the%20schema%20reference%20and%20documentation%2C%20the%20old%20names%20will%20continue%20to%20function.%20%3CEM%3EWe%20do%20advise%20updating%20queries%20as%20soon%20as%20possible.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%20color%3D%22%23003366%22%3ENew%20column%20names%3C%2FFONT%3E%3CBR%20%2F%3EWe%20are%20also%20renaming%20the%20following%20columns%20to%20ensure%20that%20their%20names%20remain%20meaningful%20when%20they%20are%20used%20across%20more%20tables.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20style%3D%22height%3A%20180px%3B%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22height%3A%2030px%3B%22%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3E%3CSTRONG%3EOld%20column%20name%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3E%3CSTRONG%3ENew%20column%20name%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22height%3A%2030px%3B%22%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3EEventTime%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3ETimestamp%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22height%3A%2030px%3B%22%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3EMachineId%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3EDeviceId%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22height%3A%2030px%3B%22%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3EComputerName%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3EDeviceName%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22height%3A%2030px%3B%22%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3ERegistryComputerTag%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3ERegistryDeviceTag%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%20style%3D%22height%3A%2030px%3B%22%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3ERemoteComputerName%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20style%3D%22height%3A%2030px%3B%20width%3A%20312.229px%3B%22%3E%0A%3CP%3ERemoteDeviceName%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%20color%3D%22%23003366%22%3EDeprecated%20column%3C%2FFONT%3E%3CBR%20%2F%3EThe%20rarely%20used%20column%20IsWindowsInfoProtectionApplied%20in%20the%20FileCreationEvents%20table%20will%20no%20longer%20be%20supported%20starting%20September%201%2C%202019.%20Saved%20queries%20that%20reference%20this%20column%20will%20return%20an%20error%2C%20unless%20edited%20manually%20to%20remove%20the%20reference.%3CBR%20%2F%3E--------------%3CBR%20%2F%3E%3CSTRONG%3EThat%20is%20all%20for%20my%20update%20this%20time.%20As%20always%2C%20please%20share%20your%20thoughts%20with%20us%20in%20the%20comment%20section%20below%20or%20use%20the%20feedback%20smileys%20in%20Microsoft%20Defender%20Security%20Center.%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-824152%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20there%2C%20hunters!%20I%E2%80%99d%20like%20to%20share%20some%20of%20the%20work%20we%E2%80%99ve%20recently%20completed%20for%20advanced%20hunting%20on%20Microsoft%20Defender%20Advanced%20Threat%20Protection%20(Microsoft%20Defender%20ATP).%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-824152%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20hunting%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Hello there, hunters! I’d like to share some of the work we’ve recently completed for advanced hunting on Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).


We’ve added some exciting new events as well as new options for automated response actions based on your custom detections. We also have some changes to the schema—changes that will allow advanced hunting to scale and accommodate even more events and information types.
Keep on reading for the juicy details.


Find threat activity involving USB devices
We’ve added support for the following new action types in the MiscEvent table, so you can find events related to mounting and unmounting of USB drives as well as setting of drive letters:

  • UsbDriveMount
  • UsbDriveUnmount
  • UsbDriveDriveLetterChanged

Checking USB drive events can help you locate attempts to introduce malware or steal sensitive information through removable drives. Each of these action types include relevant contextual information, such as:

  • Drive letter
  • Bus type
  • Product name of the device
  • Product revision
  • Serial number
  • Manufacturer
  • Volume

Please keep in mind these events are available only for RS6 machines.

 

More automated responses to custom detections
Have you ever wanted to automatically isolate a machine or run an antivirus scan in response to a custom detection?


In addition to the current file-level actions, we just added support for a set of machine-level actions that can be taken automatically if a custom detection is triggered. You can now specify these actions when you create custom detection rules, or you can add them to your existing rules:

 

  • Isolate machine (new)
  • Collect investigation package (new)
  • Run antivirus scan (new)
  • Initiate investigation (new)
  • Allow / Block items by adding them to the indicator list
  • Quarantine file

Let’s try them out
Let’s use the new USB events to create a custom detection rule that also leverages the new set of machine-level response actions.

The goal of this custom detection is to identify potentially malicious attempts to copy Word and PowerPoint files to a newly attached USB storage device. Once this activity is found on any machine, that machine should be automatically isolated from the network to suppress future exfiltration activity.


Find possible exfiltration attempts via USB
The following query finds attempts to copy at least 10 distinct documents within 15 minutes to a newly attached USB storage device. The query finds USB drive mounting events and extracts the assigned drive letter for each drive. It then finds file creation events on each drive letter, which maps to a freshly mounted USB device.
Try running the query by pasting it into the advanced hunting query editor.

 

 

 

MiscEvents
| where EventTime > ago(1d) 
| where ActionType == "UsbDriveMount"
| project USBMountTime = EventTime, MachineId, AdditionalFields
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join (
FileCreationEvents
| where EventTime > ago(1d) 
| where ActionType == "FileCreated"
| where FileName endswith ".docx" or FileName endswith ".pptx"
| parse FolderPath with DriveLetter '\\' * 
| extend DriveLetter = tostring(DriveLetter) 
)
on MachineId, DriveLetter
| where (EventTime - USBMountTime) between (0min .. 15min)
| summarize DistinctFilesCopied = dcount(SHA1), Events=makeset(pack("AccountName", InitiatingProcessAccountName, "EventTime", EventTime, "ReportId", ReportId, "FileName", FileName, "AdditionalDriveProperties", AdditionalFields)) by MachineId, bin(EventTime, 15m) 
| where DistinctFilesCopied > 10
| mv-expand Events
| extend EventTime = Events.EventTime, FileName = Events.FileName, AccountName = Events.AccountName, ReportId = Events.ReportId, AdditionalDriveProperties = Events.AdditionalDriveProperties

 

 

 

clipboard_image_0.png


Running the query on advanced hunting

Create a custom detection rule from the query
If you ran the query successfully, create a new detection rule. Remember to select Isolate machine from the list of machine actions. This option automatically prevents machines with alerts from connecting to the network.

clipboard_image_1.png

Creating a custom detection rule with isolate machine as a response action


Schema naming changes and deprecated columns
In the following weeks, we plan to rename some tables and columns, allowing us to expand the naming convention and accommodate events from more sources. We are also deprecating a column that is rarely used and is not functioning optimally.

New “device” prefix in table names
We will broadly add a new prefix to the names of all tables that are populated using device-specific data. This will give way for other data sources.

 

Old table name

New table name

AlertEvents

AlertEvents (unchanged)

MachineInfo

DeviceInfo

MachineNetworkInfo

DeviceNetworkInfo

ProcessCreationEvents

DeviceProcessEvents

NetworkCommunicationEvents

DeviceNetworkEvents

FileCreationEvents

DeviceFileEvents

RegistryEvents

DeviceRegistryEvents

LogonEvents

DeviceLogonEvents

ImageLoadEvents

DeviceImageLoadEvents

MiscEvents

DeviceEvents

 


While the old table names are in use, these new table names are already functional (i.e., both sets of names are currently supported). In the upcoming weeks, when we start using the new names in the schema reference and documentation, the old names will continue to function. We do advise updating queries as soon as possible.

 

New column names
We are also renaming the following columns to ensure that their names remain meaningful when they are used across more tables.

 

Old column name

New column name

EventTime

Timestamp

MachineId

DeviceId

ComputerName

DeviceName

RegistryComputerTag

RegistryDeviceTag

RemoteComputerName

RemoteDeviceName

 

Deprecated column
The rarely used column IsWindowsInfoProtectionApplied in the FileCreationEvents table will no longer be supported starting September 1, 2019. Saved queries that reference this column will return an error, unless edited manually to remove the reference.
--------------
That is all for my update this time. As always, please share your thoughts with us in the comment section below or use the feedback smileys in Microsoft Defender Security Center.

7 Comments
Occasional Contributor

Question,

I am not very proficient in this query language.  How would I modify the query to find exes that were launched from a usb drive?  I work for a school district and I am curious to see if students are able to launch programs that are not blocked by app locker.

Microsoft

Just switch the file creation events with the process event table and have the initating process path starts with the same letter as the drive letter. Let me know if you managed to make it work-

 

MiscEvents
| where EventTime > ago(1d)
| where ActionType == "UsbDriveMount"
| project USBMountTime = EventTime, MachineId, AdditionalFields, DriveLetter = tolower(tostring(todynamic(AdditionalFields).DriveLetter))
| join (
ProcessCreationEvents
| where EventTime > ago(1d)
| where ActionType == "ProcessCreated"
| project FileName, MachineId, DriveLetter = substring(InitiatingProcessFolderPath, 0,2), InitiatingProcessFolderPath
)
on MachineId, DriveLetter
Occasional Contributor

Thanks, I will give it a go. I really appreciate your time and contributions!

Occasional Visitor

Hi Daniel, thanks for your post. 

One question, can we block any usb except a one usb type? for example, block any USB except a sandisk USB model

New Contributor
Senior Member

Does this require a specific Windows version, or is back ported to earlier versions, including LTSB 1607?

 

Thanks

Microsoft

@Marco Schiffner These events are available only for RS6 machines. Backporting will be supported in the future.