Hi Guys,
i have build a KQL code for MATP Hunting but i need some help, for now i can classify between a Realtek USB WiFi driver and the Lan Turtle... But i also want to report IP Address & Port its assigning to the Lan Turtle Device, here is my code below, and a screen shots what i can see for now
Kusto Code (KQL)
MiscEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend
DeviceDescription=tostring(parsed.DeviceDescription),
ClassName=tostring(parsed.ClassName)
| where
ClassName contains "Net" and DeviceDescription contains "Realtek USB FE Family Controller"
| summarize ComputerCount=dcount(ComputerName) by ClassName, DeviceDescription, ComputerName
please see attached picture..
here is the drivers it uses, in event viewer
Device Install Requested
Device USB\VID_0BDA&PID_8152\00E04C365BD5 requires further installation.
Driver Name: rtux64w10.inf
Device USB\VID_0BDA&PID_8152\00E04C365BD5 was configured.
Driver Name: rtux64w10.inf
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Driver Date: 09/20/2015
Driver Version: 10.5.920.2015
Driver Provider: Microsoft
Driver Section: RTL8152B.ndi.NT
Driver Rank: 0xFF0000
Matching Device Id: USB\VID_0BDA&PID_8152&REV_2000
Outranked Drivers: rtux64w10.inf:USB\VID_0BDA&PID_8152:00FF0001
Device Updated: false
Parent Device: USB\VID_045E&PID_0944\6&15ba3093&0&1
Driver Management concluded the process to install driver rtux64w10.inf_amd64_d6132e4c7fe2fac6 for Device Instance ID USB\VID_0BDA&PID_8152\00E04C365BD5 with the following status: 0x0.
