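// USB threat statistics by drive letter.
//
// For every device that raised an Antivirus/EDR alert in the last 180 days
// whose evidence path is outside the C:\ volume, keep the device's latest
// such alert and count devices per drive letter. The pie chart therefore
// shows "number of devices" per drive letter, not alert volume.
//
// Caveats a responder should keep in mind:
//   - "Not C:\" is a proxy for removable media, not proof of it. Secondary
//     internal partitions (D:, E:), mapped network drives and hosts whose
//     system volume is not C: all pass this filter. Corroborate with device
//     / USB-insertion telemetry before treating a slice as a USB incident.
//   - startswith is case-insensitive in KQL, so "c:\" paths are excluded too.
//   - UNC paths (\\server\share) yield an empty first segment and are dropped
//     by the "endswith ':'" check below.
AlertInfo
| where Timestamp > ago(180d)
    and DetectionSource in ("Antivirus", "EDR")
// Default join kind (innerunique) keeps one AlertInfo row per AlertId; the
// AlertEvidence rows supply FolderPath and the host details used below.
| join AlertEvidence on AlertId
| where isnotempty(FolderPath) and FolderPath !startswith @"C:\" // anything outside the system volume
| extend AdditionalFields = parse_json(AdditionalFields)
// Host details are read from AdditionalFields.Host.* when that object is
// present, otherwise from the top-level HostName / MachineId properties.
| extend DeviceName = iff(isempty(AdditionalFields.Host), AdditionalFields.HostName, AdditionalFields.Host.HostName)
| extend MachineId = iff(isempty(AdditionalFields.Host), AdditionalFields.MachineId, AdditionalFields.Host.MachineId)
// First path segment, upper-cased so "d:" and "D:" land in the same bucket.
| extend DriveLetter = toupper(tostring(split(FolderPath, @"\")[0]))
// | extend Malware = tostring(split(Title, @"'")[1]) // malware name
| where DriveLetter endswith ":" // drop UNC and malformed paths
// Latest alert per device. NOTE(review): every row with an empty DeviceName
// collapses into one group here and is counted as a single device; confirm
// the host fields are always populated, or add `| where isnotempty(DeviceName)`.
| summarize arg_max(Timestamp, *) by tostring(DeviceName)
// count() takes no argument in KQL; DriveLetter is already non-empty here.
| summarize Total = count() by DriveLetter
| sort by Total // descending by default
| render piechart;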