
Decode VolumeDeviceCharacteristics Bitmask

The query decodes the VolumeDeviceCharacteristics bitfield to reveal device properties such as removable media, network drives, virtual volumes, or portable devices. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20VolumeDeviceCharacteristics%20Bitmask.md)

Detection Query

| bitfield:extractFlags(
    field=VolumeDeviceCharacteristics,
    output=[
      [0,FILE_REMOVABLE_MEDIA],
      [1,FILE_READ_ONLY_DEVICE],
      [2,FILE_FLOPPY_DISKETTE],
      [3,FILE_WRITE_ONCE_MEDIA],
      [4,FILE_REMOTE_DEVICE],
      [5,FILE_DEVICE_IS_MOUNTED],
      [6,FILE_VIRTUAL_VOLUME],
      [7,FILE_AUTOGENERATED_DEVICE_NAME],
      [8,FILE_DEVICE_SECURE_OPEN],
      [9,FILE_CHARACTERISTIC_PNP_DEVICE],
      [10,FILE_CHARACTERISTIC_TS_DEVICE],
      [11,FILE_CHARACTERISTIC_WEBDAV_DEVICE],
      [12,FILE_CHARACTERISTIC_CSV],
      [13,FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL],
      [14,FILE_PORTABLE_DEVICE]
    ])
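A stand-alone decoder for the same bit layout, added here as an example and not code from the CrowdStrike repository: it reproduces what bitfield:extractFlags emits (one boolean per named bit) and additionally reports any set bits the query does not name, so a partially explained value is visible. The bit positions are the ones in the query above; confirm them against the field's documented encoding before relying on the decode.

```python
# Added reference decoder; not part of the CrowdStrike query page.
# Bit positions are copied verbatim from the query's output=[...] list;
# confirm them against the field's documented encoding before relying on them.
VOLUME_DEVICE_FLAGS = {
    0: "FILE_REMOVABLE_MEDIA",
    1: "FILE_READ_ONLY_DEVICE",
    2: "FILE_FLOPPY_DISKETTE",
    3: "FILE_WRITE_ONCE_MEDIA",
    4: "FILE_REMOTE_DEVICE",
    5: "FILE_DEVICE_IS_MOUNTED",
    6: "FILE_VIRTUAL_VOLUME",
    7: "FILE_AUTOGENERATED_DEVICE_NAME",
    8: "FILE_DEVICE_SECURE_OPEN",
    9: "FILE_CHARACTERISTIC_PNP_DEVICE",
    10: "FILE_CHARACTERISTIC_TS_DEVICE",
    11: "FILE_CHARACTERISTIC_WEBDAV_DEVICE",
    12: "FILE_CHARACTERISTIC_CSV",
    13: "FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL",
    14: "FILE_PORTABLE_DEVICE",
}

def parse_field_value(raw):
    """Accept the field as an int, a decimal string, or a 0x-prefixed hex string."""
    if isinstance(raw, int):
        return raw
    text = str(raw).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def extract_flags(raw):
    """Mimic bitfield:extractFlags: one boolean per named bit.

    Also returns any set bits the query does not name, so a value the
    decode only partially explains is visible rather than silently dropped.
    """
    value = parse_field_value(raw)
    flags = {name: bool(value >> bit & 1) for bit, name in VOLUME_DEVICE_FLAGS.items()}
    named_mask = sum(1 << bit for bit in VOLUME_DEVICE_FLAGS)
    return flags, value & ~named_mask

def set_flag_names(raw):
    """Names of the flags that are set, in bit order (a compact summary field)."""
    flags, _ = extract_flags(raw)
    return [name for name, is_set in flags.items() if is_set]

if __name__ == "__main__":
    # Constructed sample values: 0x31 = removable + remote + mounted.
    for sample in ("0x31", 64, "8193", 0x100000):
        names, (_, unknown) = set_flag_names(sample), extract_flags(sample)
        extra = f"  [unnamed bits: {unknown:#x}]" if unknown else ""
        print(f"{sample!s:>8} -> {', '.join(names) or '(none)'}{extra}")
```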

Author

CrowdStrike

Data Sources

Endpoint

Platforms

windows, linux

Tags

Hunting, cs_module:Insight