kqlHunting

Monitor DLLs by Signer

Groups every DLL loaded across the fleet by the Authenticode signer recorded in DeviceFileCertificateInfo, so that unsigned DLLs and DLLs from rare or unexpected signers stand out for review. The query is written for Microsoft Sentinel (TimeGenerated, 90-day lookback); when run in Defender advanced hunting without Sentinel, shorten the lookback to 30d, which is that portal's retention limit, and use Timestamp instead of TimeGenerated.

Detection Query

DeviceImageLoadEvents
| where TimeGenerated > ago(90d) // Defender advanced hunting without Sentinel: use Timestamp and at most ago(30d)
| where FileName endswith ".dll"
// DeviceFileCertificateInfo holds one row per device that saw the certificate; reduce it to one row per hash or every load is multiplied by the join
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize Signer = take_any(Signer), IsSigned = take_any(IsSigned), IsTrusted = take_any(IsTrusted) by SHA1
) on SHA1
// leftouter keeps DLLs with no certificate record; label them so they group together instead of under an empty signer
| extend Signer = iff(isempty(Signer), "<unsigned or no certificate record>", Signer)
| summarize DllNames = make_set(FileName), DeviceCount = dcount(DeviceId) by Signer, IsTrusted
| order by DeviceCount asc
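
The signer summary above answers "who signs the DLLs we load", but a hunter usually wants the next step: which DLLs are unsigned, untrusted, or signed by a signer that only a handful of devices have ever loaded, and which process loaded them from where. The query below is an added example written for this page, not part of the kqlHunting entry; it assumes the standard Microsoft 365 Defender advanced hunting schema (DeviceImageLoadEvents with DeviceId, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessFileName; DeviceFileCertificateInfo with SHA1, Signer, IsSigned, IsTrusted, IsRootSignerMicrosoft), and the `lookback`, `rareSignerDeviceThreshold` values and the folder list are illustrative choices, not anything the page specifies.

```kql
// Added example, not from the kqlHunting page. Surfaces DLLs loaded from user-writable
// paths that are unsigned, untrusted, or carry a signer seen on few devices.
// Written for Sentinel (TimeGenerated); in the Defender portal use Timestamp and <= 30d.
let lookback = 30d;                       // assumed value
let rareSignerDeviceThreshold = 3;        // assumed value: signers seen on <= 3 devices are "rare"
// One row per file hash. The certificate table has a row per device that observed the
// certificate, and it is not time-filtered here so an old record still resolves a new load.
let certs = DeviceFileCertificateInfo
    | summarize Signer = take_any(Signer), IsSigned = take_any(IsSigned),
                IsTrusted = take_any(IsTrusted),
                IsRootSignerMicrosoft = take_any(IsRootSignerMicrosoft) by SHA1;
let loads = DeviceImageLoadEvents
    | where TimeGenerated > ago(lookback)
    | where FileName endswith ".dll"
    // assumed folder list: user-writable locations where dropped or sideloaded DLLs usually live
    | where FolderPath has_any (@"\Users\", @"\ProgramData\", @"\Temp\", @"\AppData\")
    | join kind=leftouter certs on SHA1
    | extend Signer = iff(isempty(Signer), "<unsigned or no certificate record>", Signer);
// Fleet-wide prevalence of each signer, computed over the same filtered loads.
let signerPrevalence = loads
    | summarize SignerDeviceCount = dcount(DeviceId) by Signer;
loads
| join kind=inner signerPrevalence on Signer
// coalesce: unmatched leftouter rows have null IsSigned/IsTrusted, and "null != true" is not true in KQL
| where coalesce(IsSigned, false) == false
     or coalesce(IsTrusted, false) == false
     or SignerDeviceCount <= rareSignerDeviceThreshold
| summarize LoadCount = count(), DeviceCount = dcount(DeviceId),
            Devices = make_set(DeviceName, 10),
            LoadingProcesses = make_set(InitiatingProcessFileName, 10),
            Paths = make_set(FolderPath, 10)
        by SHA1, FileName, Signer, IsSigned, IsTrusted, IsRootSignerMicrosoft, SignerDeviceCount
| order by SignerDeviceCount asc, LoadCount desc
```

Read the output bottom-up from the signer column: a well-known signer on two devices is usually a new software rollout, while an unsigned DLL in a user profile loaded by a signed business application is the classic sideloading shape and worth pivoting on the SHA1 in DeviceFileEvents. Expect IsTrusted to be false for legitimately self-signed internal tooling, so tune the threshold and folder list to your estate before alerting on this.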

Data Sources

DeviceImageLoadEvents

Platforms

windows
azure-sentinel

Tags

defender
hunting