Potentially Unsanctioned Application Usage
This query looks for potentially unwanted applications by matching process names in DeviceProcessEvents. Matching by name alone is limited, but it is fast enough for a quick first-pass check.
Detection Query
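// This query looks for application names that may be unwanted using Process Name in DeviceProcessEvents. Searching by name is limited but can be fast for a quick check
// NOTE(review): the deny list is fetched at query time from a branch ref (refs/heads/main) of an external repository,
// so the detection's coverage changes whenever that file changes and every run performs an outbound fetch.
// Pin the URL to a specific commit, or mirror the list into a watchlist/internal table, before relying on this as a scheduled detection.
let DisallowedProcessNames = externaldata (DisallowedProcess: string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/DisallowedProcessList.txt'] with (format=txt);
DeviceProcessEvents
| where TimeGenerated > ago(90d)
// FileName is compared with an exact case-insensitive match (in~); the parent process uses term matching (has_any), which is looser.
// Command-line matching is commented out by the author; enabling it widens the search to process arguments.
| where FileName in~ (DisallowedProcessNames) or InitiatingProcessFileName has_any (DisallowedProcessNames) // or InitiatingProcessCommandLine has_any (DisallowedProcessNames)
// VT_hash is a lookup link built from the event's SHA1; it is empty when no hash was recorded.
| extend VT_hash = iff(isnotempty(SHA1), strcat(@"https://www.virustotal.com/gui/file/", SHA1), SHA1)
// Keep the grouping coarse, but carry the device spread and a few VT links so a hit can be triaged without a second query
// (the original computed VT_hash and then dropped it here).
| summarize count(), Devices = dcount(DeviceId), VT_links = make_set(VT_hash, 5) by FileName, InitiatingProcessFileName, ProcessVersionInfoCompanyName // ProcessCommandLine
Data Sources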
DeviceProcessEvents
Platforms
windows
Tags
defenderioc
Raw Content
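// This query looks for application names that may be unwanted using Process Name in DeviceProcessEvents. Searching by name is limited but can be fast for a quick check
// NOTE(review): the deny list is fetched at query time from a branch ref (refs/heads/main) of an external repository,
// so the detection's coverage changes whenever that file changes and every run performs an outbound fetch.
// Pin the URL to a specific commit, or mirror the list into a watchlist/internal table, before relying on this as a scheduled detection.
let DisallowedProcessNames = externaldata (DisallowedProcess: string) [@'https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/Intune/DisallowedProcessList.txt'] with (format=txt);
DeviceProcessEvents
| where TimeGenerated > ago(90d)
// FileName is compared with an exact case-insensitive match (in~); the parent process uses term matching (has_any), which is looser.
// Command-line matching is commented out by the author; enabling it widens the search to process arguments.
| where FileName in~ (DisallowedProcessNames) or InitiatingProcessFileName has_any (DisallowedProcessNames) // or InitiatingProcessCommandLine has_any (DisallowedProcessNames)
// VT_hash is a lookup link built from the event's SHA1; it is empty when no hash was recorded.
| extend VT_hash = iff(isnotempty(SHA1), strcat(@"https://www.virustotal.com/gui/file/", SHA1), SHA1)
// Keep the grouping coarse, but carry the device spread and a few VT links so a hit can be triaged without a second query
// (the original computed VT_hash and then dropped it here).
| summarize count(), Devices = dcount(DeviceId), VT_links = make_set(VT_hash, 5) by FileName, InitiatingProcessFileName, ProcessVersionInfoCompanyName // ProcessCommandLine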