
Detect Banned Files Written to Computer Using KQL in VMware Carbon Black App Control

This KQL query detects banned files written to computers, using the security events that VMware Carbon Black App Control logs to Microsoft Sentinel. It filters those events for the activity "Banned file written to computer" and surfaces key details such as time, host, user, and file path. Leveraging Kusto Query Language (KQL) enables efficient, scalable detection and monitoring of risky file activity across your environment.

Risk

Adversaries often rely on users opening malicious files to achieve code execution. Social engineering techniques trick users into opening weaponized files, typically seen as follow-on activity from spearphishing attachments. Malicious file types commonly involved include .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Detecting banned file writes early helps prevent execution of harmful payloads and limits breach impact.

Query

Microsoft Sentinel

CommonSecurityLog
| where DeviceVendor == "VMware Carbon Black"
| where DeviceProduct == "App Control"
| where Activity == "Banned file written to computer"
| project TimeGenerated, DestinationHostName, DestinationIP, DestinationUserName, FilePath, FileName

About this query:

This query filters CommonSecurityLog records from VMware Carbon Black App Control to identify when banned files are written to endpoints. It projects useful details such as the timestamp, affected host, IP address, user, and exact file location, giving security analysts clear indicators for investigation and response. Because the three where clauses match exact strings, the vendor, product, and activity values must appear in the log exactly as the connector populates them.
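As an added example (not code from the original post), the same three filters and projection applied in Python to a few constructed CEF lines, with the CEF header and extension keys mapped to the CommonSecurityLog columns the query uses (Name to Activity, dhost to DestinationHostName, dst to DestinationIP, duser to DestinationUserName, filePath to FilePath, fname to FileName). The sample lines are constructed, the parser ignores CEF escape sequences, and the assumption that App Control populates exactly these extension keys is mine, not taken from the page.

```python
import re
from typing import Dict, List

# CEF extension keys -> CommonSecurityLog column names used by the KQL query.
# These are standard CEF keys; that App Control fills exactly these is an assumption.
# TimeGenerated is set at collection time in Sentinel; rt stands in for it here.
EXT_TO_COLUMN = {
    "dhost": "DestinationHostName",
    "dst": "DestinationIP",
    "duser": "DestinationUserName",
    "filePath": "FilePath",
    "fname": "FileName",
    "rt": "TimeGenerated",
}

PROJECTED = ["TimeGenerated", "DestinationHostName", "DestinationIP",
             "DestinationUserName", "FilePath", "FileName"]

# Constructed sample events (not real App Control output): one true hit,
# one benign App Control event, one matching activity from a different vendor.
SAMPLE_LOG = [
    "CEF:0|VMware Carbon Black|App Control|8.9|801|Banned file written to computer|7|"
    "rt=2024-05-01T10:15:00Z dhost=WS-042 dst=10.0.5.42 duser=alice "
    "filePath=C:\\Users\\alice\\Downloads fname=invoice.scr",
    "CEF:0|VMware Carbon Black|App Control|8.9|802|File approved|3|"
    "rt=2024-05-01T10:16:00Z dhost=WS-042 dst=10.0.5.42 duser=alice "
    "filePath=C:\\Program Files fname=setup.exe",
    "CEF:0|Other Vendor|App Control|1.0|1|Banned file written to computer|7|"
    "rt=2024-05-01T10:17:00Z dhost=WS-099 dst=10.0.5.99 duser=bob filePath=C:\\Temp fname=a.exe",
]


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into header fields plus extension key/values (no escape handling)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    event = {"DeviceVendor": parts[1], "DeviceProduct": parts[2], "Activity": parts[5]}
    # Extension values may contain spaces; a value ends where the next "key=" begins.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        event[EXT_TO_COLUMN.get(m.group(1), m.group(1))] = m.group(2)
    return event


def banned_file_writes(lines: List[str]) -> List[Dict[str, str]]:
    """Python equivalent of the query: three exact-match 'where' filters, then 'project'."""
    hits = []
    for event in map(parse_cef, lines):
        if (event.get("DeviceVendor") == "VMware Carbon Black"
                and event.get("DeviceProduct") == "App Control"
                and event.get("Activity") == "Banned file written to computer"):
            hits.append({col: event.get(col, "") for col in PROJECTED})
    return hits


if __name__ == "__main__":
    for hit in banned_file_writes(SAMPLE_LOG):
        print(hit)
```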
