
Detect Malicious Files Using KQL in VMware Carbon Black App Control

Using KQL (Kusto Query Language), you can efficiently identify malicious files detected by VMware Carbon Black App Control. This query filters security logs to list incidents where malicious files triggered alerts, helping security teams quickly pinpoint threats based on file attributes like name, path, and user activity. Monitoring these detections aids in early identification of potentially harmful files executed within your environment.

Risk

An attacker often depends on tricking users into opening malicious files to execute harmful code. Social engineering tactics, such as spearphishing attachments, typically lead to these user-initiated actions. The malicious files can come in various forms, including but not limited to .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl file types. Once executed, these files may compromise system security or allow adversaries to escalate their access.

Query

Microsoft Sentinel

```kusto
CommonSecurityLog
| where DeviceVendor == "VMware Carbon Black"
| where DeviceProduct == "App Control"
| where Activity == "Malicious file detected"
| project TimeGenerated, DestinationHostName, DestinationIP, DestinationUserName, FilePath, FileName
```

About this query:

This query scans the common security logs in Microsoft Sentinel to isolate events where VMware Carbon Black App Control reports a malicious file detection. The projected columns provide timestamps, affected hosts, IP addresses, usernames, and specific file details to aid in incident investigation.
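The following is an added example, not part of the original post, that builds on the query above to rank hosts and users by detection volume and to flag whether the detected file carries one of the user-opened document types listed in the Risk section. It assumes the same CommonSecurityLog columns as the query above; the 7-day window, the RiskyExtensions list, and the regex-based FileExtension field are choices made for this example.

```kusto
// Added example: pivot from individual detections to per-host / per-user prevalence.
// RiskyExtensions mirrors the file types named in the Risk section (assumption: adjust to your environment).
let RiskyExtensions = dynamic(["doc", "pdf", "xls", "rtf", "scr", "exe", "lnk", "pif", "cpl"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)                              // look-back window (assumption)
| where DeviceVendor == "VMware Carbon Black"
| where DeviceProduct == "App Control"
| where Activity == "Malicious file detected"
// Pull the lowercase extension from the file name; empty string if the name has none.
| extend FileExtension = tolower(extract(@"\.([A-Za-z0-9]+)$", 1, FileName))
| extend IsUserOpenedType = FileExtension in (RiskyExtensions)
| summarize Detections    = count(),
            DistinctFiles = dcount(FileName),
            SampleFiles   = make_set(FileName, 5),          // up to 5 example file names
            SamplePaths   = make_set(FilePath, 5),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
    by DestinationHostName, DestinationIP, DestinationUserName, IsUserOpenedType
// Surface hosts with repeated detections first; a single user with many distinct
// flagged files is a stronger signal of a phishing-style delivery than one blocked file.
| order by Detections desc, DistinctFiles desc
```

Lower the implicit threshold by adding a `| where Detections >= 3` line if you only want to triage hosts with repeated hits.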
