
Detect Suspicious Files with VMware Carbon Black Using KQL Query

This KQL query surfaces files that VMware Carbon Black App Control has flagged as suspicious, so analysts can pinpoint potentially risky files before they lead to malicious code execution. By keying on the connector's "Suspicious file found" event and grouping by host, process and file path, the query supports both proactive threat hunting and incident response.

Risk

Adversaries often rely on social engineering to trick users into opening malicious files, which then execute harmful code on their systems. These files commonly come in formats such as .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. This attack vector is frequently observed following spearphishing campaigns, where the user action of opening the file triggers further malicious behavior.

Query

Microsoft Sentinel

Kusto
CommonSecurityLog
// Keep only events from the Carbon Black App Control connector (CEF header vendor/product).
| where DeviceVendor == "VMware Carbon Black"
| where DeviceProduct == "App Control"
// Activity carries the CEF event name; == is case-sensitive, use =~ if casing varies in your feed.
| where Activity == "Suspicious file found"
// One row per host/process/file combination, with how often the event fired.
| summarize Count=count() by DestinationHostName, Activity, ProcessName, FilePath

About this query:

This KQL query reads the VMware Carbon Black App Control events that the CEF connector lands in the CommonSecurityLog table of Microsoft Sentinel, keeps only those whose Activity is "Suspicious file found", and then groups the matches by host, activity, process and file path, returning a count per combination so repeated hits on the same file stand out. The string comparisons use ==, which is case-sensitive, so confirm the exact DeviceVendor, DeviceProduct and Activity values your connector emits before relying on the rule. When hunting interactively rather than running the query as a scheduled analytics rule, bound it to a time window, since CommonSecurityLog can be large.
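To check the detection logic without a Sentinel workspace, the following Python re-implements the query's filter and summarize steps over a handful of constructed CEF lines, and adds the extra step the Risk section suggests: narrowing the results to the file types commonly used as spearphishing payloads. This is an added example, not code from the original page or from VMware; the sample log lines are made up, and the mapping of CEF keys (dhost, sproc, filePath) onto the CommonSecurityLog columns the query uses is a simplified assumption that you should verify against your connector's schema.

```python
import re
from collections import Counter

# File types the Risk section lists as common spearphishing payloads.
RISKY_EXTENSIONS = {".doc", ".pdf", ".xls", ".rtf", ".scr", ".exe", ".lnk", ".pif", ".cpl"}

# Columns the Sentinel query groups on (summarize ... by).
GROUP_BY = ("DestinationHostName", "Activity", "ProcessName", "FilePath")

# Constructed sample CEF lines for this example (not real App Control output).
# Header layout: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extensions
SAMPLE_CEF_LINES = [
    r"CEF:0|VMware Carbon Black|App Control|8.9|1001|Suspicious file found|7|dhost=WS01 sproc=outlook.exe filePath=C:\\Users\\alice\\Downloads\\invoice.pdf",
    r"CEF:0|VMware Carbon Black|App Control|8.9|1001|Suspicious file found|7|dhost=WS01 sproc=outlook.exe filePath=C:\\Users\\alice\\Downloads\\invoice.pdf",
    r"CEF:0|VMware Carbon Black|App Control|8.9|1002|File approved|3|dhost=WS01 sproc=msiexec.exe filePath=C:\\Windows\\Temp\\agent.msi",
    r"CEF:0|Other Vendor|Other Product|1.0|42|Suspicious file found|5|dhost=WS01 sproc=chrome.exe filePath=C:\\Users\\alice\\Downloads\\tool.exe",
    r"CEF:0|VMware Carbon Black|App Control|8.9|1001|Suspicious file found|7|dhost=SRV02 sproc=explorer.exe filePath=C:\\Temp\\setup.tmp",
    r"CEF:0|VMware Carbon Black|App Control|8.9|1001|Suspicious file found|7|dhost=WS03 sproc=explorer.exe filePath=C:\\Users\\bob\\Desktop\\readme.lnk",
]


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\| -> |, \\= -> =, \\\\ -> \\ (Windows paths arrive double-escaped)."""
    return re.sub(r"\\([|=\\])", r"\1", value)


def parse_cef(line: str) -> dict:
    """Map one CEF line onto the CommonSecurityLog columns the query uses.

    The header/extension split is simplified (an escaped backslash right before a
    real pipe is not handled); the CEF-key-to-column mapping is an assumption.
    """
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    ext = {}
    # Split the extension on whitespace that precedes the next key=; values may contain spaces.
    for token in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = _unescape(value)
    return {
        "DeviceVendor": _unescape(parts[1]),
        "DeviceProduct": _unescape(parts[2]),
        "Activity": _unescape(parts[5]),          # CEF Name field
        "DestinationHostName": ext.get("dhost", ""),
        "ProcessName": ext.get("sproc", ""),      # assumed mapping
        "FilePath": ext.get("filePath", ""),
    }


def file_extension(path: str) -> str:
    """Lower-cased extension of the last path component, for Windows or POSIX separators.

    A leading-dot name such as .bashrc is treated as having no extension.
    """
    name = re.split(r"[\\/]", path)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def suspicious_file_counts(lines, risky_only: bool = False) -> dict:
    """Equivalent of the Sentinel query: filter, then count per host/activity/process/path.

    Comparisons are exact and case-sensitive, like KQL ==. With risky_only=True the
    results are further limited to the extensions in RISKY_EXTENSIONS.
    """
    counts = Counter()
    for line in lines:
        rec = parse_cef(line)
        if rec["DeviceVendor"] != "VMware Carbon Black" or rec["DeviceProduct"] != "App Control":
            continue
        if rec["Activity"] != "Suspicious file found":
            continue
        if risky_only and file_extension(rec["FilePath"]) not in RISKY_EXTENSIONS:
            continue
        counts[tuple(rec[col] for col in GROUP_BY)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(suspicious_file_counts(SAMPLE_CEF_LINES, risky_only=True).items()):
        print(n, *key)
```

Running it prints two rows: the invoice.pdf opened from outlook.exe on WS01 with a count of 2, and readme.lnk on WS03; setup.tmp on SRV02 matches the base query but drops out of the risky-extension view, and the "File approved" and foreign-vendor lines never match at all. If you port the extension filter back to KQL, remember that the Risk section's list contains .doc and .xls but not .docx or .xlsx, so widen it deliberately rather than copying it verbatim.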
