Monitoring Tamper Protection Triggers via KQL in Microsoft Sentinel
Security teams using Microsoft Sentinel can use KQL to surface tamper protection events raised by VMware Carbon Black App Control. These events indicate attempts to disable, uninstall, or otherwise interfere with the App Control agent or its policy enforcement; detecting them promptly limits the time an attacker has to operate on an endpoint whose protection has been degraded. The query below reads the CommonSecurityLog table, which is where CEF-formatted events from the VMware Carbon Black App Control data connector are stored.
Risk
Tamper protection alerts signal attempts to disable or bypass a security control, which is typical of malware that tries to blind endpoint protection before acting and of users with local administrative rights who circumvent policy. An endpoint that generates these events may already be running without enforcement, so later activity on it can go unblocked and unrecorded. Responding promptly keeps a single degraded endpoint from becoming an undetected foothold.
Query
Microsoft Sentinel
CommonSecurityLog                                  // CEF events ingested by the connector land in this table
| where DeviceVendor == "VMware Carbon Black"      // CEF header "Device Vendor" field
| where DeviceProduct == "App Control"             // CEF header "Device Product" field
| where Activity == "Tamper Protection"            // CEF "Name" field; exact, case-sensitive match
| project TimeGenerated, DestinationHostName, DestinationIP, DestinationUserName, FilePath, FileName
| order by TimeGenerated desc                      // most recent attempt first for triage
Query Overview:
This KQL query filters CommonSecurityLog for events whose vendor is "VMware Carbon Black" and whose product is "App Control", then narrows to entries whose activity (the CEF event name) is "Tamper Protection". It projects the fields needed for triage: the timestamp, the affected endpoint (DestinationHostName and DestinationIP), the account involved (DestinationUserName), and the file or process associated with the attempt (FilePath and FileName). Note that == is an exact, case-sensitive comparison: if the connector emits a different casing or a longer event name, the query returns nothing without any error, so confirm the vendor, product, and activity strings against live events before turning this into an analytics rule.
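The following two queries are an added example and are not part of the original page or of the VMware Carbon Black connector content. The first enumerates the vendor, product, and activity strings the connector actually emits, so the equality filters can be verified; the second builds on the page's query to give a per-endpoint triage view. The string values are assumed from the query above and may differ in a given workspace; the two queries are separated by a blank line so that Log Analytics runs only the one the cursor is in.

```kusto
// Added example (not from the original page). Run the two queries separately.

// 1. Discovery: confirm the exact DeviceVendor / DeviceProduct / Activity
//    values before relying on exact-match filters. "Carbon Black" is an
//    assumed substring; adjust if the connector labels the vendor differently.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has "Carbon Black"
| summarize EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by DeviceVendor, DeviceProduct, Activity
| order by EventCount desc

// 2. Triage: one row per endpoint, so hosts with repeated tamper attempts
//    rank first. =~ is a case-insensitive comparison, which tolerates casing
//    differences that would silently empty an == filter.
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor =~ "VMware Carbon Black" and DeviceProduct =~ "App Control"
| where Activity =~ "Tamper Protection"
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Users = make_set(DestinationUserName, 20),
            Files = make_set(FileName, 20),
            Paths = make_set(FilePath, 20)
    by DestinationHostName, DestinationIP
| order by Attempts desc, LastSeen desc
```

If the first query shows the activity name as something other than "Tamper Protection", or shows several related names, replace the `=~` comparison in the second query with `has` on the distinguishing word and re-run the discovery query periodically, since connector updates can change event naming.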