// Lists web-browsing network events (HTTP/HTTPS) from a specific device, on both Windows and Mac OS workstations.
// Intended as a download report: where a download came from (URL / remote IP) and where it was saved, covering any web browser, any Office application and PowerShell downloads.
// As written it does NOT do that: it only returns DeviceNetworkEvents whose initiating process reports a known browser product name, so it never shows where a file was saved, and Office / PowerShell downloads are excluded by the browser-name filter. For "origin URL plus saved path", DeviceFileEvents (FileOriginUrl / FileOriginReferrerUrl) is the table to query instead.
// NOTE(review): confirm that InitiatingProcessVersionInfoProductName is actually populated for macOS processes before relying on this for Mac devices.
// Don't recall where I found this query - would like to credit whomever wrote it...
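// Lookback window and target device. DeviceId is the MDE device GUID
// (from the device page or the DeviceInfo table), not the hostname.
let lookback = 1d;
let target_device = "xxxxxxxxxxxx";
// Browser product names matched term-wise and case-insensitively
// (has_any has the same semantics as the original `has` chain).
// Short generic terms such as "TT", "surf", "Tor", "Slim", "Links",
// "Nano", "Epic", "Titan" and "Crazy" will over-match other products;
// review hits on those before treating them as browser traffic.
let browser_terms = dynamic([
    "360 Extreme", "360 Security", "Acoo", "Amaya", "AOL Explorer", "Arachne",
    "Arora", "Avant Browser", "AWeb", "Baidu Browser", "Beonex", "Bitty",
    "Brave", "BriskBard", "Browse3D", "Camino", "Citrio", "Classilla",
    "CometBird", "Comodo", "Conkeror", "Crazy", "Crusta", "Deepnet", "Dillo",
    "Dooble", "Elinks", "Enigma", "Epic", "Flock", "Fluid", "Galeon",
    "GNU IceCat", "Grail", "GreenBrowser", "Ibrowse", "iCab", "Iceweasel",
    "Iron Browser", "Kazehakase", "KidRocket", "KidZui", "K-Meleon",
    "Konqueror", "Kylo", "Links", "Lobo", "Lunascape", "Lynx", "Maxthon",
    "MenuBox", "Midori", "Mozilla", "Nano", "NeoPlanet", "Netscape", "NetSurf",
    "Nuke", "OmniWeb", "Otter", "Pale Moon", "Pink browser", "Polarity",
    "QtWeb", "QupZilla", "rekonq", "Roccat", "Rockmelt", "Safari", "SafeZone",
    "SeaMonkey", "ShenzBrowser", "Shiira", "Sleipnir", "Slim", "SlimBoat",
    "Sogou", "space time", "Stainless", "surf", "Swiftfox", "Swiftweasel",
    "TenFourFox", "The World", "Timberwolf", "Titan", "Tor", "Torch Browser",
    "TT", "UC Browser", "Ultrabrowser", "uzbl", "Vivaldi", "Voyager",
    "Waterfox", "WebPositive", "Wyzo", "xB Browser", "xombrero", "Xtravo",
    "Yandex", "ZAC"
]);
// Product names matched exactly and case-sensitively (the original `==` checks).
let browser_exact = dynamic([
    "Google Chrome", "Chromium", "Microsoft Edge", "Firefox", "Internet Explorer"
]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where DeviceId == target_device
// Events that only carry a RemoteIP (no URL) are dropped here, so a
// downloader that fetches from a bare IP never appears in this report.
| where RemoteUrl != ""
// RemotePort is an integer column; compare numerically rather than against
// string literals. Restricting to 80/443 also hides downloads served on
// non-standard ports, which is common for malicious infrastructure.
| where RemotePort in (80, 443)
// CAVEAT: InitiatingProcessVersionInfoProductName is read from the binary's
// own version resource, which whoever built the binary controls. A malicious
// downloader can carry "Google Chrome" here and still be listed as browser
// traffic, while a legitimate Office or PowerShell download never matches.
// Use the folder path, file name and SHA256 projected below to confirm that
// the process really is the browser it claims to be.
| where InitiatingProcessVersionInfoProductName has_any (browser_terms)
    or InitiatingProcessVersionInfoProductName in (browser_exact)
    or InitiatingProcessVersionInfoProductName startswith "Opera Internet"
// Original columns first; file name, hash and command line are appended so
// the self-reported product name can be cross-checked.
| project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType, RemoteIP, RemotePort, RemoteUrl, LocalIP, LocalPort, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessVersionInfoProductName, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessCommandLine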