Merge pull request #188 from AntoineJo/patch-2

New queries based on customer requests

Author: tali-ash

Exfiltration/Data copied to other location than C:.txt

@@ -0,0 +1,11 @@
+//Check all created files
+// that does not have extension ps1, bat or cmd to avoid IT Pro scripts
+// that are not copied to C:\ to detect all file share, external drive, data partition that are not allowed, etc.
+// this could help to detect malicious insider/user that has unencrypted data partition and that are using it to exfiltrate data even while removable devices & cloud storage is blocked
+DeviceFileEvents
+| where ActionType == "FileCreated"
+| extend extension= extract(@".*(\..*)$",1,FileName)
+| where extension !in (".ps1",".bat",".cmd")
+| extend DriveLetterOrShare=split(FolderPath,':')[0]
+| where DriveLetterOrShare != 'C'
+| project tostring(DriveLetterOrShare), FolderPath, FileName, DeviceId, DeviceName, ReportId, Timestamp, ShareName, IsAzureInfoProtectionApplied, SensitivityLabel, SensitivitySubLabel, InitiatingProcessFileName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine

Persistence/localAdminAccountLogon.txt

@@ -0,0 +1,5 @@
+//This query looks for local admin account used to logon into the computer
+//this can help to detect malicious insiders that were able to add a local account to the local admin group offline
+DeviceLogonEvents
+| where IsLocalAdmin == 1
+ and AccountDomain == DeviceName