Anomalous Device Models

Hunt Hypothesis

Adversaries may be using uncommon device models to evade detection and blend in with legitimate traffic. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of endpoints or unauthorized device access.

KQL Query

// 
let AnomalousModelCount = 5;
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| summarize ModelAppearanceCount=dcount(DeviceId) by Model
| where ModelAppearanceCount < AnomalousModelCount

Analytic Rule Definition

id: 9ec67c0b-e319-4f1c-bbea-67119d03740a
name: Anomalous Device Models
description: |
  This query finds anomalous models discovered
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceInfo
tactics: []
relevantTechniques: []
query: |
  // 
  let AnomalousModelCount = 5;
  DeviceInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | summarize ModelAppearanceCount=dcount(DeviceId) by Model
  | where ModelAppearanceCount < AnomalousModelCount

References

• [Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Device Inventory/Anomalous Device Models.yaml)

False Positive Guidance

• Scenario: A system administrator is using a third-party tool like Ansible or Puppet to deploy configuration changes across multiple devices.
  Filter/Exclusion: Exclude events related to known configuration management tools (e.g., process.name: Ansible or process.name: puppet).

• Scenario: A scheduled job runs PowerShell scripts to automate routine tasks such as log rotation or backup, which may involve uncommon device models.
  Filter/Exclusion: Exclude processes initiated by scheduled tasks (e.g., process.parent_process_name: Task Scheduler or process.command_line: powershell.exe -Command).

• Scenario: A security team member is testing a new endpoint detection and response (EDR) tool like CrowdStrike or Microsoft Defender on a test machine, which may report unusual device models.
  Filter/Exclusion: Exclude processes associated with EDR tools (e.g., process.name: fwctrl or process.name: mfe).

• Scenario: A database administrator is using SQL Server Agent to run maintenance jobs, which may involve devices with non-standard model names.
  Filter/Exclusion: Exclude events related to SQL Server Agent jobs (e.g., process.parent_process_name: sqlagent.exe or process.command_line: sqlcmd).

• Scenario: A developer is using a virtualization tool like VMware vSphere or Microsoft Hyper-V to run virtual machines, which may report device models that are not typical for physical hardware.
  Filter/Exclusion: Exclude events related to virtualization platforms (e.g., process.name: vmtoolsd or process.name: hypervisor or process.parent_process_name: vmrun).