Filtering the DeviceInfo table by DeviceType and DeviceSubtype turns Defender for Endpoint device discovery data into an inventory of one class of device, for example network devices classified as routers. Compared against what the network team has actually provisioned, that inventory exposes hardware nobody accounted for, which is the kind of unauthorized or compromised device an attacker can use as a pivot point. SOC teams can run this as a hunt in Microsoft Sentinel (formerly Azure Sentinel) to enumerate such devices and to scope lateral-movement or persistence investigations around them. Two caveats: the query keeps only the latest DeviceInfo record per device, so it reflects current classification rather than history, and DeviceSubtype is populated only when discovery has enough information about a device, so devices with an empty subtype are dropped whenever a subtype is specified.
KQL Query
// Specify the wanted DeviceType and DeviceSubtype (the where clause requires both to match)
let HuntedDeviceType = "NetworkDevice";
let HuntedDeviceSubtype = "Router";
DeviceInfo
// Keep only the most recent DeviceInfo record for each device
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceType == HuntedDeviceType and DeviceSubtype == HuntedDeviceSubtype
id: 88adf141-5058-4f0f-a665-cd56eed754a5
name: Devices By Specific DeviceType and DeviceSubtype
description: |
  This query finds devices by DeviceType and DeviceSubtype (both values must match)
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
tactics: []
relevantTechniques: []
query: |
  // Specify the wanted DeviceType and DeviceSubtype (the where clause requires both to match)
  let HuntedDeviceType = "NetworkDevice";
  let HuntedDeviceSubtype = "Router";
  DeviceInfo
  // Keep only the most recent DeviceInfo record for each device
  | summarize arg_max(Timestamp, *) by DeviceId
  | where DeviceType == HuntedDeviceType and DeviceSubtype == HuntedDeviceSubtype
Tuning scenarios
Note: the field names used below (process.name, user.name, container.name, cloud.provider and the like) are Elastic Common Schema style names, not columns of the DeviceInfo table, and most of the DeviceType/DeviceSubtype values quoted (for example "Container" and "Database Server") do not correspond to how DeviceInfo classifies devices: DeviceType reflects a device's function (workstation, server, network device, mobile, and so on; the query's own defaults, NetworkDevice and Router, show the form these take), and the operating system is carried in OSPlatform rather than in DeviceSubtype. Treat the scenarios as a checklist of benign activity to account for, and implement the exclusions with DeviceInfo columns (DeviceName, MachineGroup, RegistryDeviceTag, OSPlatform) or, for onboarded hosts, a join to DeviceProcessEvents on DeviceId using its FileName, InitiatingProcessFileName and AccountName columns. The opening words of each mitigation sentence are missing from the page; the gap is marked […].
- Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication on a server with the DeviceType "Virtual Machine" and DeviceSubtype "VMware ESXi". Mitigation: […] process.name or tool.name to filter out backup-related activity.
- Scenario: A database administrator is running a SQL Server Agent Job on a SQL Server instance with DeviceType "Database Server" and DeviceSubtype "Microsoft SQL Server". Mitigation: […] process.name or job.name field to avoid false positives from routine maintenance tasks.
- Scenario: A DevOps team is deploying a new Docker container on a host machine with DeviceType "Container" and DeviceSubtype "Docker". Mitigation: […] container.name or process.parent to differentiate between legitimate container deployments and malicious activity.
- Scenario: An IT technician is using PowerShell to configure network settings on a Windows Server with DeviceType "Server" and DeviceSubtype "Windows Server". Mitigation: […] process.name containing "PowerShell", or use a field like user.name to identify administrative tasks performed by authorized users.
- Scenario: A cloud administrator is provisioning a new AWS EC2 instance with DeviceType "Virtual Machine" and DeviceSubtype "Amazon EC2". Mitigation: […] cloud.provider field set to "AWS", or use a process.name filter to exclude AWS CLI or SDK-related activity.
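The following is an added example written for this page; it is not part of the original query file or of the scenarios above. It reworks the hunt so that a subtype is optional, and implements the kind of exclusions the scenarios ask for with columns that actually exist in the Defender tables: a constructed allow-list of known assets joined on DeviceName, and, for onboarded hosts only, a leftanti join to DeviceProcessEvents for devices on which a named administrative tool ran (passively discovered network devices produce no process telemetry, so that step is a no-op for them). The hostnames, tool names and 30-day window are assumptions to be replaced with local values.

```kql
// Added example: the hunt with an optional subtype and two exclusions.
// Asset names, tool names and the lookback window are constructed placeholders.
let HuntedDeviceType = "Server";
let HuntedDeviceSubtype = "";            // empty string = match any subtype
let LookbackWindow = 30d;
// Constructed allow-list of devices the asset inventory already accounts for
let KnownAssets = datatable(DeviceName:string, Owner:string)
[
    "bkp-srv-01.corp.example", "Backup team",
    "sql-srv-02.corp.example", "DBA team"
];
// Constructed list of tools whose presence marks routine administration.
// Only onboarded hosts write DeviceProcessEvents, so this exclusion never
// removes a passively discovered network device.
let AdminTools = dynamic(["Veeam.Backup.Service.exe", "SQLAGENT.EXE"]);
let AdminHosts = DeviceProcessEvents
    | where Timestamp > ago(LookbackWindow)
    | where FileName in~ (AdminTools)
    | distinct DeviceId;
DeviceInfo
| where Timestamp > ago(LookbackWindow)
// Latest record per device, so a reclassified device is counted once, by its current type
| summarize arg_max(Timestamp, *) by DeviceId
| where DeviceType == HuntedDeviceType
// Compare the subtype only when one was requested; otherwise empty subtypes are kept too
| where isempty(HuntedDeviceSubtype) or DeviceSubtype == HuntedDeviceSubtype
// Drop inventoried assets and hosts where the admin tooling ran; what remains is the
// set of unexpected devices worth triaging
| join kind=leftanti KnownAssets on DeviceName
| join kind=leftanti AdminHosts on DeviceId
| project Timestamp, DeviceId, DeviceName, DeviceType, DeviceSubtype, OSPlatform,
          Vendor, Model, PublicIP, IsInternetFacing, OnboardingStatus
| order by Timestamp desc
```

To reproduce the original hunt for routers, set HuntedDeviceType to "NetworkDevice" and HuntedDeviceSubtype to "Router"; the allow-list join then does the useful work, since routers are not onboarded and the AdminHosts join removes nothing. Leaving HuntedDeviceSubtype empty is the practical way to get the "and/or" behaviour the original comment promises, and it also surfaces devices whose subtype discovery could not determine.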