Unusual external device connections in the Azure environment may indicate lateral movement or unauthorized access attempts by adversaries seeking to establish persistence. SOC teams should proactively hunt for this behavior to identify potential compromise and mitigate risks associated with unauthorized device interactions.
KQL Query
let DeviceNameParam = "<replace this with full computer name>";
// Query for device connection events
let devices =
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| project
    DeviceDescription=tostring(parsed.DeviceDescription),
    ClassName=tostring(parsed.ClassName),
    // Pseudo-unique hardware instance identifier of the device (distinct from the vendor/product ids)
    DeviceId=tostring(parsed.DeviceId),
    VendorIds=tostring(parsed.VendorIds),
    DeviceName, Timestamp ;
// Filter devices seen on the suspected machine
devices | where DeviceName == DeviceNameParam
// Get some stats on the device connections to that machine
| summarize TimesConnected=count(), FirstTime=min(Timestamp), LastTime=max(Timestamp) by DeviceId, DeviceDescription, ClassName, VendorIds, DeviceName
// Optional filter - keep only devices whose connections all fall within a 24h window
| where LastTime - FirstTime < 1d
// Filter out (antijoin) devices that are common in the organization.
// We use multiple identifiers here, including a pseudo-unique device ID.
// So a specific disk-on-key device whose model is common in the org will still be shown in the results,
// while built-in software devices (which often have a constant device ID) as well as common network devices (e.g. printer queues) will be excluded.
| join kind=leftanti
    (devices | summarize Machines=dcount(DeviceName) by DeviceId, DeviceDescription, VendorIds | where Machines > 5)
    on DeviceId, DeviceDescription, VendorIds
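To check the query's filtering logic offline before running it in Sentinel, here is an added Python re-implementation of the same pipeline (not part of the original query or of Microsoft's repository) run over constructed DeviceEvents rows. The hostnames, device ids and the assumption that AdditionalFields is a JSON string carrying DeviceId, DeviceDescription, ClassName and VendorIds are sample assumptions, not values from the page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of DeviceEvents; AdditionalFields is assumed to be the
# JSON string holding DeviceId, DeviceDescription, ClassName and VendorIds (hostnames/ids are made up).
def _row(ts, host, dev_id, desc, cls, vendor):
    return {"Timestamp": ts, "DeviceName": host, "ActionType": "PnpDeviceConnected",
            "AdditionalFields": json.dumps({"DeviceId": dev_id, "DeviceDescription": desc,
                                            "ClassName": cls, "VendorIds": vendor})}

T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_EVENTS = (
    # a USB stick plugged into ws01 once: rare and short-lived, should surface
    [_row(T0, "ws01.corp.example", "USBSTOR\\DISK&VEN_KINGSTON\\1234", "Kingston DataTraveler",
          "DiskDrive", "USB\\VID_0951&PID_1666")]
    # a built-in print queue with a constant id on seven hosts (ws01 included): dropped by the antijoin
    + [_row(T0, f"ws{i:02d}.corp.example", "SWD\\PRINTENUM\\{00000000-1111-2222-3333-444444444444}",
            "Microsoft Print to PDF", "PrintQueue", "") for i in range(1, 8)]
    # a second stick used on ws01 across three days: dropped by the 24h window filter
    + [_row(T0 + timedelta(days=d), "ws01.corp.example", "USBSTOR\\DISK&VEN_SANDISK\\9999", "SanDisk Ultra",
            "DiskDrive", "USB\\VID_0781&PID_5591") for d in range(3)]
)

def rare_devices(events, target_host, max_span=timedelta(days=1), common_threshold=5):
    """Return {(DeviceId, DeviceDescription, ClassName, VendorIds): stats} for devices on target_host
    that connected within max_span and are not seen on more than common_threshold distinct hosts."""
    devices = []  # the 'devices' let-statement: parsed PnpDeviceConnected rows
    for e in events:
        if e["ActionType"] != "PnpDeviceConnected":
            continue
        p = json.loads(e["AdditionalFields"])
        devices.append((p["DeviceId"], p["DeviceDescription"], p["ClassName"], p["VendorIds"],
                        e["DeviceName"], e["Timestamp"]))
    # summarize Machines=dcount(DeviceName) by DeviceId, DeviceDescription, VendorIds | where Machines > 5
    hosts_by_key = defaultdict(set)
    for dev_id, desc, _cls, vendor, host, _ts in devices:
        hosts_by_key[(dev_id, desc, vendor)].add(host)
    common = {k for k, hosts in hosts_by_key.items() if len(hosts) > common_threshold}
    # summarize TimesConnected/FirstTime/LastTime for the suspected machine only
    stats = {}
    for dev_id, desc, cls, vendor, host, ts in devices:
        if host != target_host:
            continue
        s = stats.setdefault((dev_id, desc, cls, vendor), {"TimesConnected": 0, "FirstTime": ts, "LastTime": ts})
        s["TimesConnected"] += 1
        s["FirstTime"], s["LastTime"] = min(s["FirstTime"], ts), max(s["LastTime"], ts)
    # where LastTime - FirstTime < 1d, then join kind=leftanti on (DeviceId, DeviceDescription, VendorIds)
    return {k: v for k, v in stats.items()
            if v["LastTime"] - v["FirstTime"] < max_span and (k[0], k[1], k[3]) not in common}
```

Running `rare_devices(SAMPLE_EVENTS, "ws01.corp.example")` returns only the Kingston stick: the print queue is removed by the commonness antijoin even though it also connected to ws01 once, and the SanDisk stick is removed by the 24h window.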
id: 10838671-0c35-4d5b-95f8-06d5b4d5bf61
name: Map external devices
description: |
  Action "PnpDeviceConnected" reports the connection of any plug and play device.
  Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416.
  Query #1: look for rare one-time devices connected to a specific machine.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  let DeviceNameParam = "<replace this with full computer name>";
  // Query for device connection events
  let devices =
  DeviceEvents
  | where ActionType == "PnpDeviceConnected"
  | extend parsed=parse_json(AdditionalFields)
  | project
      DeviceDescription=tostring(parsed.DeviceDescription),
      ClassName=tostring(parsed.ClassName),
      // Pseudo-unique hardware instance identifier of the device (distinct from the vendor/product ids)
      DeviceId=tostring(parsed.DeviceId),
      VendorIds=tostring(parsed.VendorIds),
      DeviceName, Timestamp ;
  // Filter devices seen on the suspected machine
  devices | where DeviceName == DeviceNameParam
  // Get some stats on the device connections to that machine
  | summarize TimesConnected=count(), FirstTime=min(Timestamp), LastTime=max(Timestamp) by DeviceId, DeviceDescription, ClassName, VendorIds, DeviceName
  // Optional filter - keep only devices whose connections all fall within a 24h window
  | where LastTime - FirstTime < 1d
  // Filter out (antijoin) devices that are common in the organization.
  // We use multiple identifiers here, including a pseudo-unique device ID.
  // So a specific disk-on-key device whose model is common in the org will still be shown in the results,
  // while built-in software devices (which often have a constant device ID) as well as common network devices (e.g. printer queues) will be excluded.
  | join kind=leftanti
      (devices | summarize Machines=dcount(DeviceName) by DeviceId, DeviceDescription, VendorIds | where Machines > 5)
      on DeviceId, DeviceDescription, VendorIds
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backup using Veeam Backup & Replication
Filter/Exclusion: Exclude events where the source is VeeamBackupService or where the process name contains VeeamBackup.
Scenario: Admin task to map network drives using PowerShell
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes net use or New-PSDrive.
Scenario: Automated device mapping for cloud storage integration (e.g., AWS S3 sync)
Filter/Exclusion: Exclude events where the source is a cloud integration tool like AWS CLI or AWS S3 Sync Tool and the command line includes s3 sync.
Scenario: User manually mapping a network drive via GUI (e.g., Windows Explorer)
Filter/Exclusion: Exclude events where the user is a system administrator and the action is initiated from the Computer or This PC interface in Windows Explorer.
Scenario: Regular maintenance task to map devices for backup (e.g., Acronis True Image)
Filter/Exclusion: Exclude events where the process name is AcronisTrueImage.exe or where the command line includes backup or map device.