Map external devices (1)

Hunt Hypothesis

An adversary may be attempting to establish unauthorized access by connecting external devices to the network, which could indicate the use of compromised or rogue hardware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence mechanisms early.

KQL Query

// Query #2: map uncommon storage devices across the org
// This is a noisy query - but it can serve as reference for working with this event
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend
    DeviceDescription=tostring(parsed.DeviceDescription),
    ClassName=tostring(parsed.ClassName)
| where
    ClassName in ("DiskDrive", "CDROM")
    or ClassName contains "nas"
    or ClassName contains "SCSI"
    or (ClassName == "USB" and DeviceDescription contains "storage")
| summarize ComputerCount=dcount(DeviceName) by ClassName, DeviceDescription
| where ComputerCount < 5

Analytic Rule Definition

id: a091241a-5df7-497f-b4fa-b36641e7373d
name: Map external devices (1)
description: |
  Action "PnpDeviceConnected" reports the connection of any plug and play device.
  Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416.
  Query #1: look for rare one-time devices connected to a specific machine.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
query: |
  // Query #2: map uncommon storage devices across the org
  // This is a noisy query - but it can serve as reference for working with this event
  DeviceEvents
  | where ActionType == "PnpDeviceConnected"
  | extend parsed=parse_json(AdditionalFields)
  | extend
      DeviceDescription=tostring(parsed.DeviceDescription),
      ClassName=tostring(parsed.ClassName)
  | where
      ClassName in ("DiskDrive", "CDROM")
      or ClassName contains "nas"
      or ClassName contains "SCSI"
      or (ClassName == "USB" and DeviceDescription contains "storage")
  | summarize ComputerCount=dcount(DeviceName) by ClassName, DeviceDescription
  | where ComputerCount < 5

Required Data Sources

Sentinel Table	Notes
`DeviceEvents`	Ensure this data connector is enabled

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Exfiltration/Map external devices (1).yaml)

False Positive Guidance

Scenario: System backup using Veeam Backup & Replication
Filter/Exclusion: Exclude processes related to veeam or VeeamBackup using the process.name field.
Example Filter: process.name != "veeam" AND process.name != "VeeamBackup"
Scenario: Scheduled maintenance task using Windows Task Scheduler
Filter/Exclusion: Exclude tasks with taskname containing “Maintenance” or “ScheduledTask” using the task.name field.
Example Filter: task.name NOT LIKE "%Maintenance%" AND task.name NOT LIKE "%ScheduledTask%"
Scenario: Database backup using Oracle Data Pump
Filter/Exclusion: Exclude processes related to expdp or impdp using the process.name field.
Example Filter: process.name != "expdp" AND process.name != "impdp"
Scenario: Log file rotation using logrotate utility (Linux)
Filter/Exclusion: Exclude processes related to logrotate using the process.name field.
Example Filter: process.name != "logrotate"
Scenario: Admin task for device enumeration using PowerShell
Filter/Exclusion: Exclude PowerShell scripts with Get-WmiObject or Get-CimInstance related to device discovery.
Example Filter: process.name != "powershell.exe" OR (process.name == "powershell.exe" AND script.name NOT LIKE "%Get-WmiObject%")