Adversaries may use the same download sources that trigger AV detections to exfiltrate data or establish command and control, so identifying those sources early is critical. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential malware distribution or data exfiltration attempts.
KQL Query
```kql
//Get the list of AV detections
let avDetections =
    DeviceEvents
    | where ActionType == "AntivirusDetection" and isnotempty(MD5)
    | extend ParsedFields = parse_json(AdditionalFields)
    | project Timestamp, DeviceName, ThreatName = tostring(ParsedFields.ThreatName), FileName, FolderPath, MD5;
//Get a list of file creations
let fileCreations =
    DeviceFileEvents
    | where (isnotempty(FileOriginReferrerUrl) or isnotempty(FileOriginUrl)) and isnotempty(MD5)
    | project MD5, FileOriginUrl, FileOriginReferrerUrl, InitiatingProcessFileName, InitiatingProcessParentFileName;
//Join the file creations and AV detections on the MD5 of the file
avDetections
| join kind=inner (fileCreations) on MD5
| project-away MD51 //Remove the duplicated MD5 field
| sort by Timestamp desc
```
```yaml
id: 52c9e90b-84f4-4e2d-ae3d-eef85e8aa069
name: AV Detections with Source
description: |
  This query shows the source of the AV detections (e.g., the website the file was downloaded from etc.).
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
      - DeviceFileEvents
query: |
  //Get the list of AV detections
  let avDetections =
      DeviceEvents
      | where ActionType == "AntivirusDetection" and isnotempty(MD5)
      | extend ParsedFields = parse_json(AdditionalFields)
      | project Timestamp, DeviceName, ThreatName = tostring(ParsedFields.ThreatName), FileName, FolderPath, MD5;
  //Get a list of file creations
  let fileCreations =
      DeviceFileEvents
      | where (isnotempty(FileOriginReferrerUrl) or isnotempty(FileOriginUrl)) and isnotempty(MD5)
      | project MD5, FileOriginUrl, FileOriginReferrerUrl, InitiatingProcessFileName, InitiatingProcessParentFileName;
  //Join the file creations and AV detections on the MD5 of the file
  avDetections
  | join kind=inner (fileCreations) on MD5
  | project-away MD51 //Remove the duplicated MD5 field
  | sort by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
- Scenario: A legitimate system update is being downloaded from a known Microsoft server.
  - Filter/Exclusion: Exclude IP addresses or domains associated with Microsoft update servers (e.g., update.microsoft.com, download.microsoft.com).
- Scenario: A security tool like Maltego or OSSEC is performing a network scan or data collection.
  - Filter/Exclusion: Exclude processes or domains associated with security tools (e.g., maltego.com, ossec.net).
- Scenario: An administrator is running a scheduled antivirus scan using Microsoft Defender or ClamAV.
  - Filter/Exclusion: Exclude processes related to scheduled scans (e.g., MsMpEng.exe, clamscan), or filter by process name.
- Scenario: A user is downloading a safe file from an internal repository (e.g., Artifactory or Nexus) for development purposes.
  - Filter/Exclusion: Exclude internal repository domains (e.g., artifactory.example.com, nexus.internal.example.com).
- Scenario: A log management tool like Splunk or ELK Stack is ingesting logs from AV sensors.
  - Filter/Exclusion: Exclude processes or domains associated with log management tools (e.g., splunk.com, elasticsearch.example.com).
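The scenarios above describe the exclusions only in prose. The KQL below is an added tuning example, not part of the original hunting query, showing one way to apply them to the join as an allowlist. The domain and process names come from the scenarios above; the names `benignDomains`, `benignProcesses`, `OriginHost` and `ReferrerHost` are assumptions introduced here. Matching is done on the parsed URL host rather than on a substring of the URL, so that a lookalike hostname that merely contains an allowlisted name does not slip through the exclusion.

```kql
// Added tuning example (not the page's original query). Allowlists are
// constructed from the scenarios above; adjust them to your environment.
let benignDomains = dynamic([
    "update.microsoft.com", "download.microsoft.com",
    "artifactory.example.com", "nexus.internal.example.com"
]);
let benignProcesses = dynamic(["MsMpEng.exe", "clamscan.exe"]);
//Get the list of AV detections
let avDetections =
    DeviceEvents
    | where ActionType == "AntivirusDetection" and isnotempty(MD5)
    | extend ParsedFields = parse_json(AdditionalFields)
    | project Timestamp, DeviceName, ThreatName = tostring(ParsedFields.ThreatName), FileName, FolderPath, MD5;
//Get a list of file creations, with the host part of each origin URL extracted
let fileCreations =
    DeviceFileEvents
    | where (isnotempty(FileOriginReferrerUrl) or isnotempty(FileOriginUrl)) and isnotempty(MD5)
    | extend OriginHost = tostring(parse_url(FileOriginUrl).Host),
             ReferrerHost = tostring(parse_url(FileOriginReferrerUrl).Host)
    | project MD5, FileOriginUrl, FileOriginReferrerUrl, OriginHost, ReferrerHost,
              InitiatingProcessFileName, InitiatingProcessParentFileName;
//Join on MD5, then drop rows whose source or initiating process is allowlisted
avDetections
| join kind=inner (fileCreations) on MD5
| project-away MD51 //Remove the duplicated MD5 field
| where not(OriginHost in~ (benignDomains) or ReferrerHost in~ (benignDomains))
| where not(InitiatingProcessFileName in~ (benignProcesses))
| sort by Timestamp desc
```

In a production workspace the two `dynamic` lists are better kept in a Sentinel watchlist (read with `_GetWatchlist`) so analysts can maintain the allowlist without editing the query. Review excluded rows periodically: an exclusion on a process name such as `MsMpEng.exe` removes every detection that process initiated, so it should be as narrow as the scenario requires.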