An adversary may attach external plug-and-play devices, removable storage in particular, to managed endpoints to gain a foothold, stage tooling or move data, and unexpected devices can also point to rogue or compromised hardware. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) using the Defender for Endpoint DeviceEvents table, so that removable-media initial access, lateral movement, exfiltration or persistence mechanisms are identified early.
KQL Query
```kql
// Query #2: map uncommon storage devices across the org
// This is a noisy query - but it can serve as reference for working with this event
DeviceEvents
| where ActionType == "PnpDeviceConnected"
// For this action type the device details are carried in the AdditionalFields JSON string
| extend parsed = parse_json(AdditionalFields)
| extend
    DeviceDescription = tostring(parsed.DeviceDescription),
    ClassName = tostring(parsed.ClassName)
// Keep only storage-capable device classes (contains is case-insensitive in KQL)
| where
    ClassName in ("DiskDrive", "CDROM")
    or ClassName contains "nas"
    or ClassName contains "SCSI"
    or (ClassName == "USB" and DeviceDescription contains "storage")
// Count distinct hosts per device type; types seen on fewer than 5 hosts are the leads to review
| summarize ComputerCount = dcount(DeviceName) by ClassName, DeviceDescription
| where ComputerCount < 5
```
Query metadata (the query body is the one shown above under KQL Query):
```yaml
id: a091241a-5df7-497f-b4fa-b36641e7373d
name: Map external devices (1)
description: |
  Action "PnpDeviceConnected" reports the connection of any plug and play device.
  Read more online on event 6416: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-6416.
  Query #2: map uncommon storage devices across the org. A companion query, #1, looks for rare one-time devices connected to a specific machine.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) data connector; ensure it is enabled and that the DeviceEvents data type is selected |
False positive tuning
Caveat: the scenarios below were written against process-level fields (process.name, task.name, script.name) that do not exist in a DeviceEvents PnpDeviceConnected record. A PnP connection event identifies the host (DeviceName) and the device (ClassName, DeviceDescription, DeviceId and VendorIds inside AdditionalFields); it carries no meaningful initiating process, so exclusions for this query have to be written in KQL on those fields, or handled by raising the ComputerCount threshold. The filters are restated accordingly.
Scenario: System backup using Veeam Backup & Replication
Filter/Exclusion: Backup software that mounts backup images for restore can present them as virtual disk devices (ClassName "DiskDrive"), so backup and mount servers produce recurring hits. Exclude those hosts by DeviceName; a process.name != "veeam" condition cannot be expressed against this event.
Example Filter: | where DeviceName !contains "veeam" (use an explicit allowlist of backup-server names where host naming is not consistent)
Scenario: Scheduled maintenance task using Windows Task Scheduler
Filter/Exclusion: Not applicable. Scheduled tasks do not generate PnpDeviceConnected events, and task.name is not a DeviceEvents field; no exclusion is needed for this query.
Scenario: Database backup using Oracle Data Pump
Filter/Exclusion: Not applicable as a process filter: expdp and impdp write dump files and attach no hardware. If database servers are a known source of hits (for example, SCSI devices presented by attached storage), exclude them by DeviceName.
Example Filter: | where DeviceName !in~ ("oradb01.contoso.com", "oradb02.contoso.com") (placeholder hostnames)
Scenario: Log file rotation using logrotate utility (Linux)
Filter/Exclusion: Not applicable. logrotate renames and compresses files and produces no device-connection event.
Scenario: Admin task for device enumeration using PowerShell
Filter/Exclusion: Not applicable. Get-WmiObject and Get-CimInstance (for example, against Win32_PnPEntity) read the existing device tree; they do not raise PnpDeviceConnected, which fires on device arrival, and script.name is not a DeviceEvents field. Administrative workstations where devices are attached routinely should instead be excluded by DeviceName.
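Added example (my own, not the page's Query #1 or Query #2): one hunt that combines the org-wide rarity cut of the query above with the per-host one-time-device idea the description mentions, and applies the host-level exclusion the tuning notes call for instead of a process filter. target_host, known_hosts and lookback are placeholders; DeviceId and VendorIds are the remaining keys of the PnpDeviceConnected AdditionalFields record alongside ClassName and DeviceDescription.

```kql
// Added example, not the page's own query: rare storage devices on one host,
// enriched with how many hosts in the org have seen the same device identity.
// Placeholders: lookback, target_host, known_hosts.
let lookback    = 30d;
let target_host = "ws-finance-07.contoso.com";              // placeholder host to investigate
let known_hosts = dynamic(["veeam-bkp01.contoso.com"]);     // placeholder allowlist (backup/mount servers)
let storage_events =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "PnpDeviceConnected"
    | extend parsed = parse_json(AdditionalFields)
    | extend
        ClassName         = tostring(parsed.ClassName),
        DeviceDescription = tostring(parsed.DeviceDescription),
        DeviceId          = tostring(parsed.DeviceId),      // PnP instance id, typically includes the serial
        VendorIds         = tostring(parsed.VendorIds)
    // Same storage-class filter as the page's query
    | where ClassName in ("DiskDrive", "CDROM")
        or ClassName contains "nas"
        or ClassName contains "SCSI"
        or (ClassName == "USB" and DeviceDescription contains "storage")
    // Host allowlist replaces the process-name filters: a PnP event has no
    // meaningful initiating process, so exclusions are made per host.
    | where DeviceName !in~ (known_hosts);
// Org-wide prevalence per device identity (the page's ComputerCount, keyed by DeviceId)
let org_prevalence =
    storage_events
    | summarize OrgHostCount = dcount(DeviceName) by DeviceId;
storage_events
| where DeviceName =~ target_host
| summarize
    DaysSeen    = dcount(bin(Timestamp, 1d)),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Connections = count()
    by DeviceId, ClassName, DeviceDescription, VendorIds
| where DaysSeen == 1                        // one-time device on this host
| join kind=leftouter org_prevalence on DeviceId
| project-away DeviceId1
| where OrgHostCount < 5                     // same rarity cut as the page's query
| order by OrgHostCount asc, LastSeen desc
```

Rows with OrgHostCount of 1 are devices seen on no other host in the window and are the first to triage. Keying prevalence on DeviceId rather than on ClassName plus DeviceDescription distinguishes one specific stick from every stick of the same model, so the counts come out lower than the page's query gives for the same description; keep that in mind before comparing thresholds.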