我编写了一个查询来监视 USB 何时从网络上的计算机插入或拔出。我想将其构建为如果我将设备序列号放入列表中则不会发出警报。
DeviceEvents
| where ActionType == "UsbDriveMounted" or ActionType == "UsbDriveUnmounted"
| join kind=inner DeviceInfo on $left.DeviceId == $right.DeviceId
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SerialNumber
| sort by Timestamp desc
这是查询,它可以减去序列号。一旦我将该字段放入其中,它就不再评估。 我在这篇文章中看到它是受支持的领域。
但在那篇文章中,UsbDriveMounted 事件是 UsbDriveMount,稍后在这篇文章中,他们讨论了高级狩猎架构的更新。
有什么方法可以让这个查询给我 USB 设备的序列号吗?
我输入 SerialNumber 字段并期望它向表中添加一列来提供该信息,但它失败并给出错误消息:
Semantic error
Error message
'project' operator: Failed to resolve scalar expression named 'SerialNumber'
How to resolve
Fix semantic errors in your query
必须添加“附加字段”列。
DeviceEvents
| where ActionType == "UsbDriveMounted" or ActionType == "UsbDriveUnmounted"
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, AdditionalFields
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter), SerialNumber = tostring(todynamic(AdditionalFields).SerialNumber), Manufacturer = tostring(todynamic(AdditionalFields).Manufacturer)
| sort by Timestamp desc