How to check whether GoToMeeting, Zoom or Webex have been used to make any calls, so you can remove them if needed (via Defender Advanced Hunting KQL logs)

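// Hunt for Zoom and Webex meeting activity in DeviceProcessEvents over a lookback window.
// Output: one row per App / DeviceName / EffectiveUser / local hour, with the first and last
// time seen in that hour, the number of matching process events, and up to 10 process names.
// NOTE(review): the page title mentions GoToMeeting, but no GoToMeeting process is matched
// below — add its binaries to the `where` filter (e.g. FN in ("<gotomeeting-exe-placeholder>"))
// before using this result to decide whether that product can be removed.
let Lookback = 30d;                  // how far back to hunt; was hard-coded as ago(30d)
let LocalTz = "Australia/Melbourne"; // IANA zone used to render local time
DeviceProcessEvents
| where Timestamp > ago(Lookback)
| extend
    FN = tolower(FileName),
    Cmd = tolower(ProcessCommandLine),
    ParentFN = tolower(InitiatingProcessFileName),
    ParentCmd = tolower(InitiatingProcessCommandLine),
    // Was `Timestamp + 11h`. A fixed +11h offset is only correct during daylight time
    // (AEDT, UTC+11) and is one hour off for the rest of the year (AEST, UTC+10);
    // datetime_utc_to_local() applies the zone's DST rules. Column name kept for output compatibility.
    MelbourneTime = datetime_utc_to_local(Timestamp, LocalTz)
| where
    // Zoom: cpthost.exe / aomhost64.exe started by zoom.exe with an explicit join action.
    // Reconnects and preloads are excluded so one meeting is not counted several times.
    (FN in ("cpthost.exe","aomhost64.exe")
        and ParentFN == "zoom.exe"
        and ParentCmd has "--action=join"
        and not(ParentCmd has "--action=reconnect")
        and not(ParentCmd has "--action=preload"))
    // Zoom: zoom.exe launched through a zoommtg:// link that contains "join".
    or (FN == "zoom.exe"
        and Cmd has "zoommtg://"
        and Cmd has "join"
        and not(Cmd has "--action=reconnect")
        and not(Cmd has "--action=preload"))
    // Webex: any execution of wmlhost.exe (no command-line filtering applied).
    or (FN == "wmlhost.exe")
| extend
    // Everything that passes the filter above and is not wmlhost.exe is a Zoom match.
    App = case(
        FN == "wmlhost.exe", "Webex",
        "Zoom"
    )
| extend
    // Processes running as SYSTEM are attributed to the parent's account when one is recorded,
    // so the row reflects the interactive user rather than the service context.
    EffectiveUser = iff(
        AccountName =~ "system" and isnotempty(InitiatingProcessAccountName),
        InitiatingProcessAccountName,
        AccountName
    )
| summarize
    FirstSeen = min(MelbourneTime),
    LastSeen = max(MelbourneTime),
    EventCount = count(),
    ProcessesSeen = make_set(FileName, 10)
    // Grouping by a 1h bin means a meeting spanning several hours produces several rows;
    // drop bin(MelbourneTime, 1h) from the key if one row per user/device/app is wanted.
    by App, DeviceName, EffectiveUser, bin(MelbourneTime, 1h)
| order by FirstSeen desc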