This KQL query takes the RMM binaries defined in the Splunk Security Content project's lookup and matches them against Microsoft Defender for Endpoint (MDE) process telemetry (DeviceProcessEvents).
See also the original blog post here.
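// Define the regex constructor function which transforms an array of patterns into regex.
// Input: a dynamic array of file-name patterns from the CSV, where '*' is a wildcard.
// Output: one case-insensitive alternation, '((?i)p1|p2|...)', usable with `matches regex`.
// Regex metacharacters that can legitimately occur in a file name ('.', '+', '(', ...) are
// escaped: unescaped, a single such entry in the CSV would make the whole alternation
// invalid (the query fails) or over-match ('anydesk.exe' would also match 'anydesk_exe').
let regexConstructor = (arr:dynamic) {
    // 1. Join the patterns and double backslashes first, before any step inserts backslashes.
    let joined = replace_string(strcat_array(arr, '|'), @'\', @'\\');
    // 2. Escape the remaining metacharacters. '*' is left alone on purpose (it is the CSV's
    //    wildcard) and '|' is the separator added in step 1, so neither is in the class.
    let escaped = replace_regex(joined, @'([.+?()\[\]{}^$])', @'\\\1');
    // 3. Original transformations: '/' -> '\/' and wildcard '*' -> '.*'.
    let expanded = replace_string(replace_string(escaped, @'/', @'\/'), @'*', @'.*');
    // Wrap last, so the '(' '?' ')' of the group are not escaped by step 2.
    strcat('((?i)', expanded, ')')
};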
// ----------------------------------------------------------------
// Download the CSV.
// The lookup is fetched from a third-party repository at query time, so what this
// query detects follows whatever that file contains; the dated file name marks a
// snapshot that may later be superseded. Review the upstream lookups folder before
// relying on this pin.
let RMMs = externaldata(
    description:string,
    remote_domain:string,
    remote_utility:string,
    remote_utility_fileinfo:string,
    remote_appid:string,
    isutility:string,
    category:string,
    comment_reference:string,
    last_update:string
) [
    @'https://raw.githubusercontent.com/splunk/security_content/develop/lookups/remote_access_software20240726.csv'
] with (format="csv", ignoreFirstRecord=true);
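// ----------------------------------------------------------------
// Create a list of defined binaries.
// make_set() keeps at most 128 elements unless a maxSize is given; a CSV with more
// distinct utilities would otherwise be silently truncated and coverage lost, so
// the cap is raised explicitly on both sets.
// RMMBins: every non-empty remote_utility value, matched literally with has_any().
let RMMBins = RMMs
    | distinct tostring(remote_utility)
    | where isnotempty(remote_utility)
    | summarize make_set(remote_utility, 10000);
// RMMBinsFiltered: only the entries that use the '*' wildcard; these need the regex.
let RMMBinsFiltered = RMMs
    | distinct tostring(remote_utility)
    | where isnotempty(remote_utility)
    | where remote_utility contains "*"
    | summarize make_set(remote_utility, 10000);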
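// ----------------------------------------------------------------
// Create a regex pattern out of the defined binaries.
// Only the wildcard ("*") entries are compiled into the regex; the plain names are
// matched with has_any() below.
let RMMBinsRegex = regexConstructor(toscalar(RMMBinsFiltered));
// ----------------------------------------------------------------
// Start matching these binaries within your process telemetry.
// The match is on FolderPath only, so a renamed or relocated binary is not caught by
// this query; ProcessVersionInfoOriginalFileName is a candidate second column to
// match on — confirm it is populated in your tenant before adding it.
DeviceProcessEvents
| where FolderPath matches regex RMMBinsRegex or FolderPath has_any(RMMBins)
// make_set() defaults to 128 elements, so Devices would stop growing while
// NrOfDevices (an approximate dcount) keeps counting; raise the cap so the two
// columns agree for widely deployed tools.
| summarize Devices = make_set(DeviceName, 1000),
            NrOfDevices = dcount(DeviceName) by FolderPath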