by Gravwell
This week's Query of the Week uses Sysmon logs to see when applications access the microphone, then displays a table summarizing total capture time and number of accesses per computer.
tag=sysmon winlog Provider=="Microsoft-Windows-Sysmon" EventID==13 TargetObject RuleName~"Audio Capture" Computer TimeCreated Details
| sort by time asc
| regex -e Details "\((?P<qword>.+)\)" qword != "0x00000000-0x00000000"
| regex -e TargetObject "#(?P<appname>[^#]+)\\LastUsedTime(?P<mic_action>\S+)"
| diff TIMESTAMP by Computer appname
| eval mic_action=="Stop"
| stats count as Count sum(diff) as TotalTime by Computer appname
| table Computer TotalTime Count
Example table that could result from the query:
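The Gravwell query above can be hard to follow without seeing the data it works on, so here is the same pipeline written out in plain Python as an added example (it is not Gravwell's code and is not part of the original post). It runs over a handful of constructed Sysmon Event ID 13 records: the hostnames, SID, program paths, timestamps and QWORD values are all made up, but the field names and the shape of the TargetObject and Details strings follow what the query's regexes expect. Each stage is labelled with the query operator it mirrors, from the RuleName filter through the zero-QWORD drop, the Start/Stop extraction, the per-computer-and-app time diff, and the final count and sum on Stop events.

```python
import re
from datetime import datetime

# The two regexes are copied from the `regex -e` stages of the query.
QWORD_RE = re.compile(r"\((?P<qword>.+)\)")
TARGET_RE = re.compile(r"#(?P<appname>[^#]+)\\LastUsedTime(?P<mic_action>\S+)")
ZERO_QWORD = "0x00000000-0x00000000"

# Constructed consent-store key prefix (the SID is made up). Windows records
# microphone use as LastUsedTimeStart / LastUsedTimeStop QWORD values beneath it.
CONSENT_KEY = (r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows"
               r"\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged")


def rec(computer, ts, app_path, action, qword):
    """Build one constructed event carrying the fields the query selects."""
    return {
        "Computer": computer,
        "TimeCreated": ts,
        "EventID": 13,
        "RuleName": "Audio Capture",
        "TargetObject": CONSENT_KEY + "\\" + app_path + "\\LastUsedTime" + action,
        "Details": "QWORD (" + qword + ")",
    }


# Constructed sample records, deliberately out of time order so the sort matters.
SAMPLE_EVENTS = [
    rec("ws01", "2024-01-10T09:15:00", "C:#Program Files#Zoom#bin#Zoom.exe", "Stop", "0x01da43a1-0x6b1f0c80"),
    rec("ws01", "2024-01-10T09:00:00", "C:#Program Files#Zoom#bin#Zoom.exe", "Start", "0x01da43a1-0x5e2f3c40"),
    rec("ws02", "2024-01-10T11:00:00", "C:#Program Files#Teams#Teams.exe", "Start", "0x01da43b2-0x1a0d9e00"),
    # Windows writes a zero Stop value when a session starts; the query drops it.
    rec("ws02", "2024-01-10T11:00:00", "C:#Program Files#Teams#Teams.exe", "Stop", ZERO_QWORD),
    rec("ws01", "2024-01-10T10:05:00", "C:#Program Files#Zoom#bin#Zoom.exe", "Stop", "0x01da43a1-0x9c4a2200"),
    rec("ws01", "2024-01-10T10:00:00", "C:#Program Files#Zoom#bin#Zoom.exe", "Start", "0x01da43a1-0x8f1b7a00"),
    rec("ws02", "2024-01-10T11:30:00", "C:#Program Files#Teams#Teams.exe", "Stop", "0x01da43b2-0x4d7c3300"),
]


def parse_event(ev):
    """Apply the query's filters and extractions to one event; None means it is dropped."""
    # EventID==13 RuleName~"Audio Capture"
    if ev.get("EventID") != 13 or "Audio Capture" not in ev.get("RuleName", ""):
        return None
    # regex -e Details ... qword != "0x00000000-0x00000000"
    q = QWORD_RE.search(ev["Details"])
    if not q or q.group("qword") == ZERO_QWORD:
        return None
    # regex -e TargetObject "#(?P<appname>[^#]+)\\LastUsedTime(?P<mic_action>\S+)"
    t = TARGET_RE.search(ev["TargetObject"])
    if not t:
        return None
    return {
        "Computer": ev["Computer"],
        "time": datetime.fromisoformat(ev["TimeCreated"]),
        "appname": t.group("appname"),
        "mic_action": t.group("mic_action"),
    }


def summarize_mic_usage(events):
    """Return {(Computer, appname): {"Count": n, "TotalTime": seconds}} like the query's stats stage."""
    parsed = [p for p in (parse_event(e) for e in events) if p]
    parsed.sort(key=lambda p: p["time"])  # sort by time asc
    last_seen = {}  # diff TIMESTAMP by Computer appname: previous event time per group
    summary = {}
    for p in parsed:
        key = (p["Computer"], p["appname"])
        prev = last_seen.get(key)
        diff = (p["time"] - prev).total_seconds() if prev else 0.0
        last_seen[key] = p["time"]
        # eval mic_action=="Stop": only Stop rows survive, so diff is Stop minus the
        # preceding Start. Caveat: an orphaned Stop (its Start predates collection)
        # would instead measure from the previous Stop in that group.
        if p["mic_action"] != "Stop":
            continue
        entry = summary.setdefault(key, {"Count": 0, "TotalTime": 0.0})
        entry["Count"] += 1  # stats count as Count
        entry["TotalTime"] += diff  # sum(diff) as TotalTime
    return summary


if __name__ == "__main__":
    # table Computer TotalTime Count (appname kept here so the rows are distinguishable)
    for (computer, app), row in sorted(summarize_mic_usage(SAMPLE_EVENTS).items()):
        print(f"{computer:<6} {app:<10} TotalTime={row['TotalTime']:>7.0f}s Count={row['Count']}")
```

Running it prints one row per computer and application: ws01 shows two Zoom sessions totalling 1200 seconds, and ws02 shows a single 1800-second Teams session, because the zero-QWORD Stop record was discarded before the diff was taken. Had that record not been filtered, ws02 would have reported two sessions, which is why the `qword != "0x00000000-0x00000000"` test in the query matters.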
Visit gravwell.io/query to view an archive of our previous Query of the Week posts.