Forum Discussion
Can Defender for Endppoint alert on the download of any executable from the Internet?
Looking to if this is even possible from Defender for Endpoint alert on the download of any executable from the Internet?
Thanks in advance
1 Reply
1. DeviceFileEvents Table
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
2. Create Custom Alert
example query
DeviceFileEvents| where ingestion_time() > ago(7d)| where ActionType == "FileCreated"->
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#create-a-custom-detection-rule
