MikeP751860
Jan 16, 2023, Brass Contributor
Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event
Hi, following the Friday 13th event with the Defender ASR block and removal of shortcut links: has anyone been able to use the Defender Timeline information on assets to report on the shortcut links...
MikeP751860
Jan 17, 2023, Brass Contributor
yongrheemsft, I tried the AH query, but the number of returned data records is too small.
When you exclude '| where AvSignatureVersion in (badsignatures)' from the query, in my case I see that most of the machines have an AV signature version of 1.381.2325.0.
MikeP751860
Jan 17, 2023, Brass Contributor
I think you might have missed the point. The 'shortcuts' let query is filtered to the timestamp range (2023-01-13 to 2023-01-14), so how can you have a signature of 1.381.2325.0, which was released on 1/17/2023 11:11:14 AM?
yongrheemsft
Jan 17, 2023, Microsoft
'//| where Timestamp >= datetime(2023-01-13) and Timestamp < datetime(2023-01-14)' is commented out, since it starts with //.