Forum Discussion
syedmehdi
Jul 30, 2024Copper Contributor
KQL Query for Defender for Endpoint to Hunt Users who download any new software.
Hello Everyone,
Anyone could help me to build a KQL query in which I can hunt users who download any new software in my company environment. see below is a query which i build but this query results me all logs including system logs, I just want to see only new downloaded files software logs.
"
// Define the time range for the query
let startTime = ago(7d);
let endTime = now();
// Filter DeviceFileEvents for downloaded executable files (e.g., .exe, .msi)
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".msi" or FileName endswith ".msix" or FileName endswith ".dmg"
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceId, Timestamp, ReportId, DeviceName, InitiatingProcessAccountName, FileName, FolderPath
| project DeviceId, Timestamp = LastSeen, ReportId, DeviceName, User = InitiatingProcessAccountName, FileName, FolderPath, Count, FirstSeen, LastSeen
| order by LastSeen desc"
No RepliesBe the first to reply