syedmehdi
Copper Contributor
Jul 30, 2024

KQL Query for Defender for Endpoint to Hunt Users who download any new software.

Hello Everyone,


Could anyone help me build a KQL query with which I can hunt users who download any new software in my company environment? See below a query which I built, but this query returns all logs, including system logs; I just want to see only the logs for newly downloaded software files.

// Define the time range for the query
let startTime = ago(7d);
let endTime = now();

// Filter DeviceFileEvents for downloaded executable files (e.g., .exe, .msi)
DeviceFileEvents
| where Timestamp between (startTime .. endTime)   // apply the time range defined above
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".msi" or FileName endswith ".msix" or FileName endswith ".dmg"
// Group by device, user, file and folder only: grouping by Timestamp and ReportId
// would make every event its own group, so Count would always be 1.
// arg_max keeps the Timestamp and ReportId of the most recent event in each group.
| summarize Count = count(), FirstSeen = min(Timestamp), arg_max(Timestamp, ReportId) by DeviceId, DeviceName, InitiatingProcessAccountName, FileName, FolderPath
| project DeviceId, Timestamp, ReportId, DeviceName, User = InitiatingProcessAccountName, FileName, FolderPath, Count, FirstSeen, LastSeen = Timestamp
| order by LastSeen desc

 

No RepliesBe the first to reply

Resources