Forum Discussion

mattolan_P9
Copper Contributor
Jul 20, 2023

Defender FileCreated Events - Are they a sample subset or should it log every FileCreated Event?

I have an instance I am investigating where I suspect I am not seeing all of the file created events.

I know a user copied several folders to USB. I can see it in the Defender threat hunting query results for FileCreated events under the user's name. But I am suspicious that Defender isn't showing me a comprehensive list.

When I compare the list that Defender is showing me, it only appears to be about half of the files in the original folders.

Can anyone confirm if FileCreated in Defender threat hunting should be a comprehensive list? Or is it just a subset sample of the full events?


  • mattolan_P9
    Copper Contributor

    So I tested my theory by doing a transfer of files to USB on my own computer with a known list of files. I transferred 94 files... Defender only reports approx. 70 of them in the query results. So Defender is 100% not providing a complete list. The question now is why not?

    I did notice a trend in the files not reported. Almost as if there is some hidden setting in Defender that states it should only log the events for certain file types.

    For example:
    - All xlsx, log, evtx, jpg and mp4 files in my copy were not reported.
    - png, pdf, docx, tgz, zip, eml and csv files were reported.

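The reconciliation described in the reply (a known list of copied files checked against the FileCreated rows Defender returns), as an added example that is not from the forum post. It assumes the Advanced Hunting results were exported to CSV with the schema column names FileName and ActionType; the file list and the CSV rows below are constructed sample data, and the per-extension count is there to test the file-type pattern the reply suspects, not to confirm it.

```python
"""Reconcile a known list of copied files against Defender FileCreated results.

Added example, not from the forum thread. Assumes a DeviceFileEvents query was
exported to CSV with the columns FileName and ActionType; all data below is
constructed, not real telemetry.
"""
import csv
import io
from collections import Counter
from pathlib import PurePath

# Constructed: the files the investigator knows were copied to the USB drive.
KNOWN_COPIED = [
    "report.xlsx", "notes.docx", "scan.png", "archive.zip", "system.evtx",
    "debug.log", "photo.jpg", "clip.mp4", "backup.tgz", "mail.eml", "data.csv",
    "brief.pdf",
]

# Constructed export of a query such as:
#   DeviceFileEvents | where ActionType == "FileCreated" | project FileName, ActionType
EXPORTED_CSV = """FileName,ActionType
notes.docx,FileCreated
scan.png,FileCreated
archive.zip,FileCreated
backup.tgz,FileCreated
mail.eml,FileCreated
data.csv,FileCreated
brief.pdf,FileCreated
"""


def reported_files(csv_text):
    """Return the set of file names (lower-cased) that have a FileCreated event."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["FileName"].lower() for row in reader
            if row["ActionType"] == "FileCreated"}


def missing_files(known, reported):
    """Known files with no matching FileCreated event, sorted for stable output."""
    return sorted(f for f in known if f.lower() not in reported)


def missing_by_extension(missing):
    """Count the unreported files per extension to check for a file-type pattern."""
    return dict(Counter(PurePath(f).suffix.lower().lstrip(".") or "(none)"
                        for f in missing))


if __name__ == "__main__":
    rep = reported_files(EXPORTED_CSV)
    gap = missing_files(KNOWN_COPIED, rep)
    print(f"{len(rep)} of {len(KNOWN_COPIED)} known files reported; missing: {gap}")
    print("missing by extension:", missing_by_extension(gap))
```

On a real export, match on FolderPath as well as FileName so that same-named files in different folders are not counted as reported.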