mattolan_P9
Jul 20, 2023 (Copper Contributor)
Defender FileCreated Events - Are they a sample subset or should it log every FileCreated Event?
I have an instance I am investigating where I suspect I am not seeing all of the file created events. I know a user copied several folders to USB. I can see it in the defender threat hunting query r...
mattolan_P9
Jul 21, 2023 (Copper Contributor)
So I tested my theory by doing a transfer of files to USB on my own computer with a known list of files. I transferred 94 files... Defender only reports approx. 70 of them in the query results, so Defender is 100% not providing a complete list. The question now is why not?
I did notice a trend in the files not reported. Almost as if there is some hidden setting in Defender that states it should only log the events for certain file types.
For example:
- All xlsx, log, evtx, jpg and mp4 files in my copy were not reported.
- png, pdf, docx, tgz, zip, eml and csv files were reported.
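
The comparison described in the post above can be scripted so the gap is measured per file extension. This is an added example, not part of the original post: the manifest and the CSV export are constructed sample data, and it assumes the hunting results were exported with `ActionType` and `FileName` columns and that file names in the test set are unique.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the known list of files copied to the USB drive.
MANIFEST = ["report.xlsx", "app.log", "system.evtx", "photo.jpg", "clip.mp4",
            "diagram.png", "invoice.pdf", "notes.docx", "backup.tgz",
            "archive.zip", "message.eml", "data.csv"]

# Constructed sample: CSV export of the hunting query results.
EXPORT_CSV = """Timestamp,ActionType,FileName
2023-07-21T10:00:01Z,FileCreated,diagram.png
2023-07-21T10:00:01Z,FileCreated,Invoice.PDF
2023-07-21T10:00:02Z,FileCreated,notes.docx
2023-07-21T10:00:02Z,FileCreated,backup.tgz
2023-07-21T10:00:03Z,FileCreated,archive.zip
2023-07-21T10:00:03Z,FileCreated,message.eml
2023-07-21T10:00:04Z,FileCreated,data.csv
"""

def ext_of(name):
    """Lower-cased extension without the dot, or '(none)'."""
    return PureWindowsPath(name).suffix.lower().lstrip(".") or "(none)"

def reconcile(manifest, export_csv):
    """Per extension: files copied, files with a FileCreated row, files missing."""
    rows = csv.DictReader(io.StringIO(export_csv))
    # Windows file names are case-insensitive, so compare lower-cased.
    logged = {r["FileName"].lower() for r in rows
              if r["ActionType"] == "FileCreated"}
    stats = defaultdict(lambda: {"copied": 0, "logged": 0, "missing": []})
    for name in manifest:
        entry = stats[ext_of(name)]
        entry["copied"] += 1
        if name.lower() in logged:
            entry["logged"] += 1
        else:
            entry["missing"].append(name)
    return dict(stats)

def never_logged(stats):
    """Extensions for which no copied file produced an event."""
    return sorted(e for e, s in stats.items() if s["logged"] == 0)

if __name__ == "__main__":
    result = reconcile(MANIFEST, EXPORT_CSV)
    for ext, s in sorted(result.items()):
        print(f"{ext:6} copied={s['copied']} logged={s['logged']} missing={s['missing']}")
    print("never logged:", never_logged(result))
```

An extension that is partly logged and partly missing points away from a pure file-type rule, which is why the per-extension counts are kept rather than only a list of missing files.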