Forum Discussion
BCSecA
May 04, 2023Copper Contributor
Find the file creation time/date in Microsoft 365 Defender Alerts for blocked software
In the portal it tells you the SHA1 hash and the path of the file(s) in question but does not indicate when the file was created. This file in particular was found during a routine scan and I would like to know when the file was created for creating a timeline for hunting.
Any assistance on this would be appreciated.
- mgrusinCopper Contributor
Thirded (or fourthed?) The malicious file creation date/time is INCREDIBLY important to determine how it got on your system, and not providing this information is a baffling decision. If anyone in authority reads this please present/provide this information to the user!
- danghoang95Copper Contributor
Click on the file you want to find timeline, click on the [...] button and select Go hunt
then change the time stamp period as you want and click Run query
- BCSecACopper ContributorThat is all well and good if you know roughly when the file was created but in a situation where something has been sitting dormant for a while it could outlive the log retention.
- DPeerCopper Contributor
I too would like an answer to this really old post. Once the file is quarantined, it seems there is no way to get file creation date to establish a timeline, which would be extremely helpful.
- jbmartin6Iron ContributorI like to say 'security vendors don't know how security works' and here is another example. it is ridiculous that a tool like this doesn't log MAC times when quarantining a file. Lots of other tools in the same space have the same failure.