BCSecA
Copper Contributor
May 04, 2023

Find the file creation time/date in Microsoft 365 Defender Alerts for blocked software

In the portal it tells you the SHA1 hash and the path of the file(s) in question but does not indicate when the file was created. This file in particular was found during a routine scan and I would like to know when the file was created for creating a timeline for hunting. 

Any assistance on this would be appreciated.

  • mgrusin
    Copper Contributor

    Thirded (or fourthed?) The malicious file creation date/time is INCREDIBLY important to determine how it got on your system, and not providing this information is a baffling decision. If anyone in authority reads this please present/provide this information to the user!

  • danghoang95
    Copper Contributor

    Click on the file you want to find the timeline for, click on the [...] button and select Go hunt,

    then change the time stamp period as you want and click Run query.

    • BCSecA
      Copper Contributor
      That is all well and good if you know roughly when the file was created, but in a situation where something has been sitting dormant for a while, it could outlive the log retention.
  • DPeer
    Copper Contributor

    I too would like an answer to this really old post. Once the file is quarantined, it seems there is no way to get the file creation date to establish a timeline, which would be extremely helpful.

    • jbmartin6
      Iron Contributor
      I like to say 'security vendors don't know how security works' and here is another example. It is ridiculous that a tool like this doesn't log MAC times when quarantining a file. Lots of other tools in the same space have the same failure.
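
The "Go hunt" approach suggested in the thread, written out as an advanced hunting query that returns the earliest recorded write of the file per device and path. This is an added example, not posted by anyone in the thread; the SHA1 value is a placeholder and the 30-day lookback is an assumption to adjust to your tenant's retention.

```kusto
// Placeholder: paste the SHA1 shown on the alert's file page.
let targetSha1 = "<SHA1-from-alert>";
// Assumed lookback; set it to the full retention window available to you.
let lookback = 30d;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA1 =~ targetSha1
| where ActionType in ("FileCreated", "FileRenamed", "FileModified")
// Earliest event per device and folder = first time the sensor recorded
// the file being written there, plus the process and account that wrote it.
| summarize arg_min(Timestamp,
                    ActionType,
                    FileName,
                    FileOriginUrl,
                    InitiatingProcessFileName,
                    InitiatingProcessCommandLine,
                    InitiatingProcessAccountName)
    by DeviceName, FolderPath
| project-rename FirstSeen = Timestamp
| order by FirstSeen asc
```

FirstSeen is the time the sensor logged the event, not the file system's creation timestamp. If the query returns no rows, or the earliest row is not a FileCreated event, the file was likely written before the lookback window, which is the retention gap raised in the reply above.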
