Forum Discussion
Why is there no signature status for the new process in the DeviceProcessEvents table?
Thank you.
When I tried to match the data, I stumbled upon a problem: the binaries for InitiatingProcess (the parent) are reported with a Signature Status of "Unsigned", yet when matched by file path and SHA1 to DeviceFileCertificateInfo they seem to be properly signed... Maybe my KQL logic is wrong.
Please post your solution.
DeviceProcessEvents
| where InitiatingProcessSignatureStatus == "Unsigned"
| summarize by ParentFile=tolower(InitiatingProcessFolderPath), InitiatingProcessSignatureStatus, InitiatingProcessSignerType, InitiatingProcessSHA1
| join DeviceFileCertificateInfo on $left.InitiatingProcessSHA1 == $right.SHA1
| project Filename=ParentFile, IsReportedSigned=InitiatingProcessSignatureStatus, SHA1, IsSigned, Signer
Give this a try:

DeviceProcessEvents
| where InitiatingProcessSignatureStatus == "Unsigned"
| project
    ParentFile = tolower(InitiatingProcessFolderPath),
    InitiatingProcessSignatureStatus,
    InitiatingProcessSignerType,
    InitiatingProcessSHA1
| join kind=leftouter (
    DeviceFileCertificateInfo
    | project SHA1, IsSigned, IsTrusted, Signer, SignatureType
) on $left.InitiatingProcessSHA1 == $right.SHA1
| project
    Filename = ParentFile,
    ReportedByKernel = InitiatingProcessSignatureStatus,
    SignerType = InitiatingProcessSignerType,
    IsSigned,
    IsTrusted,
    Signer,
    SignatureType

Your original query used a plain join without specifying the join kind. In KQL, the default is innerunique, which drops all rows from the left side that have no match in DeviceFileCertificateInfo. That means any process with no certificate verification record gets silently discarded - exactly the binaries you want to investigate. Changing to kind=leftouter keeps all rows and only enriches those where a cert record exists.
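To make the innerunique-versus-leftouter point concrete without touching live telemetry, here is an added, self-contained KQL example (not from the thread's participants) built on two datatable() stand-ins for DeviceProcessEvents and DeviceFileCertificateInfo. The file paths, hashes and signer values are constructed placeholders; the column names mirror the real tables. The third process deliberately has no certificate record: an innerunique join would drop it, while the leftouter join below keeps it and labels it for review.

```kql
// Constructed stand-in for the Unsigned rows of DeviceProcessEvents (placeholder hashes).
let Procs = datatable(
    InitiatingProcessFolderPath:string,
    InitiatingProcessSignatureStatus:string,
    InitiatingProcessSignerType:string,
    InitiatingProcessSHA1:string)
[
    @"C:\Windows\System32\svchost.exe",   "Unsigned", "Unknown", "sha1-placeholder-01",
    @"C:\Users\Public\tool.exe",          "Unsigned", "Unknown", "sha1-placeholder-02",
    @"C:\Program Files\Vendor\agent.exe", "Unsigned", "Unknown", "sha1-placeholder-03"
];
// Constructed stand-in for DeviceFileCertificateInfo; placeholder-03 has no record on purpose.
let Certs = datatable(SHA1:string, IsSigned:bool, IsTrusted:bool, Signer:string, SignatureType:string)
[
    "sha1-placeholder-01", true,  true,  "Microsoft Windows", "Catalog",
    "sha1-placeholder-02", false, false, "",                  ""
];
Procs
// kind=leftouter keeps every process row; unmatched rows get empty right-side columns.
// With the default innerunique kind the placeholder-03 row would vanish from the output.
| join kind=leftouter Certs on $left.InitiatingProcessSHA1 == $right.SHA1
| extend Finding = case(
    isempty(SHA1),           "No certificate record: kept by leftouter, needs review",
    IsSigned and IsTrusted,  "Reported Unsigned at process start but cert record is signed and trusted",
    "Unsigned with no trusted certificate")
| project
    Filename         = tolower(InitiatingProcessFolderPath),
    ReportedByKernel = InitiatingProcessSignatureStatus,
    SignerType       = InitiatingProcessSignerType,
    IsSigned, IsTrusted, Signer, SignatureType,
    Finding
```

Paste the block into the Advanced Hunting or Kusto query editor as-is; it needs no table access. To adapt it to real data, replace the two let statements with the live tables. One practical caveat when doing so: DeviceFileCertificateInfo carries one row per observation of a file, so a single SHA1 can match many rows and inflate the join; reducing the right side first with `| summarize arg_max(Timestamp, *) by SHA1` keeps one certificate record per hash.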