Compressed file KQL for endpoint

Hi,

Based on my understanding of the AlertEvidence schema for KQL, there are columns for FileName and FolderPath. However, my query returns empty FileName and FolderPath values. I am wondering whether it could be because the files detected with a virus are zip or rar files, so KQL does not return any values for FileName and FolderPath. Can someone enlighten me on this?

Thank you in advance!

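One way to check where the empty values come from, as an added diagnostic query that is not part of the original post: it runs against the Microsoft Defender XDR advanced hunting AlertEvidence table and groups file evidence rows by whether FileName and FolderPath are populated, by the file extension when a name is present, and by the detection source, while surfacing the hash and AdditionalFields that may still identify the file. The 7-day window is an assumption.

```kql
// Added diagnostic query, not from the original post. Assumes the
// Defender XDR advanced hunting AlertEvidence table; the 7-day window
// is a constructed assumption, adjust it to the alerts in question.
AlertEvidence
| where Timestamp > ago(7d)
// Only file evidence; other entity types (Process, Ip, Url, ...) never fill FileName
| where EntityType == "File"
// Flag the two columns the post found empty
| extend FileNameMissing = isempty(FileName), FolderPathMissing = isempty(FolderPath)
// Extract the extension whenever a name is present, so archive rows can be compared
// with other rows; rows with an empty FileName get an empty Extension
| extend Extension = extract(@"\.([a-z0-9]+)$", 1, tolower(FileName))
| summarize Rows = count(),
            Alerts = dcount(AlertId),
            SampleTitle = any(Title),
            SampleThreat = any(ThreatFamily),
            SampleSha1 = any(SHA1),
            SampleAdditionalFields = any(AdditionalFields)
    by FileNameMissing, FolderPathMissing, Extension, DetectionSource, EvidenceRole
| order by Rows desc
```

If the rows with FileNameMissing == true still carry a SHA1 or a populated AdditionalFields value, those fields can be used to identify the file; if the empty rows cluster under one DetectionSource or EvidenceRole, that points at how the evidence was recorded rather than at the archive format.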