DeviceFileCertificateInfo table


Hi All
I want to play around with file reputation under MDATP Advanced Hunting. The only place where I can find file information like this seems to be the DeviceFileCertificateInfo table (where I can find the IsSigned and IsTrusted properties). So far it's not that bad, but the issue I have is that this table uses data obtained from certificate verification activities regularly performed on files on endpoints, and doesn't seem to receive all the validation done each time.
Ex.: I execute an exe file from PowerShell but didn't see the executed file's hash in the DeviceFileCertificateInfo table. Is that normal? Is there another place where I should find that information?

Thanks in advance

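One way to measure the gap the question describes, written as an added example (not code from the poster): it joins PowerShell-launched executions in DeviceProcessEvents to the most recent DeviceFileCertificateInfo record per SHA1, so files that were run but never had a certificate verification recorded show up explicitly alongside the signed/trusted status of those that did. The 7-day window and the PowerShell parent-process filter are assumptions.

```kusto
// Added example, not part of the original post.
// Assumed lookback window and parent-process filter; adjust to taste.
let lookback = 7d;
// Executables launched from PowerShell, collapsed to one row per device + hash.
let executed =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "powershell.exe"
    | where isnotempty(SHA1)
    | summarize LastRun = max(Timestamp), Runs = count()
        by DeviceName, SHA1, FileName, FolderPath;
// Latest certificate verification result recorded for each hash.
let certInfo =
    DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer, Issuer) by SHA1;
executed
| join kind=leftouter certInfo on SHA1
// SHA1_1 is the right-hand join key; empty means no certificate record at all.
| extend CertInfoStatus = case(
      isempty(SHA1_1), "no certificate verification recorded",
      IsSigned == true and IsTrusted == true, "signed and trusted",
      IsSigned == true and IsTrusted == false, "signed but untrusted",
      "unsigned")
| project LastRun, Runs, DeviceName, FileName, FolderPath, SHA1,
          CertInfoStatus, Signer, Issuer
| order by CertInfoStatus asc, Runs desc
```

Rows with "no certificate verification recorded" are the case in the question: the file ran, but the verification-driven table has no entry for that hash in the window.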