Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Defender FileCreated Events - Are they a sample subset or should it log every FileCreated Event?

Copper Contributor

I have an instance I am investigating where I suspect I am not seeing all of the file created events.

I know a user copied several folders to USB. I can see it in the defender threat hunting query results for FileCreated events under the users name.  But I am suspicious that defender isn't showing me a comprehensive list.   

When I compare the list that Defender is showing me it only appears to be ab half of the files in the original folders.

Can anyone confirm if FileCreated in defender threat hunting should be a comprehensive list? or is it just a subset sample of the full events?

 

1 Reply

So I tested my Theory by doing a transfer of files to USB on my own computer with a known list of files. I transferred 94 files... Defender only reports approx. 70 of them in the query results. so Defender is 100% not providing a complete list. The question now is why not?

I did notice a trend in the files not reported. Almost as if there is some hidden setting in Defender that states it should only log the events for certain file types.

For example
- All xlsx, log, evtx, jpg and mp4 files in my copy where not reported.
- png, pdf, docx, tgz, zip, eml and csv files where reported