Forum Discussion
raj871280
Mar 16, 2022, Copper Contributor
How to find File Origin Info through M365 Defender
Hi Team,
Is there a way one can find information about a file's origin through advanced hunting queries if the file was deployed on an endpoint 2 years ago and hasn't been modified since then?
Regards
Raj
Hi raj871280,
The DeviceFileEvents table contains Timestamp, which records the date and time when the event was recorded. Additionally, the ActionType will provide us information based on FileCreated, FileDeleted, FileModified or FileRenamed. (More here https://docs.microsoft.com/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide&WT.mc_id=M365-MVP-4024516)
Based on that understanding, we can do the following steps:
1. Query DeviceFileEvents grouped by FileName, Timestamp => an unmodified file will only have 1 record.
2. Filter the records having only 1 count. A typical query would look like this (please test):
DeviceFileEvents | summarize totalTransaction=count() by FileName, FileOriginUrl, Timestamp | where totalTransaction == 1
Cheers,
Riwut
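As an added example (not part of the reply above, and not Microsoft's own query), the following advanced hunting query pulls the origin fields for one file across its whole event history instead of grouping per timestamp: it collapses every DeviceFileEvents row for a given hash into one summary per device and path, keeps the FileOriginUrl / FileOriginReferrerUrl values that were recorded at creation time, and flags the file as unmodified when the only recorded action is FileCreated. The SHA1 value is a placeholder you replace with the hash you are investigating; the column names are those of the documented DeviceFileEvents schema.

```kusto
// Added example: hunt for the origin of a specific file in Microsoft 365 Defender.
// Assumptions: the documented DeviceFileEvents schema; "FILE_SHA1_PLACEHOLDER" stands
// in for the real SHA1 of the file under investigation.
let lookback = 30d;                        // advanced hunting retains at most 30 days of events
let target_sha1 = "FILE_SHA1_PLACEHOLDER"; // assumed: hash of the file you are tracing
DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA1 == target_sha1
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    EventCount  = count(),
    Actions     = make_set(ActionType),
    OriginUrls  = make_set(FileOriginUrl),            // where the file was downloaded from, if known
    ReferrerUrls = make_set(FileOriginReferrerUrl),   // page that linked to the download, if known
    Writers     = make_set(InitiatingProcessFileName) // processes that created/changed the file
    by DeviceName, FolderPath, FileName
// A file that was written once and never touched again has exactly one event, a FileCreated.
| extend UnmodifiedSinceCreate = (EventCount == 1 and set_has_element(Actions, "FileCreated"))
| project DeviceName, FolderPath, FileName, FirstSeen, LastSeen, EventCount,
          UnmodifiedSinceCreate, Actions, OriginUrls, ReferrerUrls, Writers
| order by FirstSeen asc
```

Two caveats for a file deployed two years ago: advanced hunting only holds the last 30 days of telemetry, so the FileCreated event that carried the origin URL will not be in DeviceFileEvents at all, and the query above will return nothing unless the file has been re-created in the retention window. If the file still exists on disk and came from a browser download, the same origin information may survive in its Zone.Identifier alternate data stream (the mark-of-the-web HostUrl/ReferrerUrl values), which you can read on the endpoint through live response or PowerShell's Get-Content -Stream Zone.Identifier.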