Mar 16 2022 02:31 AM - last edited on Sep 06 2022 09:39 AM by Trevor_Rusher
Hi Team,
Is there a way to find information about a file's origin through advanced hunting queries if the file was deployed on an endpoint 2 years ago and hasn't been modified since?
Regards
Raj
Mar 16 2022 06:32 AM
Hi @raj871280,
The DeviceFileEvents table contains Timestamp, which records the date and time when the event was recorded. Additionally, the ActionType column tells us whether the event was FileCreated, FileDeleted, FileModified or FileRenamed. (More here https://docs.microsoft.com/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?v...)
Based on that understanding, we can do the following steps:
1. Query DeviceFileEvents grouped by FileName and Timestamp => an unmodified file will only have 1 record.
2. Filter the records having only 1 count.
A typical query would look like this (please test):
DeviceFileEvents
// one row per file name, origin URL and event time
| summarize totalTransaction=count() by FileName, FileOriginUrl, Timestamp
// KQL comparison is ==, not =
| where totalTransaction == 1
Cheers,
Riwut
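One way to turn that approach into a query that actually returns the origin columns, as an added example rather than Riwut's own query: it takes the file's path instead of grouping on every Timestamp, pulls the origin fields from the FileCreated event, and drops any path that has a later FileModified, FileRenamed or FileDeleted event on the same device. Column names follow the documented DeviceFileEvents schema; the folder and file name are constructed placeholders. One caveat for the original question: advanced hunting only holds 30 days of raw events, so the creation event of a file deployed two years ago and untouched since will have aged out of the data this query can see.

```kql
// Added example (not part of the original thread). Assumes the documented
// DeviceFileEvents columns; the folder and file name are constructed placeholders.
let TargetFolder = @"C:\ProgramData\ExampleApp";   // placeholder
let TargetFile   = "example.exe";                  // placeholder
let LookBack     = 30d;   // advanced hunting retains 30 days of raw events
// 1. The FileCreated event is the one that carries the origin columns.
let Created = DeviceFileEvents
    | where Timestamp > ago(LookBack)
    | where ActionType == "FileCreated"
    | where FolderPath startswith TargetFolder and FileName =~ TargetFile
    | project DeviceName, FolderPath, FileName, SHA1, SHA256,
              CreatedAt = Timestamp,
              FileOriginUrl, FileOriginReferrerUrl, FileOriginIP,
              InitiatingProcessFileName, InitiatingProcessCommandLine;
// 2. Any later change to the same path on the same device.
let Changed = DeviceFileEvents
    | where Timestamp > ago(LookBack)
    | where ActionType in ("FileModified", "FileRenamed", "FileDeleted")
    | where FolderPath startswith TargetFolder and FileName =~ TargetFile
    | summarize LastChange = max(Timestamp), Changes = count()
      by DeviceName, FolderPath, FileName;
// 3. Keep creation events with no later change recorded for that path.
Created
| join kind=leftouter Changed on DeviceName, FolderPath, FileName
| extend Unmodified = isnull(LastChange) or LastChange <= CreatedAt
| where Unmodified
| project DeviceName, FolderPath, FileName, CreatedAt, SHA1,
          FileOriginUrl, FileOriginReferrerUrl, FileOriginIP,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by CreatedAt asc
```

The path filter uses startswith on FolderPath so it works whether that column holds only the directory or the full path, and the leftouter join keeps files that never produced a change event; a rename after creation is treated as a change, so a renamed file drops out rather than being reported as untouched.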