Microsoft Tech Community
SOLVED

How to find File Origin Info through M365 Defender

Copper Contributor

Hi Team,

Is there a way one can find information about file origin through advanced hunting queries if the file was deployed on an endpoint 2 years back and hasn't been modified since then?

Regards

Raj

1 Reply
best response confirmed by raj871280 (Copper Contributor)
Solution

Hi @raj871280,

The DeviceFileEvents table contains Timestamp, which records the date and time when the event was recorded. Additionally, the ActionType will provide us information based on FileCreated, FileDeleted, FileModified or FileRenamed. (More here https://docs.microsoft.com/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?v...)

Based on that understanding, we can do the following steps:
1. Query DeviceFileEvents grouped by FileName, Timestamp => an unmodified file will only have 1 record.
2. Filter the records having only 1 count.

A typical query would look like this (please test):

DeviceFileEvents
| summarize totalTransaction=count() by FileName, FileOriginUrl, Timestamp
| where totalTransaction == 1

Cheers,

Riwut
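As an added example (not part of the original thread or the answerer's query), the following advanced hunting query pulls the origin fields from the earliest recorded event for one file hash and counts any later modification or rename, so a file that was created once and never touched again shows up with Modifications == 0. The hash value is a placeholder; the column names are the standard DeviceFileEvents schema columns.

```kql
// Added example, not from the original thread. <SHA256_OF_FILE> is a placeholder;
// replace it with the SHA256 of the file you are investigating.
let targetHash = "<SHA256_OF_FILE>";
DeviceFileEvents
| where SHA256 == targetHash
| summarize
    // origin fields are taken from the earliest event for this file on this device
    arg_min(Timestamp, ActionType, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP,
            InitiatingProcessFileName, InitiatingProcessCommandLine),
    Events = count(),
    Modifications = countif(ActionType in ("FileModified", "FileRenamed")),
    LastSeen = max(Timestamp)
    by DeviceName, SHA256, FileName, FolderPath
// keep only files with no recorded modification or rename after the first event
| where Modifications == 0
| project DeviceName, FileName, FolderPath, FirstSeen = Timestamp, LastSeen, Events,
          FirstAction = ActionType, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by FirstSeen asc
```

Note that advanced hunting retains DeviceFileEvents for 30 days, so for a file deployed two years ago the FileCreated event (which is the one that carries the FileOriginUrl and FileOriginReferrerUrl values) will no longer be queryable, and the query above returns no rows for it.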
