Query Details

Detection Response By Tracing File Lineage

Query

**Detection Response by tracing File Lineage**

**Description:** This query groups all files by their originating file—such as a ZIP archive or from a Website—and includes all the files that were extracted from it.
Correlating file events on the **InitiatingProcessUniqueId** field gives the following benefits:

- Provides full visibility into all files related to a single action (e.g., ZIP extraction).
- Helps detect hidden or secondary malicious files that may not trigger alerts.
- Traces the origin of files—whether downloaded or extracted from another source.
- Strengthens root cause analysis and incident investigation.
- Enhances detection of multi-stage payloads or complex delivery methods.
- Reduces the risk of overlooking related threats during response.
- Builds context around suspicious activity for better decision-making.
- Improves threat hunting efficiency by revealing attack chains clearly.

```kql
DeviceFileEvents
// Last path segment of the referrer: the archive or download the files came from
| extend FileOriginReferrerUrl_ext = extract(@"[^\\]+$", 0, FileOriginReferrerUrl)
| where isnotempty(FileOriginReferrerUrl)
// Correlate with events of the same initiating process instance
| join kind=inner (DeviceEvents) on $left.InitiatingProcessUniqueId == $right.InitiatingProcessUniqueId
| extend FileExtension = extract(@"\.([a-zA-Z0-9]+)$", 1, FileName)
| extend Source_Type = case(FileOriginReferrerUrl startswith "https://", "🌎 Web", "📂 File")
// SHA2561 is the DeviceEvents copy of SHA256 after the join
| summarize total_Files = dcount(FileName), Files_after_execution = strcat("🗂️ ", make_set(FileName)),
    make_set(FileExtension), make_set(ActionType), make_set(FolderPath), SHA256_Group = make_set(SHA2561)
    by InitiatingProcessUniqueId, AccountUpn = strcat("👩🏻💻🧑🏾💻", InitiatingProcessAccountUpn),
       Device = strcat("💻 ", DeviceName), FileOriginReferrerUrl, Source_Type,
       OriginalFile = strcat("🚩 ", FileOriginReferrerUrl_ext)
```

Explanation

This query is designed to track the lineage of files on a device by grouping them based on their originating source, such as a ZIP archive or a website. Here's a simplified breakdown of what the query does:

  1. File Grouping by Origin: The query organizes files based on their source, like a ZIP file or a website, and includes all files extracted from these sources.

  2. Visibility and Detection: By correlating file events using the InitiatingProcessUniqueId, the query provides comprehensive visibility into all files associated with a single action (e.g., extracting a ZIP file). This helps in detecting hidden or secondary malicious files that might not trigger immediate alerts.

  3. Tracing File Origins: It traces where files came from, whether they were downloaded from the internet or extracted from another file, aiding in root cause analysis and incident investigation.

  4. Enhanced Threat Detection: The query improves the detection of complex threats, such as multi-stage payloads, by revealing the entire attack chain. This reduces the risk of missing related threats during a response.

  5. Context Building: By building context around suspicious activities, it aids in better decision-making and improves threat hunting efficiency.

  6. Query Mechanics:

    • It extracts the last path segment of the file origin referrer URL (the originating archive or download) and keeps only rows where that URL is not empty.
    • Joins file events with device events using the InitiatingProcessUniqueId, so only events from the same process instance are correlated.
    • Extracts file extensions and labels the source type (web when the referrer starts with https://, file otherwise).
    • Summarizes per initiating process: counts unique file names, lists the files written, and collects the file extensions, action types, folder paths, and SHA256 hashes as sets.
    • Presents that summary alongside the account involved, device name, file origin URL, source type, and originating file.

In essence, this query helps security analysts trace and analyze the origin and impact of files on a device, enhancing their ability to detect and respond to potential threats.
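As an added example (not part of the original query or the author's post), the following variant keeps the grouping on InitiatingProcessUniqueId but turns the lineage view into a triage filter: it drops the DeviceEvents join so counts reflect file events only, and surfaces origins whose extracted or downloaded set contains executable or script types. The extension list, the 7-day window and the Advanced Hunting column names (Timestamp, SHA256) are assumptions to adjust for your tenant.

```kql
// Added example, not from the original post: lineage grouping reused as a triage filter.
// Assumptions: Advanced Hunting column names (Timestamp, SHA256), a 7-day window,
// and the extension list below; tune both to your environment.
let RiskyExtensions = dynamic(["exe", "dll", "scr", "lnk", "js", "jse", "vbs", "vbe", "hta", "ps1", "bat", "cmd", "msi"]);
DeviceFileEvents
| where Timestamp > ago(7d)
| where isnotempty(FileOriginReferrerUrl)
| where ActionType in ("FileCreated", "FileRenamed")
| extend FileExtension = tolower(extract(@"\.([a-zA-Z0-9]+)$", 1, FileName))
// Match the last segment after either a backslash (local archive) or a slash (URL)
| extend OriginalFile = extract(@"[^\\/]+$", 0, FileOriginReferrerUrl)
| extend Source_Type = iff(FileOriginReferrerUrl startswith "http", "Web", "File")
| summarize
    TotalFiles = dcount(FileName),
    RiskyCount = dcountif(FileName, FileExtension in (RiskyExtensions)),
    RiskyFiles = make_set_if(FileName, FileExtension in (RiskyExtensions)),
    Extensions = make_set(FileExtension),
    Folders = make_set(FolderPath),
    Hashes = make_set(SHA256),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by InitiatingProcessUniqueId, DeviceName, InitiatingProcessAccountUpn,
       InitiatingProcessFileName, FileOriginReferrerUrl, OriginalFile, Source_Type
// Keep only origins that produced at least one executable or script
| where RiskyCount > 0
// One archive or download that yields several executables/scripts is the
// multi-stage delivery pattern the lineage view is meant to surface
| extend RiskScore = case(Source_Type == "Web" and RiskyCount >= 2, 3,
                          RiskyCount >= 2, 2,
                          1)
| project-reorder RiskScore, DeviceName, InitiatingProcessAccountUpn, InitiatingProcessFileName, OriginalFile, RiskyCount, RiskyFiles
| order by RiskScore desc, RiskyCount desc
```

The full sets (Extensions, Folders, Hashes, FirstSeen, LastSeen) stay in the row so an analyst can pivot from a flagged origin straight into the lineage detail the original query shows.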

Details

Sergio Albea

Released: April 21, 2025

Tables

DeviceFileEvents, DeviceEvents

Keywords

DeviceFileEvents, DeviceEvents, FileName, FileOriginReferrerUrl, FileExtension, SourceType, InitiatingProcessUniqueId, AccountUpn, DeviceName, ActionType, FolderPath, SHA2561

Operators

extend, extract, where, isnotempty, join, on, ==, case, startswith, summarize, dcount, strcat, make_set, by