Query Details
Discord Driveby
Query
Tags: Query: DeviceFileEvents | where isnotempty(FileOriginUrl) | where FileOriginUrl contains "cdn.discordapp.com/attachments/" or FileOriginReferrerUrl contains "cdn.discordapp.com/attachments/" | where FileName contains "pass" References:
Explanation
This query is looking for specific file events on devices. Here's a simple breakdown:
- DeviceFileEvents: It starts by examining events related to files on devices.
- isnotempty(FileOriginUrl): It filters to include only those events where the file's origin URL is not empty.
- FileOriginUrl contains "cdn.discordapp.com/attachments/" or FileOriginReferrerUrl contains "cdn.discordapp.com/attachments/": It further narrows down to events where the file's origin URL or the referrer URL contains the specific string "cdn.discordapp.com/attachments/". This indicates that the file came from or was referred by a Discord attachment link.
- FileName contains "pass": Finally, it filters the results to include only those files whose names contain the word "pass".
In summary, this query is searching for files that originated from Discord attachments and have "pass" in their filenames.
Details
Ali Hussein
Released: October 1, 2023
Tables
DeviceFileEvents
Keywords
DeviceFileEvents
Operators
isnotemptycontainsor