Query Details
Endpoint List For Suspicious Files Device
Query
name : Endpoint - Listing suspicious files on the device
description :
- Case1 - Listing suspicious files on the device
- By using Join operator and AlertEvidence table, it is listing suspicious files for each device
table :
- Alertevidence
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-alertevidence-table?view=o365-worldwide
query: |
//Case1 - Listing suspicious files on the device
let SuspiciousFiles = AlertEvidence
| where ServiceSource == "Microsoft Defender for Endpoint"
| where isnotempty(FileName)
| project AlertId, Categories, AttackTechniques, FileName;
AlertEvidence
| where isnotempty(DeviceId) and isnotempty(DeviceName)
| project-reorder DeviceId, DeviceName, AlertId
| join SuspiciousFiles on AlertId
| project DeviceId, DeviceName, Files= FileName1
| summarize make_list(Files) by DeviceId
Explanation
This query is used to list suspicious files on a device. It uses the AlertEvidence table and the Join operator to gather information about suspicious files for each device. The query filters for files that are flagged as suspicious by Microsoft Defender for Endpoint, and then retrieves the DeviceId, DeviceName, and FileName for each alert. Finally, it summarizes the results by grouping the files by DeviceId.
Details
Kijo Girardi
Released: February 6, 2023
Tables
AlertEvidence
Keywords
Keywords:Endpoint,Listing,Suspiciousfiles,Device,Join,AlertEvidence,ServiceSource,MicrosoftDefenderforEndpoint,isnotempty,FileName,AlertId,Categories,AttackTechniques,DeviceId,DeviceName,project-reorder,Files,summarize,make_list.
Operators
toscalar()arg_max()count()mv-expandwhereisnotempty()projectjoinsummarizemake_list()