# File From Host Collected via Portal or Live Response

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1005 | Data from Local System | https://attack.mitre.org/techniques/T1005/ |

### Description
This query lists all files collected from an onboarded EDR device by an analyst. It covers the two file collection methods:
1. LiveResponseGetFile: Files collected through the *getfile* command in a Live Response session
2. DownloadFile: Files collected through the Defender XDR portal by using the download file feature

### References
- https://kqlquery.com/posts/audit-defender-xdr/
- https://learn.microsoft.com/en-us/defender-endpoint/investigate-files
- https://learn.microsoft.com/en-us/defender-endpoint/live-response-command-examples#getfile

## Defender XDR
```KQL
CloudAppEvents
| where ActionType in ('LiveResponseGetFile', 'DownloadFile')
// File details are nested in RawEventData, so they are extracted into top-level columns
| extend FileName = tostring(RawEventData.FileName), FileSHA256 = tostring(RawEventData.FileSHA256), FileSize = tostring(RawEventData.FileSize)
// Rename the actor columns to make clear this is the analyst who collected the file
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccountId = AccountId
| project-reorder Timestamp, InitiatedByAccountName, InitiatedByAccountId, IPAddress, FileName, FileSHA256, FileSize
```

## Sentinel
```KQL
CloudAppEvents
| where ActionType in ('LiveResponseGetFile', 'DownloadFile')
// File details are nested in RawEventData, so they are extracted into top-level columns
| extend FileName = tostring(RawEventData.FileName), FileSHA256 = tostring(RawEventData.FileSHA256), FileSize = tostring(RawEventData.FileSize)
// Rename the actor columns to make clear this is the analyst who collected the file
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccountId = AccountId
// Sentinel exposes the event time as TimeGenerated instead of Timestamp
| project-reorder TimeGenerated, InitiatedByAccountName, InitiatedByAccountId, IPAddress, FileName, FileSHA256, FileSize
```

## Explanation

This query is designed to identify and list all file downloads from devices that are monitored by an Endpoint Detection and Response (EDR) system. It focuses on two specific methods of file collection:

1. LiveResponseGetFile: This method involves collecting files using the getfile command within a Live Response session.
2. DownloadFile: This method involves collecting files through the XDR (Extended Detection and Response) portal using the download file feature.

The query is applicable to both Defender XDR and Sentinel environments, with slight differences in the field names used for timestamps.

Key Points:

- The query filters events where the action type is either 'LiveResponseGetFile' or 'DownloadFile'.
- It extracts and renames relevant information such as the file name, file hash (SHA256), and file size.
- It also captures details about the user who initiated the file download, including their account name and ID.
- The results are organized to display the timestamp, user information, IP address, and file details in a specific order.

This query helps in auditing and investigating file download activities, which can be crucial for identifying potential security incidents or unauthorized data access.
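As an added example that is not part of the original query, the same filter can be aggregated per initiating account to surface analysts who collect an unusual number of distinct files; it assumes the Defender XDR schema (use TimeGenerated in Sentinel), and the 30-day window and the threshold of 20 files are assumed values to be tuned per environment:

```kql
CloudAppEvents
| where Timestamp > ago(30d)   // assumed lookback window
| where ActionType in ('LiveResponseGetFile', 'DownloadFile')
| extend FileName = tostring(RawEventData.FileName), FileSHA256 = tostring(RawEventData.FileSHA256)
// One row per collecting account: how many distinct files, by which method, from which IPs
| summarize
    FileCount = dcount(FileSHA256),
    Files = make_set(FileName, 50),
    Methods = make_set(ActionType),
    SourceIPs = make_set(IPAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by InitiatedByAccountName = AccountDisplayName, InitiatedByAccountId = AccountId
| where FileCount > 20   // assumed threshold; raise or lower to match normal SOC collection volume
| order by FileCount desc
```

Rows that exceed the threshold, or that show collection from an IP address the account does not normally use, are candidates for a closer look with the per-event query above.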

## Details

Author: Bert-Jan Pals

Released: August 24, 2025

Tables: CloudAppEvents