Query Details

Files With Passwords

Query

DeviceFileEvents
| where FileName contains "password"
| where FileName endswith ".doc"
     or FileName endswith ".docx"
     or FileName endswith ".xls"
     or FileName endswith ".xlsx"
     or FileName endswith ".txt"
// --- add exclusions here ---//
| distinct DeviceName, InitiatingProcessAccountUpn, FileName, FolderPath

Explanation

This query retrieves device file events where the file name contains "password" and ends with one of ".doc", ".docx", ".xls", ".xlsx", or ".txt". It then returns the distinct combinations of device name, initiating process account UPN, file name, and folder path.
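The following is an added example, not part of the original query page: a Python re-implementation of the same filter and distinct projection, run over constructed DeviceFileEvents-style rows so the matching rules can be checked offline. It relies on two facts about the KQL operators used above: contains and endswith are case-insensitive (the case-sensitive forms are contains_cs and endswith_cs), and distinct collapses repeated rows for the same file. The device names, UPNs and paths in the sample rows are made up, and the exclusion hook stands in for the "add exclusions here" comment in the query.

```python
# Added example, not from the original page: Python model of the "Files With Passwords"
# hunt, run over constructed DeviceFileEvents-style rows.
from typing import Iterable, Sequence, Tuple

# Same extension list as the KQL `endswith` chain.
SUFFIXES = (".doc", ".docx", ".xls", ".xlsx", ".txt")

# Constructed sample events (hypothetical device names, UPNs and paths).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-finance-01", "InitiatingProcessAccountUpn": "alice@example.com",
     "FileName": "Passwords.xlsx", "FolderPath": r"C:\Users\alice\Documents\Passwords.xlsx"},
    # Same file seen twice (e.g. created then modified): `distinct` should fold these.
    {"DeviceName": "ws-finance-01", "InitiatingProcessAccountUpn": "alice@example.com",
     "FileName": "Passwords.xlsx", "FolderPath": r"C:\Users\alice\Documents\Passwords.xlsx"},
    # Likely benign IT policy document; a candidate for the exclusion hook.
    {"DeviceName": "ws-it-07", "InitiatingProcessAccountUpn": "bob@example.com",
     "FileName": "password_reset_policy.docx",
     "FolderPath": r"C:\Users\bob\Desktop\password_reset_policy.docx"},
    # Name matches but the extension is not in the list: not returned.
    {"DeviceName": "ws-it-07", "InitiatingProcessAccountUpn": "bob@example.com",
     "FileName": "password.db", "FolderPath": r"C:\Users\bob\vault\password.db"},
    # Extension matches but the name does not contain "password": not returned.
    {"DeviceName": "srv-app-02", "InitiatingProcessAccountUpn": "svc-deploy@example.com",
     "FileName": "README.txt", "FolderPath": r"C:\app\README.txt"},
    # Upper-case name: KQL `contains`/`endswith` are case-insensitive, so it still matches.
    {"DeviceName": "ws-hr-03", "InitiatingProcessAccountUpn": "carol@example.com",
     "FileName": "PASSWORD-LIST.TXT", "FolderPath": r"C:\Users\carol\PASSWORD-LIST.TXT"},
]

Row = Tuple[str, str, str, str]


def matches(event: dict, exclusions: Sequence[str] = ()) -> bool:
    """Mirror the two `where` clauses, plus an optional path-substring exclusion list."""
    name = event["FileName"].lower()
    if "password" not in name:            # | where FileName contains "password"
        return False
    if not name.endswith(SUFFIXES):       # | where FileName endswith ".doc" or ...
        return False
    # "add exclusions here": drop known-benign locations, matched case-insensitively.
    folder = event["FolderPath"].lower()
    return not any(ex.lower() in folder for ex in exclusions)


def hunt(events: Iterable[dict], exclusions: Sequence[str] = ()) -> list:
    """Equivalent of `distinct DeviceName, InitiatingProcessAccountUpn, FileName, FolderPath`.

    Returns unique 4-tuples in first-seen order (KQL `distinct` itself promises no order).
    """
    seen = set()
    out: list = []
    for e in events:
        if not matches(e, exclusions):
            continue
        key: Row = (e["DeviceName"], e["InitiatingProcessAccountUpn"],
                    e["FileName"], e["FolderPath"])
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
    print("--- with exclusion for policy templates ---")
    for row in hunt(SAMPLE_EVENTS, exclusions=["_policy"]):
        print(row)
```

Running the block prints three distinct rows (the spreadsheet, the policy document and the upper-case text file), and two once "_policy" is excluded; the duplicate spreadsheet event appears only once, which is the effect of the query's final distinct.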

Details


C.J. May

Released: January 3, 2022

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, FileName, Password, Doc, Docx, Xls, Xlsx, Txt, DeviceName, InitiatingProcessAccountUpn, FolderPath

Operators

where, contains, endswith, or, distinct
