Files With Passwords
Query
DeviceFileEvents
| where FileName contains "password"
| where FileName endswith ".doc"
or FileName endswith ".docx"
or FileName endswith ".xls"
or FileName endswith ".xlsx"
or FileName endswith ".txt"
// --- add exclusions here ---//
| distinct DeviceName, InitiatingProcessAccountUpn, FileName, FolderPathExplanation
This query retrieves device file events where the file name contains "password" and ends with either ".doc", ".docx", ".xls", ".xlsx", or ".txt". It then selects distinct values for device name, initiating process account UPN, file name, and folder path.
Details

C.J. May
Released: January 3, 2022
Tables
DeviceFileEvents
Keywords
DeviceFileEventsFileNamePasswordDocDocxXlsXlsxTxtDeviceNameInitiatingProcessAccountUpnFolderPath
Operators
wherecontainsendswithordistinct