Query Details

Live Response File Collection

Query

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "LiveResponseGetFile"
| extend FileName = tostring(parse_json(RawEventData).FileName), FileSHA256 = tostring(parse_json(RawEventData).FileSHA256)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId, SHA256 = FileSHA256
| invoke FileProfile(SHA256, 1000)
| project-reorder Timestamp, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId, GlobalPrevalence, SignatureState

About this query

Live Response File Collection

Query Information

Description

This query lists all the Getfile activities that have been executed. This includes listing the SHA256 hash of the collected file (when available).

References

Defender XDR

Sentinel

CloudAppEvents
| where TimeGenerated > ago(30d)
| where ActionType == "LiveResponseGetFile"
| extend FileName = tostring(parse_json(RawEventData).FileName), FileSHA256 = tostring(parse_json(RawEventData).FileSHA256)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId, SHA256 = FileSHA256
| project-reorder TimeGenerated, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId

Explanation

This query is designed to track and list all "Getfile" activities executed within the last 30 days using Microsoft's Defender XDR and Sentinel platforms. It focuses on identifying files collected through live response actions, providing details such as the file name, SHA256 hash, and the account that initiated the action. Here's a simplified breakdown:

  1. Data Source: The query pulls data from CloudAppEvents, which logs various cloud application activities.

  2. Time Frame: It filters events to include only those that occurred in the past 30 days.

  3. Action Type: It specifically looks for events where the action type is "LiveResponseGetFile", indicating a file was collected during a live response.

  4. Data Extraction:

    • It extracts the file name and SHA256 hash from the raw event data.
    • It renames some fields for clarity, such as the account name and ID of the person who initiated the file collection.
  5. Additional Analysis (Defender XDR only):

    • It uses the FileProfile function to gather additional information about the file, such as its global prevalence and signature state.
  6. Output: The query organizes and displays the results with columns for the timestamp, file name, SHA256 hash, the account name and ID of the initiator, and additional file profile information (for Defender XDR).

In summary, this query helps security analysts monitor and audit file collection activities, providing insights into who collected which files and additional details about those files.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsTimestampActionTypeFileNameFileSHA256AccountDisplayNameAccountIdGlobalPrevalenceSignatureStateTimeGenerated

Operators

CloudAppEventswhereagoextendtostringparse_jsonproject-renameinvokeFileProfileproject-reorder

Actions

GitHub