Query Details

MDE File Enrichment On Suspicious File

Query

# File Enrichment on Suspicious File
----
### Defender For Endpoint

```
let SuspiciousDownloadName = 'GoogleUpdateSetup.exe';
DeviceFileEvents
| where FileName == SuspiciousDownloadName
| summarize
     arg_max(Timestamp, *),
     DeviceList = make_set(DeviceName),
     FileLocations = make_set(FolderPath)
     by SHA1
// Add file details, for more details see: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-fileprofile-function?view=o365-worldwide
| invoke FileProfile(SHA1, 1000)
| project-reorder
     Timestamp,
     SHA1,
     // GlobalPrevalence = Number of instances of the entity observed by Microsoft globally. The more instances, the more likely it is benign.
     GlobalPrevalence,
     GlobalFirstSeen,
     Signer,
     ThreatName,
     DeviceList,
     FileLocations
```

This query is not available in Sentinel, since FileProfile() is not supported. 

Explanation

The query looks in the DeviceFileEvents table of Defender for Endpoint for a file named "GoogleUpdateSetup.exe", the name of Google's legitimate updater installer and therefore a convenient name for malware to borrow. Note that `==` is case-sensitive, so "googleupdatesetup.exe" would not match; use `=~` if you want a case-insensitive comparison. Results are grouped by SHA1 so that every distinct file gets one row: `arg_max(Timestamp, *)` keeps the columns of the most recent event for that hash, while the two `make_set` calls collect every device the file was seen on and every folder it was written to. `invoke FileProfile(SHA1, 1000)` then enriches up to 1000 rows with Microsoft's file reputation data: GlobalPrevalence and GlobalFirstSeen show how widespread and how old the file is, Signer shows whether it carries a known code-signing identity, and ThreatName is populated when Microsoft already classifies the hash as malicious. A rare, unsigned or recently first-seen file carrying the name of a common installer deserves a closer look, whereas a widely distributed, Google-signed file is most likely the genuine updater. Grouping on the hash rather than the name also matters because an attacker can rename a file at will, while the hash stays the same. This query cannot be used in Microsoft Sentinel because the FileProfile function is not supported there.
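The original query only lists the enrichment columns and leaves the verdict to the analyst. The following variant, added here as an illustration and not part of the original query or its author's work, generalises it to several lookalike installer names and turns the enrichment into a filter: hashes that are rare, unsigned or already known to Microsoft are kept and labelled. The name list, the 30-day window, the prevalence threshold and the Verdict column are illustrative assumptions, and the query still depends on FileProfile, so it also runs only in Defender advanced hunting, not in Sentinel.

```kusto
// Added example: hunt several lookalike installer names at once and keep
// only the hashes that still look suspicious after FileProfile enrichment.
// The name list and the prevalence threshold are illustrative assumptions.
let SuspiciousDownloadNames = dynamic(["GoogleUpdateSetup.exe", "ChromeSetup.exe", "TeamsSetup.exe"]);
let PrevalenceThreshold = 50;
DeviceFileEvents
| where Timestamp > ago(30d)
// in~ is case-insensitive, so googleupdatesetup.EXE is matched as well
| where FileName in~ (SuspiciousDownloadNames)
| where isnotempty(SHA1)
| summarize
    arg_max(Timestamp, FileName, FolderPath, DeviceName, InitiatingProcessFileName),
    DeviceList = make_set(DeviceName),
    FileLocations = make_set(FolderPath),
    DeviceCount = dcount(DeviceName)
    by SHA1
// FileProfile enriches at most 1000 rows per query
| invoke FileProfile(SHA1, 1000)
// Keep hashes that are rare, unsigned or already classified as a threat
| where GlobalPrevalence < PrevalenceThreshold
    or isempty(Signer)
    or isnotempty(ThreatName)
// Assumed label so the analyst sees at a glance why a row survived
| extend Verdict = case(
    isnotempty(ThreatName), "Known malware",
    isempty(Signer), "Unsigned",
    "Low prevalence")
| project
    Timestamp,
    FileName,
    SHA1,
    SHA256,
    Verdict,
    GlobalPrevalence,
    GlobalFirstSeen,
    Signer,
    ThreatName,
    InitiatingProcessFileName,
    DeviceCount,
    DeviceList,
    FileLocations
| order by GlobalPrevalence asc
```

Rows with an empty GlobalPrevalence (no profile available for the hash) are not matched by the `<` comparison; if you want those surfaced too, add `or isempty(GlobalPrevalence)` to the filter. InitiatingProcessFileName is kept because a browser or mail client writing an installer tells a different story than an archive extractor or a script host.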

Details


Bert-Jan Pals

Released: May 10, 2023

Tables

DeviceFileEvents

Keywords

Devices,DefenderForEndpoint

Operators

arg_max,make_set,where,summarize,by,invoke,project-reorder,project
