Query Details

File Enrichment on Suspicious File

MDE File Enrichment On Suspicious File

Query

let SuspiciousDownloadName = 'GoogleUpdateSetup.exe';
DeviceFileEvents
| where FileName == SuspiciousDownloadName
| summarize
     arg_max(Timestamp, *),
     DeviceList = make_set(DeviceName),
     FileLocations = make_set(FolderPath)
     by SHA1
// Add file details, for more details see: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-fileprofile-function?view=o365-worldwide
| invoke FileProfile(SHA1, 1000)
| project-reorder
     Timestamp,
     SHA1,
     // GlobalPrevalence = Number of instances of the entity observed by Microsoft globally. The more instances, the more likely it is benign.
     GlobalPrevalence,
     GlobalFirstSeen,
     Signer,
     ThreatName,
     DeviceList,
     FileLocations

About this query

File Enrichment on Suspicious File


Defender XDR

This query is not available in Sentinel, since FileProfile() is not supported.

Explanation

This query is designed to investigate a potentially suspicious file named "GoogleUpdateSetup.exe" across devices using Microsoft Defender XDR (Extended Detection and Response). Here's a simple breakdown of what the query does:

  1. Identify Suspicious File: It starts by setting a specific file name, "GoogleUpdateSetup.exe", as the suspicious file to investigate.

  2. Search for File Events: It searches through device file events to find occurrences of this file.

  3. Summarize Data: For each unique file (identified by its SHA1 hash), it collects the most recent event data and compiles a list of devices and file locations where the file was found.

  4. Enrich with File Details: It attempts to add more information about the file using the FileProfile function, which provides details like global prevalence (how common the file is globally), when it was first seen, the signer (who signed the file), and any associated threat names.

  5. Organize Results: Finally, it organizes the results to show the timestamp, SHA1 hash, global prevalence, first seen date, signer, threat name, list of devices, and file locations.

Note: The FileProfile function used for enrichment is not supported in Microsoft Sentinel, which means this specific part of the query won't work in that environment.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsSHA1TimestampNameFolderPathGlobalPrevalenceFirstSeenSignerThreat

Operators

letwheresummarizearg_maxmake_setbyinvokeproject-reorder

Actions

GitHub