Query Details
name : MDE Controlled Folder Access
source : https://github.com/LearningKijo/KQL/blob/main/KQL-Effective-Use/04-kql-MDE-ControlledFolderAccess.md
query: |
//Controlled Folder Access - Block
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType contains "ControlledFolderAccessViolationBlocked"
| summarize TargetFolderPath = make_list(strcat(FolderPath, " | ", InitiatingProcessFileName)) by bin(Timestamp, 1d), DeviceId, DeviceName
| extend Num = array_length(TargetFolderPath)
| project Timestamp, DeviceId, DeviceName, Num, TargetFolderPath
//Controlled Folder Access - Audit
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType contains "ControlledFolderAccessViolationAudit"
| summarize TargetFolderPath = make_list(strcat(FolderPath, " | ", InitiatingProcessFileName)) by bin(Timestamp, 1d), DeviceId, DeviceName
| extend Num = array_length(TargetFolderPath)
| project Timestamp, DeviceId, DeviceName, Num, TargetFolderPath
These two queries retrieve Controlled Folder Access events from the DeviceEvents table. Each filters to events from the last 7 days; the first keeps only "Block" events (ActionType containing ControlledFolderAccessViolationBlocked) and the second only "Audit" events (ActionType containing ControlledFolderAccessViolationAudit).
The "Block" query groups the events by day (bin(Timestamp, 1d)), device ID and device name, and builds a list of strings that pair each target folder path with the initiating process file name. It then counts the items in that list (Num) and projects the timestamp, device ID, device name, the count and the list itself.
The "Audit" query follows the same steps for audit events.
Together the queries show, per device and per day, how many Controlled Folder Access violations were blocked or audited, when they occurred, and which folder paths and initiating processes were involved.
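The following KQL is an added example, not code from the page or from the LearningKijo repository. It folds the two queries above into one by deriving the mode from the ActionType suffix, and pivots on the initiating process rather than only on the device, which is what a defender usually needs next: which applications are tripping Controlled Folder Access, and which of them are only ever audited (candidates for allow-listing or review before switching the policy from Audit to Block). It assumes only the DeviceEvents columns the page's own queries already use; the lookback window, the column names it introduces (Mode, Blocked, Audited, AuditOnly, FirstSeen, LastSeen, TargetFolders) and the cap of 20 folders per row are choices made here.

```kusto
// Added example (not from the page): Block and Audit events in one query,
// counted per device, per day and per initiating process.
// Assumes the DeviceEvents columns used on the page: Timestamp, ActionType,
// FolderPath, InitiatingProcessFileName, DeviceId, DeviceName.
let lookback = 7d;
DeviceEvents
| where Timestamp > ago(lookback)
// Both action types share this prefix; the suffix tells Block from Audit
| where ActionType startswith "ControlledFolderAccessViolation"
| extend Mode = iff(ActionType contains "Blocked", "Block", "Audit")
| summarize
    Blocked = countif(Mode == "Block"),
    Audited = countif(Mode == "Audit"),
    // Distinct protected folders touched by this process (capped at 20 per row)
    TargetFolders = make_set(FolderPath, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by bin(Timestamp, 1d), DeviceId, DeviceName, InitiatingProcessFileName
// A process that is only audited would start being blocked once the policy is enforced
| extend AuditOnly = Blocked == 0 and Audited > 0
| order by Blocked desc, Audited desc
| project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName,
          Blocked, Audited, AuditOnly, FirstSeen, LastSeen, TargetFolders
```

Like the page's queries, the ActionType match is a case-insensitive string match, so it also covers the "Audited" spelling of the audit event. Sorting by Blocked first surfaces the processes that are actively being stopped; filtering on AuditOnly == true instead gives the tuning list for a policy still in audit mode.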

Kijo Girardi
Released: March 29, 2023