Query Details

One Note Weird Location

Query

DeviceFileEvents
// OneNote section files; endswith is case-insensitive, so ".ONE" matches too
| where FileName endswith ".one"
// Drop OneNote's own working folder under the user profile
| where FolderPath !contains "\\AppData\\Local\\Microsoft\\OneNote\\"
// Drop files that were only moved to the Recycle Bin
| where FolderPath !contains "Recycle.bin"

Explanation

This query searches DeviceFileEvents for files whose name ends in ".one" (OneNote section files) and then excludes events whose folder path contains "\AppData\Local\Microsoft\OneNote\" (OneNote's own working folder under the user profile) or "Recycle.bin" (files that were only deleted). What remains is .one files created, modified or moved outside the location OneNote normally writes to, which is the "weird location" the title refers to. Note that KQL's endswith and !contains are case-insensitive, so ".ONE" files are still matched and differently cased paths are still excluded; use endswith_cs / !contains_cs if a case-sensitive comparison is intended.
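To see how the three where clauses behave on edge cases (upper-case extensions, mixed-case Recycle Bin paths), here is an added Python emulation of the same filter run over constructed DeviceFileEvents-like rows. It is not code from the original page or its author; it mirrors KQL's case-insensitive endswith and !contains by lowercasing both sides, and the sample rows and device names are made up.

```python
"""Emulation of the 'One Note Weird Location' filter over DeviceFileEvents rows.

KQL's endswith and !contains are case-insensitive, so both sides are lowercased.
"""
from typing import Dict, Iterable, List

# Path fragments the original query excludes (same strings as the KQL query).
EXCLUDED_PATH_FRAGMENTS = (
    "\\AppData\\Local\\Microsoft\\OneNote\\",  # OneNote's own working folder
    "Recycle.bin",                            # files that were just deleted
)


def is_weird_onenote_file(event: Dict[str, str]) -> bool:
    """True when the row would survive all three 'where' clauses."""
    file_name = event.get("FileName", "").lower()
    folder_path = event.get("FolderPath", "").lower()
    if not file_name.endswith(".one"):
        return False
    return not any(frag.lower() in folder_path for frag in EXCLUDED_PATH_FRAGMENTS)


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the filter to a sequence of DeviceFileEvents-like rows."""
    return [e for e in events if is_weird_onenote_file(e)]


# Constructed sample rows (not real telemetry); only the columns the query uses.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "0.one",
     "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneNote\\16.0\\cache\\"},
    {"DeviceName": "ws01", "FileName": "invoice.one",
     "FolderPath": "C:\\Users\\alice\\Downloads\\"},
    {"DeviceName": "ws02", "FileName": "Report.ONE",  # upper-case extension
     "FolderPath": "C:\\Users\\bob\\AppData\\Local\\Temp\\"},
    {"DeviceName": "ws02", "FileName": "$R1ABCD.one",  # mixed-case Recycle Bin path
     "FolderPath": "C:\\$RECYCLE.BIN\\S-1-5-21-PLACEHOLDER\\"},
    {"DeviceName": "ws01", "FileName": "notes.docx",
     "FolderPath": "C:\\Users\\alice\\Downloads\\"},
]

if __name__ == "__main__":
    # Prints the two rows that survive: invoice.one in Downloads, Report.ONE in Temp
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["FolderPath"] + hit["FileName"])
```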

Details

C.J. May

Released: May 16, 2023

Tables

DeviceFileEvents

Keywords

DeviceFileEvents,FileName,FolderPath,AppData,Local,Microsoft,OneNote,Recycle,bin

Operators

|, endswith, !contains