Query Details
URL Download Source Finder
Query
//This query identifies the source URL for downloaded files //Tracks Mark of the Web (MOTW) written events DeviceNetworkEvents | where EventSimpleName == "MotwWritten" | project ComputerName, FileName, HostUrl, ReferrerUrl
Explanation
This query is designed to track events related to the "Mark of the Web" (MOTW), which is a security feature in Windows that flags files downloaded from the internet. Specifically, the query looks for events where a MOTW has been written to a file. It retrieves and displays the following information for each event:
- ComputerName: The name of the computer where the event occurred.
- FileName: The name of the file that had the MOTW written to it.
- HostUrl: The URL of the source from which the file was downloaded.
- ReferrerUrl: The URL of the page that referred the download.
In summary, this query helps identify the origin of downloaded files by tracking when and where a MOTW is applied.
Details
User Submission
Released: November 10, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEvents
Operators
==|whereproject