I am looking for documentation on how to build an Advanced Hunting query in Microsoft Defender for Endpoint where I can use the "File paths" in the KQL query.
The field is in the Software Inventory under Devices, in the Software Evidence section. See the screen dump below:
You are looking for one of the pages under the Data Tables schema.
My first guess would have been DeviceTvmSoftwareInventory; however, that does not seem to include the path.
There are other tables which contain the path: DeviceFileEvents and DeviceImageLoadEvents could be the ones you are looking for, depending on the use case you are trying to cover. The following queries could be a good start.
DeviceFileEvents
| where FolderPath contains "part\\of\\your\\path\\comes\\here"
or
DeviceImageLoadEvents
| where FolderPath == "your\\full\\path\\comes\\here"
If you have the full path of every piece of software you are looking for, you can also use FolderPath == with the escaped path (double \\ in the path).
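As an added example, not part of the answer above: a query that ties the Software Inventory table to the event tables that do carry a path. It takes the devices on which DeviceTvmSoftwareInventory reports a given product, then pulls the image-load and file events on those devices whose FolderPath sits under a chosen folder, so each hit carries the inventory's reported version. The vendor, product and folder values are placeholders to replace; the @"..." verbatim-string syntax is used so backslashes do not need doubling.

```kql
// Placeholders: replace with the vendor/product names exactly as the
// Software Inventory shows them, and the folder the evidence points at.
let targetVendor  = "ExampleVendor";
let targetProduct = "ExampleProduct";
let targetFolder  = @"C:\Program Files\ExampleProduct\";   // @"..." = verbatim string, no \\ escaping
// 1. Devices on which the inventory reports the software (=~ is case-insensitive equality).
let affectedDevices =
    DeviceTvmSoftwareInventory
    | where SoftwareVendor =~ targetVendor and SoftwareName =~ targetProduct
    | distinct DeviceId, DeviceName, SoftwareVersion;
// 2. Image loads (EXE/DLL mapped into a process) from that folder on any device.
//    startswith is a case-insensitive prefix match on the full path.
let loads =
    DeviceImageLoadEvents
    | where Timestamp > ago(7d)
    | where FolderPath startswith targetFolder
    | project Timestamp, DeviceId, Evidence = "ImageLoad", FileName, FolderPath, SHA1,
              InitiatingProcessFileName;
// 3. File creates/modifications in that folder (installer or updater activity).
let fileWrites =
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where ActionType in ("FileCreated", "FileModified")
    | where FolderPath startswith targetFolder
    | project Timestamp, DeviceId, Evidence = "FileEvent", FileName, FolderPath, SHA1,
              InitiatingProcessFileName;
// 4. Keep only evidence from the devices the inventory flagged, with the reported version.
affectedDevices
| join kind=inner (union loads, fileWrites) on DeviceId
| project Timestamp, DeviceName, SoftwareVersion, Evidence, FolderPath, FileName, SHA1,
          InitiatingProcessFileName
| order by Timestamp desc
```

Note the matching semantics when adapting this: == and contains_cs are case-sensitive, while =~, contains, has and startswith are not, so a path written with a different drive-letter or folder case will only match with the case-insensitive forms.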