
Query File paths field from Microsoft Defender

I am looking for documentation on how to build an Advanced Hunting query in Microsoft Defender for Endpoint where I can use the "File paths" in the KQL query.

The field is in the Software Inventory under Devices, in the Software Evidence section. See the screen dump below:

[screenshot: Software Evidence section of the Software Inventory page]

You are looking for one of the pages under the Data Tables schema.

My first guess would have been DeviceTvmSoftwareInventory, however that does not seem to include the path.

There are other tables which contain a path: DeviceFileEvents and DeviceImageLoadEvents could be the ones you are looking for, depending on the use case you are trying to cover. The following queries could be a good start.

DeviceFileEvents
| where FolderPath contains "part\\of\\your\\path\\comes\\here"

or

DeviceImageLoadEvents
| where FolderPath == "your\\full\\path\\comes\\here"

If you have the full path of every piece of software you are looking for, you can also use FolderPath == with the escaped path (double \\ in the path).
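The following is an added worked example that builds on the answer above; it is not part of the original answer. It ties the FolderPath columns of DeviceFileEvents, DeviceImageLoadEvents and DeviceProcessEvents back to the software inventory by joining on DeviceId, so you get, per device and per path, where the evidence was observed. The folder names, the software name "exampleapp" and the seven-day lookback are constructed placeholders: replace them with the paths shown under Software Evidence and the SoftwareName value from DeviceTvmSoftwareInventory.

```kql
// Added example, not from the original answer. Folder names, software name and
// lookback window are constructed placeholders to be replaced with your own values.
let lookback = 7d;
// @"..." verbatim literals keep single backslashes; a plain "..." literal needs every \ doubled.
let folderA = @"C:\Program Files\ExampleVendor\ExampleApp\";
let folderB = @"C:\Program Files (x86)\ExampleVendor\ExampleApp\";
// Devices where the inventory says the software is present (=~ is case-insensitive, == is not).
let candidateDevices =
    DeviceTvmSoftwareInventory
    | where SoftwareName =~ "exampleapp"
    | distinct DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion;
// Pull every table that carries a FolderPath into one shape, tagging the source table.
union
    (DeviceFileEvents
     | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA1,
               SourceTable = "DeviceFileEvents"),
    (DeviceImageLoadEvents
     | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA1,
               SourceTable = "DeviceImageLoadEvents"),
    (DeviceProcessEvents
     | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA1,
               SourceTable = "DeviceProcessEvents")
| where Timestamp > ago(lookback)
// Windows paths are case-insensitive, so prefer the case-insensitive startswith over ==;
// a prefix match also tolerates FolderPath values that include the file name.
| where FolderPath startswith folderA or FolderPath startswith folderB
// Keep only devices that the software inventory also lists.
| join kind=inner (candidateDevices) on DeviceId
| summarize Occurrences = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SeenIn = make_set(SourceTable),
            Hashes = make_set(SHA1)
      by DeviceName, SoftwareName, SoftwareVersion, FolderPath
| order by LastSeen desc
```

Two practical notes on the operators: `contains` scans for a substring anywhere in the value and is case-insensitive, which is convenient for a partial path but slower than `startswith` or `has` on large tables; `==` is case-sensitive, so a full-path comparison against a value typed in a different case silently returns nothing, and `=~` is the case-insensitive form. In these tables FolderPath usually holds the full path including the file name, which is why the example matches on a folder prefix rather than on exact equality.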

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM