Find all the processes started by a given file — matched by SHA1, or by file name when no hash is supplied — together with the file names, folder locations and SHA1 hashes that file has been observed with inside the search window.
Defender XDR
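// Pivot from a file indicator to the processes that file has started, plus the
// file names, folder locations and SHA1 hashes the file has been observed with
// inside the search window (DeviceFileEvents -> DeviceProcessEvents).
//
// Inputs:
//   MaliciousFileSHA1 - SHA1 of the file of interest. For the best results use SHA1:
//                       a name-only match is trivially defeated by renaming the file.
//   MaliciousFileName - used only when MaliciousFileSHA1 is empty (compared case-insensitively).
//   SearchWindow      - look-back applied to BOTH the file lookup and the process lookup.
//
// Output: first the forensic sets (one row each, set column populated, event columns
// empty), then the matching process events in time order.
let MaliciousFileSHA1 = "e14f7ed43ab3ae9d31680eb74b043339eb6f87e7"; // Random generated SHA1 hash 9d833c959de5dd22d778c697cd0de8189c238b2e
let MaliciousFileName = "maliciousfilename.exe";
let SearchWindow = 48h; // Customizable h = hours, d = days
// One pass over DeviceFileEvents; the three forensic sets are derived from this
// instead of re-running the identical filter three times.
let MatchingFileEvents = materialize (
    DeviceFileEvents
    | where Timestamp > ago(SearchWindow)
    | where (isnotempty(MaliciousFileSHA1) and SHA1 == MaliciousFileSHA1)
         or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName))
);
let FileInfoLocation = MatchingFileEvents | summarize FileLocations = make_set(tolower(FolderPath));
let FileInfoFileName = MatchingFileEvents | summarize Filenames = make_set(tolower(FileName));
// Empty SHA1 values are dropped so that "" never becomes a match key below.
let FileInfoFileSHA1 = MatchingFileEvents | where isnotempty(SHA1) | summarize FileInfoFileSHA1 = make_set(SHA1);
// Scalar (dynamic array) copies of the sets for use in has_any() / in().
let KnownLocations = toscalar(FileInfoLocation | project FileLocations);
let KnownSHA1s = toscalar(FileInfoFileSHA1 | project FileInfoFileSHA1);
(union isfuzzy=true
    (FileInfoFileName),   // Forensic information in set format available after last raw event
    (FileInfoLocation),   // Forensic information in set format available after last raw event
    (FileInfoFileSHA1),   // Forensic information in set format available after last raw event
    (DeviceProcessEvents
    // Same look-back as the file lookup; without it this was an unbounded table scan.
    | where Timestamp > ago(SearchWindow)
    // isnotempty() guard: with an empty indicator, "InitiatingProcessSHA1 == ''" would
    // otherwise match every event whose initiating SHA1 is itself empty.
    | where (isnotempty(MaliciousFileSHA1) and InitiatingProcessSHA1 == MaliciousFileSHA1)
         // Any SHA1 the file was seen with - this also covers the name-only case,
         // which previously could never match on hash.
         or InitiatingProcessSHA1 in (KnownSHA1s)
         // has_any is case-insensitive, so no tolower() is needed here. NOTE: a folder-path
         // match is broad and will also return other binaries launched from the same folder;
         // treat those rows as leads, not confirmed children of the file.
         or InitiatingProcessCommandLine has_any (KnownLocations))
    | sort by Timestamp
    | project-reorder
        Filenames,
        FileLocations,
        FileInfoFileSHA1,
        Timestamp,
        DeviceName,
        ActionType,
        FileName,
        ProcessCommandLine,
        InitiatingProcessCommandLine
)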
Sentinel
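// Sentinel variant (DeviceFileEvents / DeviceProcessEvents as ingested via the
// Defender connector, so the time column is TimeGenerated).
// Pivot from a file indicator to the processes that file has started, plus the
// file names, folder locations and SHA1 hashes the file has been observed with
// inside the search window.
//
// Inputs:
//   MaliciousFileSHA1 - SHA1 of the file of interest. For the best results use SHA1:
//                       a name-only match is trivially defeated by renaming the file.
//   MaliciousFileName - used only when MaliciousFileSHA1 is empty (compared case-insensitively).
//   SearchWindow      - look-back applied to BOTH the file lookup and the process lookup.
//
// Output: first the forensic sets (one row each, set column populated, event columns
// empty), then the matching process events in time order.
let MaliciousFileSHA1 = "e14f7ed43ab3ae9d31680eb74b043339eb6f87e7"; // Random generated SHA1 hash 9d833c959de5dd22d778c697cd0de8189c238b2e
let MaliciousFileName = "maliciousfilename.exe";
let SearchWindow = 48h; // Customizable h = hours, d = days
// One pass over DeviceFileEvents; the three forensic sets are derived from this
// instead of re-running the identical filter three times.
let MatchingFileEvents = materialize (
    DeviceFileEvents
    | where TimeGenerated > ago(SearchWindow)
    | where (isnotempty(MaliciousFileSHA1) and SHA1 == MaliciousFileSHA1)
         or (isempty(MaliciousFileSHA1) and tolower(FileName) == tolower(MaliciousFileName))
);
let FileInfoLocation = MatchingFileEvents | summarize FileLocations = make_set(tolower(FolderPath));
let FileInfoFileName = MatchingFileEvents | summarize Filenames = make_set(tolower(FileName));
// Empty SHA1 values are dropped so that "" never becomes a match key below.
let FileInfoFileSHA1 = MatchingFileEvents | where isnotempty(SHA1) | summarize FileInfoFileSHA1 = make_set(SHA1);
// Scalar (dynamic array) copies of the sets for use in has_any() / in().
let KnownLocations = toscalar(FileInfoLocation | project FileLocations);
let KnownSHA1s = toscalar(FileInfoFileSHA1 | project FileInfoFileSHA1);
(union isfuzzy=true
    (FileInfoFileName),   // Forensic information in set format available after last raw event
    (FileInfoLocation),   // Forensic information in set format available after last raw event
    (FileInfoFileSHA1),   // Forensic information in set format available after last raw event
    (DeviceProcessEvents
    // Same look-back as the file lookup; without it this was an unbounded table scan.
    | where TimeGenerated > ago(SearchWindow)
    // isnotempty() guard: with an empty indicator, "InitiatingProcessSHA1 == ''" would
    // otherwise match every event whose initiating SHA1 is itself empty.
    | where (isnotempty(MaliciousFileSHA1) and InitiatingProcessSHA1 == MaliciousFileSHA1)
         // Any SHA1 the file was seen with - this also covers the name-only case,
         // which previously could never match on hash.
         or InitiatingProcessSHA1 in (KnownSHA1s)
         // has_any is case-insensitive, so no tolower() is needed here. NOTE: a folder-path
         // match is broad and will also return other binaries launched from the same folder;
         // treat those rows as leads, not confirmed children of the file.
         or InitiatingProcessCommandLine has_any (KnownLocations))
    | sort by TimeGenerated
    | project-reorder
        Filenames,
        FileLocations,
        FileInfoFileSHA1,
        TimeGenerated,
        DeviceName,
        ActionType,
        FileName,
        ProcessCommandLine,
        InitiatingProcessCommandLine
)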