It appears the Advanced Hunting queries on the Defender portal are pulled from here. There's an error in the top suggested result... (Shared Queries/Suggested/Microsoft 365 Defender/)
"Downloads" query error:
The line: "or (InitiatingProcessFileName =~ "firefox.exe" and (FileName !endswith ".js" or FolderPath !has "profile"))"
Should read: "or (InitiatingProcessFileName =~ "firefox.exe" and (FileName !endswith ".js" and FolderPath !has "profile"))"
It doesn't filter as intended with the combination of "or" and !.
Thank you. There's also another error in the Chrome part... `endswith "crdownload"` should be `!endswith "crdownload"`, or it filters out all the Chrome downloads.
It's a useful query. I've rewritten this quite a bit to filter out automated browser updates (etc), and various other "noise". Feel free to use. :)
// Lists all the files downloaded using popular browsers.
DeviceFileEvents
| where FolderPath !has "$Recycle.Bin"
| where
// Edge
InitiatingProcessFolderPath endswith @"windows\system32\browser_broker.exe"
// Internet Explorer x64
or InitiatingProcessFolderPath endswith @"program files\internet explorer\iexplore.exe"
// Internet Explorer x32
or InitiatingProcessFolderPath endswith @"program files (x86)\internet explorer\iexplore.exe"
// Chrome
or (InitiatingProcessFileName =~ "chrome.exe" and FileName !endswith "crdownload" and FolderPath !has "CacheStorage" and FolderPath !has "AppData")
// Firefox
or (InitiatingProcessFileName =~ "firefox.exe" and (FileName !endswith ".js" and FolderPath !has "profiles" and FolderPath !has ".xpi" and FolderPath !has "xml" and FolderPath !has "backgroundupdate" and FolderPath !has "MozillaBackgroundTask" and FolderPath !has "AppData"))
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath
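The two logic errors discussed in this thread (the Firefox `or`/`and` mix-up with negated conditions from the original report, and the Chrome `endswith "crdownload"` inversion from the comment) can be checked outside the portal. The following is an added example, not part of the issue or the rewritten query: it models each clause as a Python predicate and runs the original and corrected forms over constructed `DeviceFileEvents` rows. KQL `has` is approximated by a case-insensitive substring test, and the folder term `profiles` is taken from the rewritten query above.

```python
# Added example: Firefox and Chrome clauses of the "Downloads" query as predicates,
# original (buggy) form beside the corrected form. Field names mirror the KQL
# columns InitiatingProcessFileName / FileName / FolderPath; rows are constructed.

def _has(path: str, term: str) -> bool:
    # Simplification of KQL `has` (term-based, case-insensitive) for this demo.
    return term.lower() in path.lower()

def firefox_buggy(ev: dict) -> bool:
    # Original: (FileName !endswith ".js" OR FolderPath !has "profiles")
    # A .js file outside the profile folder still passes, so .js is not excluded.
    return ev["proc"].lower() == "firefox.exe" and (
        not ev["file"].lower().endswith(".js") or not _has(ev["folder"], "profiles"))

def firefox_fixed(ev: dict) -> bool:
    # Corrected: both exclusions must hold, i.e. AND (De Morgan of NOT(js OR profile)).
    return ev["proc"].lower() == "firefox.exe" and (
        not ev["file"].lower().endswith(".js") and not _has(ev["folder"], "profiles"))

def chrome_buggy(ev: dict) -> bool:
    # Original: FileName endswith "crdownload" keeps only partial-download temp files.
    return ev["proc"].lower() == "chrome.exe" and ev["file"].lower().endswith("crdownload")

def chrome_fixed(ev: dict) -> bool:
    # Corrected: exclude the .crdownload temp file, keep the completed download.
    return ev["proc"].lower() == "chrome.exe" and not ev["file"].lower().endswith("crdownload")

# Constructed sample events: initiating process, file name, folder path.
EVENTS = [
    {"proc": "firefox.exe", "file": "invoice.pdf", "folder": r"C:\Users\u\Downloads"},
    {"proc": "firefox.exe", "file": "main.js", "folder": r"C:\Users\u\Downloads"},
    {"proc": "firefox.exe", "file": "prefs.js",
     "folder": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default"},
    {"proc": "chrome.exe", "file": "setup.exe", "folder": r"C:\Users\u\Downloads"},
    {"proc": "chrome.exe", "file": "setup.exe.crdownload", "folder": r"C:\Users\u\Downloads"},
]

def run_filter(pred, events=EVENTS) -> list:
    # Returns the file names a given clause would let through to `project`.
    return [e["file"] for e in events if pred(e)]

if __name__ == "__main__":
    for name, pred in [("firefox_buggy", firefox_buggy), ("firefox_fixed", firefox_fixed),
                       ("chrome_buggy", chrome_buggy), ("chrome_fixed", chrome_fixed)]:
        print(f"{name:14s} -> {run_filter(pred)}")
```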