
Defender Advanced Hunt query error #11235

Open
kseyoss opened this issue Oct 8, 2024 · 3 comments
Labels: Hunting specialty review needed

Comments
kseyoss commented Oct 8, 2024

It appears the Advanced Hunting queries on the Defender portal are pulled from here. There's an error in the top suggested result... (Shared Queries/Suggested/Microsoft 365 Defender/)

"Downloads" query error:

The line: "or (InitiatingProcessFileName =~ "firefox.exe" and (FileName !endswith ".js" or FolderPath !has "profile"))"

Should read: "or (InitiatingProcessFileName =~ "firefox.exe" and (FileName !endswith ".js" and FolderPath !has "profile"))"

It doesn't filter as intended with the combination of "or" and !.

@v-rusraut added the Hunting specialty review needed label Oct 9, 2024

v-rusraut (Contributor) commented
Hi @kseyoss, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!


kseyoss commented Oct 10, 2024

Thank you. There's also another error in the Chrome part... "endswith "crdownload" should be "!endswith "crdownload" or it filters out all the Chrome downloads.

It's a useful query. I've rewritten this quite a bit to filter out automated browser updates (etc), and various other "noise". Feel free to use. :)

// Lists all the files downloaded using popular browsers.
DeviceFileEvents
| where FolderPath !has "$Recycle.Bin"
| where
// Edge
InitiatingProcessFolderPath endswith @"windows\system32\browser_broker.exe"
// Internet Explorer x64
or InitiatingProcessFolderPath endswith @"program files\internet explorer\iexplore.exe"
// Internet Explorer x32
or InitiatingProcessFolderPath endswith @"program files (x86)\internet explorer\iexplore.exe"
// Chrome
or (InitiatingProcessFileName =~ "chrome.exe" and FileName !endswith "crdownload" and FolderPath !has "CacheStorage" and FolderPath !has "AppData")
// Firefox
or (InitiatingProcessFileName =~ "firefox.exe" and (FileName !endswith ".js" and FolderPath !has "profiles" and FolderPath !has ".xpi" and FolderPath !has "xml" and FolderPath !has "backgroundupdate" and FolderPath !has "MozillaBackgroundTask" and FolderPath !has "AppData"))
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath
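The two defects reported in this thread are both about how the filter predicates evaluate, not about the data. The following is an added example, not code from the issue or from the Microsoft hunting-queries repository: it models the relevant KQL string operators in Python (`=~` as case-insensitive equality, `endswith` as case-insensitive suffix match, and `has` as a whole-term match, which is how KQL tokenises), then applies the Firefox predicate as published versus as proposed in the first comment, and the Chrome `endswith` / `!endswith "crdownload"` clause as published versus as proposed in the second comment, to a handful of constructed `DeviceFileEvents`-shaped rows. The rows, paths and filenames are invented for the demonstration.

```python
import re
from typing import Callable, Dict, List

Row = Dict[str, str]

# KQL terms are runs of alphanumeric characters; `has` matches a whole term,
# case-insensitively. This is a simplified model of that behaviour.
_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def kql_has(value: str, term: str) -> bool:
    """Approximate KQL `has`: true if `term` is a whole term in `value`."""
    wanted = term.lower()
    return any(tok.lower() == wanted for tok in _TERM_RE.findall(value))


def kql_endswith(value: str, suffix: str) -> bool:
    """KQL `endswith` is case-insensitive."""
    return value.lower().endswith(suffix.lower())


def kql_eq(left: str, right: str) -> bool:
    """KQL `=~` is case-insensitive string equality."""
    return left.lower() == right.lower()


# Firefox clause exactly as published in the Downloads query:
#   (FileName !endswith ".js" or FolderPath !has "profile")
def firefox_as_published(row: Row) -> bool:
    return kql_eq(row["InitiatingProcessFileName"], "firefox.exe") and (
        not kql_endswith(row["FileName"], ".js")
        or not kql_has(row["FolderPath"], "profile")
    )


# Firefox clause as proposed in the issue: `or` replaced by `and`, so a row is
# dropped if EITHER exclusion condition holds rather than only if both hold.
def firefox_as_proposed(row: Row) -> bool:
    return kql_eq(row["InitiatingProcessFileName"], "firefox.exe") and (
        not kql_endswith(row["FileName"], ".js")
        and not kql_has(row["FolderPath"], "profile")
    )


# Chrome clause as published: keeps only partial downloads (.crdownload).
def chrome_as_published(row: Row) -> bool:
    return kql_eq(row["InitiatingProcessFileName"], "chrome.exe") and kql_endswith(
        row["FileName"], "crdownload"
    )


# Chrome clause as proposed: excludes the partial-download temp files instead.
def chrome_as_proposed(row: Row) -> bool:
    return kql_eq(row["InitiatingProcessFileName"], "chrome.exe") and not kql_endswith(
        row["FileName"], "crdownload"
    )


def matching_filenames(rows: List[Row], predicate: Callable[[Row], bool]) -> List[str]:
    """Return the FileName of every row the predicate keeps, in input order."""
    return [r["FileName"] for r in rows if predicate(r)]


def _row(proc: str, name: str, folder: str) -> Row:
    return {"InitiatingProcessFileName": proc, "FileName": name, "FolderPath": folder}


# Constructed sample rows (not real telemetry). The last Firefox row uses a
# directory literally named "profile" so the `has "profile"` term can match.
SAMPLE_EVENTS: List[Row] = [
    _row("firefox.exe", "report.pdf", r"C:\Users\alice\Downloads\report.pdf"),
    _row("firefox.exe", "sessionstore.js",
         r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\sessionstore.js"),
    _row("firefox.exe", "payload.js", r"C:\Users\alice\Downloads\payload.js"),
    _row("firefox.exe", "prefs.bak",
         r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\prefs.bak"),
    _row("firefox.exe", "notes.txt", r"C:\Users\alice\Desktop\profile\notes.txt"),
    _row("chrome.exe", "setup.exe", r"C:\Users\alice\Downloads\setup.exe"),
    _row("chrome.exe", "setup.exe.crdownload", r"C:\Users\alice\Downloads\setup.exe.crdownload"),
]


if __name__ == "__main__":
    for label, pred in [("firefox published", firefox_as_published),
                        ("firefox proposed", firefox_as_proposed),
                        ("chrome published", chrome_as_published),
                        ("chrome proposed", chrome_as_proposed)]:
        print(f"{label:18s} -> {matching_filenames(SAMPLE_EVENTS, pred)}")
```

With `or`, the published Firefox clause only rejects a row when the file is a `.js` AND its path has the `profile` term, so every `.js` file and every file under a profile directory still passes; with `and`, both kinds of row are dropped. The Chrome clause as published keeps only the `.crdownload` temp file and drops the completed download. One further point the model makes visible: because `has` matches whole terms, `has "profile"` does not match a path segment spelled `Profiles`, which is consistent with the rewritten query in this thread using `!has "profiles"` instead.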

v-rusraut (Contributor) commented

Hi @kseyoss, please provide more details about the issue, including the name of the hunting query for which you are encountering the error.
