Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
File creation, modification, and other file system events
| Attribute | Value |
|---|---|
| Category | MDE |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable isfalseingestion isn't billed to your Azure account |
| ActionType | string | Type of activity that triggered the event. |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileOriginIP | string | IP address where the file was downloaded from. |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. |
| FileOriginUrl | string | URL where the file was downloaded from. |
| FileSize | long | Size of the file in bytes. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the process responsible for the event. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
| InitiatingProcessFileSize | long | Size in bytes of the process (image file) that initiated the event. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
| InitiatingProcessId | long | Process ID (PID) of the process that initiated the event. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentId | long | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessRemoteSessionDeviceName | string | Device name of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessRemoteSessionIP | string | IP address of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessSessionId | long | Windows session ID of the initiating process. |
| InitiatingProcessSHA1 | string | SHA-1 hash of the process (image file) that initiated the event. |
| InitiatingProcessSHA256 | string | SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. |
| InitiatingProcessUniqueId | string | Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices. |
| InitiatingProcessVersionInfoCompanyName | string | Company name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoFileDescription | string | Description from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoInternalFileName | string | Internal file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoOriginalFileName | string | Original file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductName | string | Product name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductVersion | string | Product version from the version information of the process (image file) responsible for the event. |
| IsAzureInfoProtectionApplied | bool | Indicates whether the file is encrypted by Azure Information Protection. |
| IsInitiatingProcessRemoteSession | bool | Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
| PreviousFileName | string | Original name of the file that was renamed as a result of the action. |
| PreviousFolderPath | string | Original folder containing the file before the recorded action was applied. |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity. |
| RequestAccountName | string | User name of account used to remotely initiate the activity. |
| RequestAccountSid | string | Security Identifier (SID) of the account used to remotely initiate the activity. |
| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS. |
| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity. |
| RequestSourcePort | int | Source port on the remote device that initiated the activity. |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection. |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently. |
| SHA1 | string | SHA-1 hash of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. |
| ShareName | string | Name of shared folder containing the file. |
| SourceSystem | string | The type of agent the event was collected by. For example,OpsManagerfor Windows agent, either direct connect or Operations Manager,Linuxfor all Linux agents, orAzurefor Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time the event was recorded by the MDE agent on the endpoint. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| ASR Bypassing Writing Executable Content | ActionType == "FileRenamed" |
| Hijack Execution Flow - DLL Side-Loading | |
| Ingress Tool Transfer - Certutil |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Terminated employee exfiltration to USB drive |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Files Copied to USB Drives | |
| Potential Build Process Compromise - MDE | ActionType in "FileCreated,FileModified" |
| Rare Process as a Service | |
| Remote File Creation with PsExec | |
| SUNBURST and SUPERNOVA backdoor hashes |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map File Hash to DeviceFileEvents Event |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map File Hash to DeviceFileEvents Event |
In solution Visa Threat Intelligence (VTI):
| Analytic Rule | Selection Criteria |
|---|---|
| VTI - High Severity SHA1 Collision Detection |
In solution Web Shells Threat Protection:
| Analytic Rule | Selection Criteria |
|---|---|
| Identify SysAid Server web shell creation |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 |
Standalone Content:
In solution Legacy IOC based Threat Protection:
| Hunting Query | Selection Criteria |
|---|---|
| Dev-0322 File Drop Activity November 2021 |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Dropping Payload via certutil | |
| Files Copied to USB Drives | |
| PrintNightmare CVE-2021-1675 usage Detection | ActionType == "FileCreated" |
| Rare Process as a Service | |
| Remote File Creation with PsExec | |
| Robbinhood Driver | |
| Suspicious DLLs in spool Folder | ActionType in "FileCreated,FileRenamed" |
| Suspicious Files in spool Folder | |
| Windows Print Spooler Service Suspicious File Creation | ActionType == "FileCreated" |
In solution Web Shells Threat Protection:
| Hunting Query | Selection Criteria |
|---|---|
| Exchange IIS Worker Dropping Webshells | |
| Possible webshell drop | ActionType in "FileCreated,FileModified,FileRenamed" |
| UMWorkerProcess Creating Webshell |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| MDE_BrowserExtensionInstalled | |
| MDE_FindLNKFilesOnEndpoints | |
| MDE_FindMountedISOandDriveLetters | |
| MDE_ShowUSBMountedandfilescopied |
GitHub Only:
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation |
In solution CybersecurityMaturityModelCertification(CMMC)2.0: ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user"
| Workbook |
|---|
| CybersecurityMaturityModelCertification_CMMCV2 |
In solution DORA Compliance:
| Workbook | Selection Criteria |
|---|---|
| DORACompliance |
In solution HIPAA Compliance:
| Workbook | Selection Criteria |
|---|---|
| HIPAACompliance |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForEndPoint |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| ExchangeCompromiseHunting | |
| MicrosoftDefenderForEndPoint | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| SolarWindsPostCompromiseHunting | ActionType == "RemoteInteractiveLogon"ActionType == "LdapSearch" |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimFileEventMicrosoft365D | FileEvent | Microsoft 365 Defender for EndPoint |
References by type: 0 connectors, 16 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
ActionType == "FileCreated" |
- | 9 | - | - | 9 |
ActionType in "FileCreated,FileModified" |
- | 2 | - | - | 2 |
ActionType in "FileCreated,FileRenamed" |
- | 2 | - | - | 2 |
ActionType == "FileRenamed" |
- | 1 | - | - | 1 |
ActionType in "FileCreated,FileModified,FileRenamed" |
- | 1 | - | - | 1 |
ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" |
- | 1 | - | - | 1 |
| Total | 0 | 16 | 0 | 0 | 16 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
FileCreated |
- | 14 | - | - | 14 |
FileRenamed |
- | 4 | - | - | 4 |
FileModified |
- | 3 | - | - | 3 |
Add member to role |
- | 1 | - | - | 1 |
Add user |
- | 1 | - | - | 1 |
InteractiveLogon |
- | 1 | - | - | 1 |
RemoteInteractiveLogon |
- | 1 | - | - | 1 |
Reset user password |
- | 1 | - | - | 1 |
ResourceAccess |
- | 1 | - | - | 1 |
Sign-in |
- | 1 | - | - | 1 |
Update user |
- | 1 | - | - | 1 |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊