Defender-DeviceFileEvents
5 events across 5 channels
| Event ID | Title | Channel |
|---|---|---|
| 9002000 | File activity (any) | DeviceFileEvents |
| 9002001 | File created | FileCreated |
| 9002002 | File modified | FileModified |
| 9002003 | File deleted | FileDeleted |
| 9002004 | File renamed | FileRenamed |
Event ID 9002000 — File activity (any)
Description
File activity (any)
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| ActionType | — |
| FileName | — |
| FolderPath | — |
| SHA256 | — |
| FileSize | — |
| InitiatingProcessFileName | — |
| InitiatingProcessCommandLine | — |
| InitiatingProcessAccountName | — |
Detection Patterns
Sunburst And Supernova Backdoor
Execution: User Execution
Defender-DeviceFileEvents Event ID 9002000: File activity → Security-Auditing Event ID 4663: An attempt was made to access an object. → Sysmon Event ID 11: FileCreate
1 rule
Kusto Query Language
Lateral Movement: Lateral Tool Transfer
Defender-DeviceFileEvents Event ID 9002000: File activity AND Security-Auditing Event ID 4663: An attempt was made to access an object. AND Sysmon Event ID 11: FileCreate
1 rule
Kusto Query Language
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
Event ID 9002001 — File created
Description
File created
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| FileName | — |
| FolderPath | — |
| SHA256 | — |
| InitiatingProcessFileName | — |
Detection Patterns
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
Event ID 9002002 — File modified
Description
File modified — Sysmon-2 fires on FileCreateTime change specifically; Defender's FileModified is broader. Approximate bridge.
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| FileName | — |
| FolderPath | — |
| SHA256 | — |
| InitiatingProcessFileName | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
Event ID 9002003 — File deleted
Description
File deleted
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| FileName | — |
| FolderPath | — |
| InitiatingProcessFileName | — |
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table
Event ID 9002004 — File renamed
Description
File renamed — No clean Windows-native equivalent.
Fields
| Name | Description |
|---|---|
| DeviceId | — |
| Timestamp | — |
| FileName | — |
| FolderPath | — |
| PreviousFileName | — |
| InitiatingProcessFileName | — |
Detection Rules
Kusto Query Language
- ASR Bypassing Writing Executable Content (source, level: medium): The query checks for any file which has been created/written by an Office application and shortly after renamed to one of the deny-listed "executable extensions" which are text files (e.g. .ps1, .js, .vbs).
References
- Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefileevents-table