deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 06:43:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

added function page fileprofile

Browse Source
This commit is contained in:
Marty Hernandez Avedon
2020-09-17 17:09:00 -04:00
parent 7244f328af
commit 3a46478e46
2 changed files with 86 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
View File

@ -1,5 +1,5 @@
--- ---
title: AssignedIPAddresses() function in advanced hunting for Microsoft Threat Protection title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh

85
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md Normal file
View File

@ -0,0 +1,85 @@
---
title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection
description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/20/2020
---
# FileProfile()
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
Column | Data type | Description
-|-|-
SHA1 | string | SHA-1 of the file that the recorded action was applied to
SHA256 | string | SHA-256 of the file that the recorded action was applied to
MD5 | string | MD5 hash of the file that the recorded action was applied to
FileSize | int | Size of the file in bytes
GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally
GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally
GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally
Signer | string | Information about the signer of the file
Issuer | string | Information about the issuing certificate authority (CA)
SignerHash | string | Unique hash value identifying the signer
IsCertificateValid | boolean | Whether the certificate used to sign the file is valid
IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft
IsExecutable | boolean | Whether the file is a Portable Executable (PE) file
ThreatName | string | Detection name for any malware or other threats found
Publisher | string | Name of the organization that published the file
SoftwareName | string | Name of the software product
## Syntax
```kusto
invoke FileProfile(x,y)
```
## Arguments
- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified
- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified
## Examples
### Project only the SHA1 column and enrich it
```kusto
DeviceFileEvents
| where isnotempty(SHA1) and Timestamp > ago(1d)
| take 10
| project SHA1
| invoke FileProfile()
```
### Enrich the first 500 records and list low-prevalence files
```kusto
DeviceFileEvents
| where ActionType == "FileCreated" and Timestamp > ago(1d)
| project CreatedOn = Timestamp, FileName, FolderPath, SHA1
| invoke FileProfile("SHA1", 500)
| where GlobalPrevalence < 15
```
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)