Live Response File Collection
Query
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "LiveResponseGetFile"
| extend FileName = tostring(parse_json(RawEventData).FileName), FileSHA256 = tostring(parse_json(RawEventData).FileSHA256)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId, SHA256 = FileSHA256
| invoke FileProfile(SHA256, 1000)
| project-reorder Timestamp, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId, GlobalPrevalence, SignatureStateAbout this query
Live Response File Collection
Query Information
Description
This query lists all the Getfile activities that have been executed. This includes listing the SHA256 hash of the collected file (when available).
References
- https://kqlquery.com/posts/leveraging-live-response/
- https://learn.microsoft.com/en-us/defender-endpoint/live-response-command-examples
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-fileprofile-function
- https://kqlquery.com/posts/audit-defender-xdr/
Defender XDR
Sentinel
CloudAppEvents
| where TimeGenerated > ago(30d)
| where ActionType == "LiveResponseGetFile"
| extend FileName = tostring(parse_json(RawEventData).FileName), FileSHA256 = tostring(parse_json(RawEventData).FileSHA256)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId, SHA256 = FileSHA256
| project-reorder TimeGenerated, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId
Explanation
This query is designed to track and list all "Getfile" activities executed within the last 30 days using Microsoft's Defender XDR and Sentinel platforms. It focuses on identifying files collected through live response actions, providing details such as the file name, SHA256 hash, and the account that initiated the action. Here's a simplified breakdown:
-
Data Source: The query pulls data from
CloudAppEvents, which logs various cloud application activities. -
Time Frame: It filters events to include only those that occurred in the past 30 days.
-
Action Type: It specifically looks for events where the action type is "LiveResponseGetFile", indicating a file was collected during a live response.
-
Data Extraction:
- It extracts the file name and SHA256 hash from the raw event data.
- It renames some fields for clarity, such as the account name and ID of the person who initiated the file collection.
-
Additional Analysis (Defender XDR only):
- It uses the
FileProfilefunction to gather additional information about the file, such as its global prevalence and signature state.
- It uses the
-
Output: The query organizes and displays the results with columns for the timestamp, file name, SHA256 hash, the account name and ID of the initiator, and additional file profile information (for Defender XDR).
In summary, this query helps security analysts monitor and audit file collection activities, providing insights into who collected which files and additional details about those files.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators