// Hunting query: which accounts touched Office documents / PDFs stored under
// folders whose path marks them as sensitive, and how often.
// Source table: DeviceFileEvents (Microsoft Defender advanced hunting).
DeviceFileEvents
// Restrict to the action types of interest first. `in` is a case-sensitive
// match, so the strings must use the schema's exact ActionType spelling.
// NOTE(review): confirm each listed value is actually emitted in
// DeviceFileEvents; a value the table never records silently matches nothing.
| where ActionType in ("FileAccessed","FileRead","FileModified","FileCopied","FileMoved")
// Document types in scope (`endswith` is case-insensitive).
| where FileName endswith ".docx"
    or FileName endswith ".pdf"
    or FileName endswith ".xlsx"
// Folder naming is the sensitivity signal (`contains` is a case-insensitive
// substring match, so "confidential" anywhere in the path qualifies).
| where FolderPath contains "Confidential"
    or FolderPath contains "Sensitive"
    or FolderPath contains "Restricted"
// Account that ran the acting process, surfaced as a string column named User.
| extend User = tostring(InitiatingProcessAccountName)
// One row per (file, account) pair with the number of matching events.
| summarize AccessCount = count() by FileName, User