Forum Discussion
akl472
Jan 22, 2025 Copper Contributor
How does Defender detect file version limit default changes?
Hi all, I am currently reviewing a historic article that mentions a Cloud Ransomware attack where attackers can change the default number of file versions saved by default. They change this from ...
akl472
Feb 27, 2025 Copper Contributor
Amazing, thank you! I don't have Sentinel, but do you know what table I need to query and what I need to look for using KQL to monitor for this?
luchete
Feb 28, 2025 Steel Contributor
Hey akl472,
You're welcome! If you don't have Sentinel, you can still use Defender for Endpoint and KQL to monitor for changes. For file version changes, the table you're most likely to query is AuditLog or SecurityAlert depending on the activity you're monitoring. Specifically, you would want to look for changes to file versioning settings, which may be logged under activity related to OneDrive or SharePoint.
In KQL, you can create a query like this:
AuditLog
| where ActivityDisplayName == "Change file versioning settings"
| where ResourceType == "OneDrive" or ResourceType == "SharePoint"
| project TimeGenerated, UserPrincipalName, Resource, ActivityDisplayName
You can tailor the query to look for specific file or folder actions related to versioning changes or unusual file behavior. This will give you an idea of changes made to the version settings.
Regards!
akl472
Feb 28, 2025 Copper Contributor
Amazing, thank you!
However, in Defender I don’t have the AuditLog or SecurityAlert tables to query. Do you know which tables would have this ActivityDisplayName, or alternative ActionType/name?