Under Review

List Office Macro documents touched on a client computer (from Data Lake)

Hi,

This Data Lake query finds all Office documents by file name in a given time frame, on a specific host or on all hosts (wildcard), and only those that have not been touched by a specific process (e.g. dropbox.exe).

Unfortunately it does not find office macro files. Aren't they "productivity_documents", too?

I can only find office macros with live query currently but I need to let it run against data lake.

Any idea how to modify the query to get docm, xlsm and so on from the Data Lake with the same level of information?

Variables:

SELECT
    meta_hostname AS ep_name,
    username,
    name AS by_process_name,
    event_type,
    filename,
    path AS full_file_path,
    file_extension,
    date_format(from_unixtime(time, 'Europe/Berlin'), '%Y-%m-%d %H:%i:%S') AS time
FROM
    xdr_data
WHERE
    query_name = 'access_productivity_documents'
    AND from_unixtime(time) BETWEEN from_unixtime($$__start_date$$) AND from_unixtime($$_end_date$$)
    AND meta_hostname LIKE '$$hostname$$'
    AND NOT name = '$$process_is_not$$'
    AND (file_extension = '$$file_extension1$$' OR file_extension = '$$file_extension2$$')
ORDER BY time DESC
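One way to cover the macro-enabled formats, as an added example that is not part of the original post: keep the same columns and variables, but match the macro-enabled extensions directly instead of the two-extension variables, and (assumption, since the post reports that 'access_productivity_documents' does not return them) drop the query_name filter so any xdr_data row for such a file is considered. The SELECT alias is renamed to event_time so that ORDER BY sorts on the raw epoch column rather than the formatted string.

```sql
-- Added example (not from the original post). Assumes macro-enabled Office
-- file accesses are present in xdr_data with the same columns, possibly
-- under a different query_name than 'access_productivity_documents'.
SELECT
    meta_hostname AS ep_name,
    username,
    name AS by_process_name,
    event_type,
    filename,
    path AS full_file_path,
    file_extension,
    date_format(from_unixtime(time, 'Europe/Berlin'), '%Y-%m-%d %H:%i:%S') AS event_time
FROM
    xdr_data
WHERE
    from_unixtime(time) BETWEEN from_unixtime($$__start_date$$) AND from_unixtime($$_end_date$$)
    AND meta_hostname LIKE '$$hostname$$'
    AND NOT name = '$$process_is_not$$'
    -- macro-enabled Word, Excel and PowerPoint formats; lower() guards
    -- against mixed-case extensions in the recorded file name
    AND lower(file_extension) IN ('docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam')
ORDER BY time DESC
```

Because the query_name filter is gone, the scan covers more of xdr_data, so keep the time window narrow and the hostname specific where possible.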
