This Data Lake query finds all Office documents by file name in a given time frame, on a specific host or on all hosts (wildcard), and only those that have not been touched by a specific process (e.g. dropbox.exe).
Unfortunately it does not find Office macro files. Aren't they "productivity_documents", too?
I can only find Office macros with Live Query currently, but I need to run it against the Data Lake.
Any idea how to modify the query to get docm, xlsm and so on from the Data Lake with the same level of information?
SELECT meta_hostname AS ep_name,
       username,
       name AS by_process_name,
       event_type,
       filename,
       path AS full_file_path,
       file_extension,
       date_format(from_unixtime(time, 'Europe/Berlin'), '%Y-%m-%d %H:%i:%S') AS time
FROM xdr_data
WHERE query_name = 'access_productivity_documents'
  AND from_unixtime(time) BETWEEN from_unixtime($$__start_date$$) AND from_unixtime($$_end_date$$)
  AND meta_hostname LIKE '$$hostname$$'
  AND NOT name = '$$process_is_not$$'
  AND (file_extension = '$$file_extension1$$' OR file_extension = '$$file_extension2$$')
ORDER BY time DESC
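An added example, not part of the original post: a diagnostic query that uses only the columns already present in the query above to check under which query_name (if any) rows for macro-enabled Office extensions land in xdr_data, followed by the same query rewritten with an IN list so the extension filter is not limited to two variables. It assumes that macro-file events exist in xdr_data under some query_name at all; the placeholder query_name and the extension list are constructed here.

```sql
-- Step 1 (constructed check): which query_name carries events for
-- macro-enabled Office extensions in the Data Lake, within the same time
-- window and host filter as the original query? Column names come from
-- the query in the post; the extension list is constructed here.
SELECT query_name,
       file_extension,
       count(*) AS events
FROM xdr_data
WHERE file_extension IN ('docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam')
  AND from_unixtime(time) BETWEEN from_unixtime($$__start_date$$) AND from_unixtime($$_end_date$$)
  AND meta_hostname LIKE '$$hostname$$'
GROUP BY query_name, file_extension
ORDER BY events DESC;

-- Step 2: the original query with the extension filter widened to an IN list
-- covering both plain and macro-enabled documents. '<query_name_from_step_1>'
-- is a placeholder; replace it with whatever step 1 reports for the macro rows.
SELECT meta_hostname AS ep_name,
       username,
       name AS by_process_name,
       event_type,
       filename,
       path AS full_file_path,
       file_extension,
       date_format(from_unixtime(time, 'Europe/Berlin'), '%Y-%m-%d %H:%i:%S') AS time
FROM xdr_data
WHERE query_name IN ('access_productivity_documents', '<query_name_from_step_1>')
  AND from_unixtime(time) BETWEEN from_unixtime($$__start_date$$) AND from_unixtime($$_end_date$$)
  AND meta_hostname LIKE '$$hostname$$'
  AND NOT name = '$$process_is_not$$'
  AND file_extension IN ('docx', 'xlsx', 'pptx', 'docm', 'xlsm', 'pptm')
ORDER BY time DESC;
```

If step 1 returns no rows for the macro-enabled extensions, the events are not in xdr_data for that window, and no change to the extension filter in step 2 will surface them.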