This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 65%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello, can anyone help me with querying all computers (Windows 10 and 11) in our organization to find the location of files with a specific extension *.ref using KQL in Advanced Hunting? Is it possible to base this query on the Organizational Unit (OU) of the computers in Active Directory? Regards.
@APTOS
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@APTOS Thank you for reaching out to us, As I understand you are looking for KQL query to find location of files with a specific extension *.ref using advance hunting.
As far i am aware, Microsoft Defender for Endpoint (MDE) collects events based on curated decisions, typically comprising signals deemed valuable by threat researchers.
You can use the below KQL query -
let MyDevices =
(
DeviceInfo | where OnboardingStatus == "Onboarded" and OSPlatform in ("Windows10","Windows10") | distinct DeviceId
);
DeviceFileEvents
| join MyDevices on DeviceId
| where Timestamp >= ago(7d)
| where FileName endswith ".csv"
| project Timestamp, DeviceName, FileName, FolderPath
Not sure, if MDE collect insights for "ref" extension, but you can give it a try using the above query.
We can't define OU path/as we don't have that info within MDE, you can set a device tag based on GPO. for example: GPO applied to "OU-A" ------> tag Devices-A
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Hello ,
Thanks.it's very helpful
i have added filesize to project but i get value in KB.
it's possible to have value in MB for example or Gb ?
Regards
@Givary-MSFT
Thanks a lot. It's helpful. I need to know if the data collected from MDE is in real-time. If not, how many hours/days does the collection take from the devices?
Regards
@APTOS As far I know data collected from MDE is in real-time - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/real-time-detections?view=o365-worldwide Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Hello @Givary-MSFT the query is functional. Is it possible for you to assist me in obtaining more information? For each device, I need to identify the most recent logon user to determine the computer owner. Additionally, I would like to sort the system tags. The system tags of a device are stored in the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging
it's role give you an information about your computer location
Thanks in advance
You can run a file extension query in the main menu search at the top. Just seach .ref without the wildcard. You can see logged on users on each device overview page.
Registry collection is less dependable in the device logs. The following query only returns the user SID.
let logons = DeviceLogonEvents
| where ActionType == "LogonSuccess"
| summarize LatestLogon=max(Timestamp) by DeviceName, AccountName;
logons
| join DeviceFileEvents on DeviceName
| where FileName endswith ".exe"
I recommend using ChatGPT or Microsoft Copilot to further refine.
@APTOS Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.