Azure-Sentinel/Exploration Queries/InputEntity_File/AlertsWithFile.txt

// Name: Alerts related to File
// Description: Any Alerts that fired related to a given File during the range of +6h and -3d
//
// Id: 82d58507-c4e6-4fae-9aa4-db58be3ef9a6
//
// Entity: #File
// Input: Filename
// Output: Host, Account
//
// QueryPeriod: +6h and -3d default, change as needed
//
// Data Source: SecurityAlert
//
// Tactics: #Persistence, #Discovery, #Lateral Movement, #Collection
//
let GetAllAlertsWithFile = (suspiciousEventTime:datetime, v_File:string){
let v_StartTime = suspiciousEventTime-1d;
let v_EndTime = suspiciousEventTime+1d;
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
| extend Computer = toupper(parse_json(ExtendedProperties).["Compromised Host"])
| where ExtendedProperties has v_File
};
// change datetime value and <filename> value below
GetAllAlertsWithFile(datetime('2019-01-18T10:36:07Z'), "<filename>")