Using KQL in Microsoft Defender to Query files on user computers

APTOS 221 Reputation points
2024-02-19T13:58:57.79+00:00

Hello, can anyone help me with querying all computers (Windows 10 and 11) in our organization to find the location of files with a specific extension *.ref using KQL in Advanced Hunting? Is it possible to base this query on the Organizational Unit (OU) of the computers in Active Directory? Regards.

Tags: Microsoft Security, Microsoft Defender, Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps

1 answer

  1. Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator
    2024-02-20T08:44:52.26+00:00

    @APTOS Thank you for reaching out to us. As I understand it, you are looking for a KQL query to find the location of files with a specific extension (*.ref) using Advanced Hunting.

    As far as I am aware, Microsoft Defender for Endpoint (MDE) collects events based on curated decisions, typically comprising signals deemed valuable by threat researchers.

    You can use the below KQL query -

    // Devices in scope: onboarded Windows 10 and Windows 11 (the original listed "Windows10" twice)
    let MyDevices =
        (
            DeviceInfo
            | where OnboardingStatus == "Onboarded" and OSPlatform in ("Windows10", "Windows11")
            | distinct DeviceId
        );
    // File events for the requested extension (*.ref rather than the .csv placeholder);
    // endswith is case-insensitive in KQL, so .REF is matched too
    DeviceFileEvents
    | join kind=inner MyDevices on DeviceId
    | where Timestamp >= ago(7d)
    | where FileName endswith ".ref"
    | project Timestamp, DeviceName, FileName, FolderPath
    

    Not sure if MDE collects insights for the "ref" extension, but you can give it a try using the above query.

    We can't use the OU path, as we don't have that info within MDE, but you can set a device tag based on a GPO. For example: a GPO applied to "OU-A" -> tag "Devices-A".

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
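As an added example (not part of the answer above), the following Advanced Hunting query combines the two points the answer makes: it scopes the device set by the GPO-set device tag instead of the OU, and it reports where *.ref files were seen. It assumes the GPO for the OU wrote the hypothetical tag "Devices-A" into the registry value `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\Group`, which Advanced Hunting exposes as `DeviceInfo.RegistryDeviceTag`. Note that `DeviceFileEvents` is an event stream, not a disk inventory: a file that was not created, modified, renamed or deleted inside the retention window (30 days in Advanced Hunting) will not appear, so for a point-in-time search of a specific device use Live Response `findfile` instead.

```kql
// Added example, not from the original answer.
// Assumptions: tag "Devices-A" is hypothetical; the GPO for OU-A sets it via
// HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\Group,
// which surfaces in DeviceInfo.RegistryDeviceTag.
let TargetTag = "Devices-A";   // hypothetical tag name written by the OU-A GPO
let TargetExt = ".ref";
let Lookback = 30d;            // Advanced Hunting retains at most 30 days of events
// Devices in scope: onboarded Windows 10/11 machines carrying the tag.
// DeviceInfo has many rows per device, so reduce to one DeviceId each.
let TaggedDevices =
    DeviceInfo
    | where Timestamp >= ago(Lookback)
    | where OnboardingStatus == "Onboarded"
    | where OSPlatform in ("Windows10", "Windows11")
    | where RegistryDeviceTag == TargetTag
    | distinct DeviceId;
DeviceFileEvents
| where Timestamp >= ago(Lookback)
| where FileName endswith TargetExt        // case-insensitive; use endswith_cs for exact case
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| join kind=inner TaggedDevices on DeviceId
// One row per device + folder + file name, with the last time it was touched,
// which gives the "where do these files live" view rather than a raw event list.
| summarize LastSeen = max(Timestamp), Events = count() by DeviceName, FolderPath, FileName
| order by DeviceName asc, LastSeen desc
```

To check that the tag is actually being picked up before relying on the join, run `DeviceInfo | where RegistryDeviceTag != "" | distinct RegistryDeviceTag` first; an empty result means the GPO has not applied or the sensor has not yet reported the new registry value.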

