File Write Events with Human-Readable File Sizes
The query lists file write events and converts the file size into readable units (KB, MB, GB, or TB), displaying timestamps, host details, filenames, and both raw and formatted file sizes.
Tags: EDR, hunting, FDR, intermediate
By CrowdStrike (cql-hub.com)
Query
// Select every event whose event_simpleName ends in FileWritten (e.g. PeFileWritten, ZipFileWritten)
#event_simpleName=/FileWritten$/
// Bucket the byte count into the largest fitting unit; the first matching branch wins
| case {
Size>=1099511627776 | CommonSize:=unit:convert(Size, to=T) | format("%,.2f TB",field=["CommonSize"], as="CommonSize");
Size>=1073741824 | CommonSize:=unit:convert(Size, to=G) | format("%,.2f GB",field=["CommonSize"], as="CommonSize");
Size>=1048576 | CommonSize:=unit:convert(Size, to=M) | format("%,.2f MB",field=["CommonSize"], as="CommonSize");
Size>=1024 | CommonSize:=unit:convert(Size, to=k) | format("%,.3f KB",field=["CommonSize"], as="CommonSize");
// Fallback: anything below 1 KB is shown in bytes
* | CommonSize:=format("%,.0f Bytes",field=["Size"]);
}
| table([@timestamp, aid, ComputerName, FileName, Size, CommonSize])
Explanation
Imported from cql-hub.com. Add the pipe-by-pipe explanation here.
Variables to adjust
Review and adjust the values to match your environment.
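As an added example that is not part of the cql-hub.com query, the same event filter and case{} bucketing reproduced in Python over constructed FileWritten events, so the thresholds and format strings can be checked offline. The divisors assume the 1024-based thresholds the query compares against; the sample events, hosts and sizes are constructed.

```python
# Added example, not from the original query: reimplements the query's
# #event_simpleName filter and case{} bucketing for offline checking.
import re
from typing import Dict, List

# Divisors assume the query's 1024-based thresholds (1048576 = 1 MiB).
TB, GB, MB, KB = 1024 ** 4, 1024 ** 3, 1024 ** 2, 1024

# Same filter as `#event_simpleName=/FileWritten$/`
FILE_WRITTEN = re.compile(r"FileWritten$")


def common_size(size: int) -> str:
    """Mirror the query's case{} block: the first matching branch wins."""
    if size >= TB:
        return f"{size / TB:,.2f} TB"
    if size >= GB:
        return f"{size / GB:,.2f} GB"
    if size >= MB:
        return f"{size / MB:,.2f} MB"
    if size >= KB:
        return f"{size / KB:,.3f} KB"
    return f"{size:,.0f} Bytes"  # the query's `*` fallback branch


def enrich(events: List[Dict]) -> List[Dict]:
    """Keep events matching the filter and add CommonSize, as table() shows."""
    rows = []
    for e in events:
        if not FILE_WRITTEN.search(e.get("event_simpleName", "")):
            continue
        rows.append({**e, "CommonSize": common_size(int(e["Size"]))})
    return rows


# Constructed sample events; values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"event_simpleName": "PeFileWritten", "@timestamp": "2024-05-01T08:00:00Z",
     "aid": "aid-0001", "ComputerName": "WS01", "FileName": "tool.exe", "Size": 2621440},
    {"event_simpleName": "ZipFileWritten", "@timestamp": "2024-05-01T08:05:00Z",
     "aid": "aid-0001", "ComputerName": "WS01", "FileName": "archive.zip", "Size": 5368709120},
    {"event_simpleName": "NewExecutableWritten", "@timestamp": "2024-05-01T08:06:00Z",
     "aid": "aid-0002", "ComputerName": "WS02", "FileName": "dropped.exe", "Size": 700},
]

if __name__ == "__main__":
    for row in enrich(SAMPLE_EVENTS):
        print(row["@timestamp"], row["ComputerName"], row["FileName"], row["Size"], row["CommonSize"])
```

The third sample event is dropped because `NewExecutableWritten` does not end in `FileWritten`, which is exactly what the regex filter in the query does.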