FileCreationEvents
Definition
`FileCreationEvents` is a KC7 data table that shows when a new file is created on a computer inside the organization. Computers keep track of file activity so the operating system can function properly and so security tools can detect unusual or unauthorized changes. When a file is created, the system records who created it, where it was saved, and which program created it.

Analysts examine this data to spot early signs of malware or other harmful activity. For example, ransomware creates many encrypted files very quickly. Attackers may also place tools or scripts on a system during the early stages of an intrusion. This table helps detect those behaviors. Similar logging exists in real organizations through tools like Windows Event Logs, Endpoint Detection and Response (EDR) systems, and file monitoring services.

| Field | What it means in simple terms |
| ---------------- | ------------------------------------------------------------------- |
| **timestamp** | When the file was created |
| **hostname** | The specific computer where the file was created |
| **username** | The user account that created or triggered the creation of the file |
| **sha256** | A unique fingerprint of the file for identifying exact matches |
| **path** | The full folder location where the file was stored |
| **filename** | The name of the file that was created |
| **process_name** | The program or tool responsible for creating the file |

**How analysts use this table**

* Detect malware that drops or creates files on a system
* Track where suspicious files appear and who created them
* See which programs are creating files they normally should not create
* Identify files created on sensitive servers or directories

**Example query**

```kql
FileCreationEvents
| where process_name contains "powershell"
| project timestamp, hostname, username, filename
```

This highlights files created using PowerShell, which can point to malicious scripts or attacker activity. Legitimate administration scripts also create files through PowerShell, so analysts usually review the path, username, and filename before treating a match as malicious.
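The two detections the definition describes, as an added example that is not part of the KC7 glossary or its query engine: a Python equivalent of the `process_name contains "powershell"` query above, plus a sliding-window check for one process creating an unusual number of files on a host in a short time (the rapid-creation pattern attributed to ransomware). The rows are constructed to match the table's column layout; the hostnames, usernames, paths and the `enc.exe` process name are invented sample values, and the 60-second window and threshold of 25 files are illustrative choices, not KC7 settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _row(ts, host, user, digest_char, path, filename, proc):
    """Build one constructed FileCreationEvents row (column names as in the table above)."""
    return {"timestamp": ts, "hostname": host, "username": user,
            "sha256": digest_char * 64, "path": path, "filename": filename,
            "process_name": proc}


# Constructed sample data, not real KC7 events. Hosts, users and paths are invented.
SAMPLE_EVENTS = [
    _row("2024-03-01T09:00:00", "WS-014", "jdoe", "a", r"C:\Users\jdoe\Documents",
         "budget.xlsx", "EXCEL.EXE"),
    _row("2024-03-01T09:05:10", "WS-014", "jdoe", "b", r"C:\Users\jdoe\AppData\Local\Temp",
         "update.ps1", "powershell.exe"),
    _row("2024-03-01T09:05:12", "WS-014", "jdoe", "c", r"C:\Users\jdoe\AppData\Local\Temp",
         "svc.dll", "PowerShell.exe"),
    _row("2024-03-01T09:30:00", "FS-01", "svc_backup", "d", r"D:\Backups",
         "nightly.bak", "backup.exe"),
]
# One host writing 40 files in 20 seconds from a single (invented) process: the burst shape
# the definition attributes to ransomware.
SAMPLE_EVENTS += [
    _row(f"2024-03-01T10:00:{i // 2:02d}", "WS-022", "msmith", "e",
         r"C:\Users\msmith\Documents", f"report_{i}.docx.locked", "enc.exe")
    for i in range(40)
]


def files_created_by(events, needle):
    """Python form of the page's KQL query:
        FileCreationEvents
        | where process_name contains "<needle>"
        | project timestamp, hostname, username, filename
    KQL `contains` is case-insensitive, so both sides are lowercased before comparing.
    """
    needle = needle.lower()
    return [{k: e[k] for k in ("timestamp", "hostname", "username", "filename")}
            for e in events if needle in e["process_name"].lower()]


def burst_hosts(events, window=timedelta(seconds=60), threshold=25):
    """Flag hosts where one process created more than `threshold` files inside any
    `window`-long span. Returns {hostname: (process_name, peak_count)} for flagged hosts.
    The window and threshold are illustrative assumptions; tune them per environment."""
    by_key = defaultdict(list)
    for e in events:
        key = (e["hostname"], e["process_name"].lower())
        by_key[key].append(datetime.fromisoformat(e["timestamp"]))

    flagged = {}
    for (host, proc), times in by_key.items():
        times.sort()
        start, peak = 0, 0
        # Two-pointer sliding window: advance `start` until the span fits in `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[host] = (proc, peak)
    return flagged


if __name__ == "__main__":
    for row in files_created_by(SAMPLE_EVENTS, "powershell"):
        print("powershell-created:", row)
    print("burst hosts:", burst_hosts(SAMPLE_EVENTS))
```

`files_created_by` returns only the four projected columns, mirroring the `project` clause; the burst check groups by host and process because a single user saving many documents from one application is normal, while one process touching dozens of files in seconds is what warrants a look at the matching `path` and `sha256` values.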