Workflow Template: File Prevalence Check on MS Defender for Endpoint

Checks whether a file (by SHA1 hash) is widely distributed across the org before allowing automated remediation.

Updated over 2 weeks ago

The "File Prevalence Check on MS Defender for Endpoint" workflow template supports threat hunting by assessing how widely a file, identified by its SHA1 hash, is distributed within an organization. It fetches the file's statistics from Microsoft Defender for Endpoint and compares the file's organizational prevalence (orgPrevalence) against predefined thresholds to determine the risk level. The workflow outputs a JSON risk assessment that guides whether to halt, review, or proceed with automated remediation based on the file's prevalence.

Use Cases

Threat Hunting

Workflow Breakdown

  1. Fetch org + global file statistics by file's SHA1 hash.

  2. Evaluate orgPrevalence against HIGH / MEDIUM / LOW thresholds.

  3. Output risk assessment JSON.

Vendors

Utils, Microsoft Defender for Endpoint

Workflow Output

JSON risk assessment with a verdict:

  1. HIGH (> High Prevalence Threshold): hard stop, do not remediate.

  2. MEDIUM (Low–High Prevalence Threshold): soft stop, analyst review required.

  3. LOW (< Low Prevalence Threshold): cleared for automated remediation.
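The three-step breakdown above and the verdict rules in this section can be expressed as a single stand-alone check. The following Python is an added example written for this page, not the workflow template's own code: the threshold values, the Defender for Endpoint file-statistics URL, the `globalPrevalence` field name and the sample statistics records are assumptions constructed for illustration (only `orgPrevalence` and the SHA1 lookup come from the template description). The network fetch is included for completeness but the evaluation runs fully offline; it also covers the case the page's rules leave open, a missing or non-numeric `orgPrevalence`, by failing closed into analyst review rather than clearing remediation.

```python
"""File prevalence check: fetch org prevalence for a SHA1, map it to a verdict.

Added example for illustration; not the vendor's workflow template code.
"""
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional

# Assumed threshold values; the template's real Low/High Prevalence
# Threshold parameters are configured per deployment.
LOW_PREVALENCE_THRESHOLD = 5
HIGH_PREVALENCE_THRESHOLD = 50

# Assumed MDE "file statistics" endpoint; token acquisition is out of scope here.
MDE_FILE_STATS_URL = "https://api.securitycenter.microsoft.com/api/files/{sha1}/stats"

_SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def is_sha1(value: str) -> bool:
    """True only for a well-formed 40-hex-char SHA1; rejects junk before it reaches a URL."""
    return isinstance(value, str) and bool(_SHA1_RE.match(value))


def fetch_file_stats(sha1: str, bearer_token: str) -> Dict[str, Any]:
    """Step 1: fetch org + global statistics for the hash (live call, not exercised offline)."""
    if not is_sha1(sha1):
        raise ValueError("refusing lookup: not a SHA1 hex digest")
    req = urllib.request.Request(
        MDE_FILE_STATS_URL.format(sha1=sha1.lower()),
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _as_count(raw: Any) -> Optional[int]:
    """Coerce the prevalence field to a non-negative int; None if absent or malformed."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    return value if value >= 0 else None


def assess_prevalence(
    stats: Dict[str, Any],
    low: int = LOW_PREVALENCE_THRESHOLD,
    high: int = HIGH_PREVALENCE_THRESHOLD,
) -> Dict[str, Any]:
    """Steps 2 and 3: compare orgPrevalence against thresholds, return the risk JSON.

    HIGH   : orgPrevalence > high        -> hard stop, never remediate automatically
    MEDIUM : low <= orgPrevalence <= high -> soft stop, analyst review
    LOW    : orgPrevalence < low          -> cleared for automated remediation
    UNKNOWN: field missing/invalid        -> treated like MEDIUM (fail closed)
    """
    if low > high:
        raise ValueError("low threshold must not exceed high threshold")
    org_prev = _as_count(stats.get("orgPrevalence"))
    result: Dict[str, Any] = {
        "sha1": stats.get("sha1"),
        "orgPrevalence": org_prev,
        "globalPrevalence": _as_count(stats.get("globalPrevalence")),  # assumed field
        "thresholds": {"low": low, "high": high},
    }
    if org_prev is None:
        result.update(verdict="UNKNOWN", action="soft_stop", remediate=False,
                      reason="orgPrevalence missing or non-numeric; analyst review required")
    elif org_prev > high:
        result.update(verdict="HIGH", action="hard_stop", remediate=False,
                      reason=f"orgPrevalence {org_prev} exceeds high threshold {high}")
    elif org_prev < low:
        result.update(verdict="LOW", action="proceed", remediate=True,
                      reason=f"orgPrevalence {org_prev} below low threshold {low}")
    else:
        result.update(verdict="MEDIUM", action="soft_stop", remediate=False,
                      reason=f"orgPrevalence {org_prev} within [{low}, {high}]")
    return result


# Constructed sample responses (not real MDE data) covering each verdict branch.
SAMPLE_STATS: List[Dict[str, Any]] = [
    {"sha1": "a" * 40, "orgPrevalence": 120, "globalPrevalence": 900000},
    {"sha1": "b" * 40, "orgPrevalence": "50", "globalPrevalence": 4000},
    {"sha1": "c" * 40, "orgPrevalence": 2, "globalPrevalence": 3},
    {"sha1": "d" * 40},  # prevalence field absent: must not be auto-remediated
]


def run_demo() -> List[Dict[str, Any]]:
    """Evaluate every sample record and return the list of risk assessments."""
    return [assess_prevalence(s) for s in SAMPLE_STATS]


if __name__ == "__main__":
    for assessment in run_demo():
        print(json.dumps(assessment, indent=2))
```

The boundary handling follows the verdict table literally: a prevalence equal to either threshold is MEDIUM, since HIGH requires strictly greater than the high threshold and LOW strictly less than the low one. Only the LOW branch sets `remediate` to `True`, so a downstream automation step can key on that single boolean and any unexpected input defaults to a stop.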