Microsoft Defender for Endpoint KQL - Action Types

Vasilije Djurovic 66 Reputation points
2024-01-10T11:10:57.47+00:00

Hello Everyone,

I was wondering if someone can explain to me the difference between action types in Microsoft Defender for Endpoint when hunting events via Advanced Hunting.

We wanted to have deeper visibility into how many users downloaded the attachment from Outlook that contains the malicious test document, since we performed a phishing test in our company.

When I try to look for the events in an advanced hunting query I get the "FileCreated" and "FileModified" action types, but they typically refer to Outlook's temp data folder, not the Downloads folder. How can I be certain whether users maybe opened the files via a web browser, or as a temp file on the machine? These file events are unclear to me; can someone please explain them a little better?

Best Regards.
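An added example, not from the original question or answer: a KQL query over the Advanced Hunting `DeviceFileEvents` table that lists every FileCreated / FileModified / FileRenamed event for the test document and classifies each by where the file landed and which process wrote it. The file name and hash are placeholders; the folder patterns (Outlook's `Content.Outlook` cache, `Downloads`, `INetCache`) and the use of `FileOriginUrl` as a sign that the file arrived through a browser are assumptions about a typical Windows client.

```kql
// Added example (not from the original thread). Per user, count the file events
// produced when the phishing-test attachment lands on disk and classify where it
// landed and what wrote it. Replace the placeholders with the real test document.
let TestDocName = "PLACEHOLDER-test-document.docx";   // assumption: the test file name
let TestDocSha256 = "PLACEHOLDER-sha256";             // assumption: its hash, if known
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName =~ TestDocName or SHA256 =~ TestDocSha256
// Where did the file land? (assumed folder patterns for a typical Windows client)
| extend Location = case(
    FolderPath contains @"\Content.Outlook\", "Outlook temp cache (opened from the mail client)",
    FolderPath contains @"\Downloads\",       "Downloads folder (saved or browser download)",
    FolderPath contains @"\INetCache\" or FolderPath contains @"\Temp\", "Other temp / browser cache",
    "Other")
// What wrote it? A populated FileOriginUrl is recorded from the Mark-of-the-Web,
// which points to a browser (or other MotW-aware) download rather than Outlook.
| extend Source = case(
    isnotempty(FileOriginUrl),                  "Web download (origin URL present)",
    InitiatingProcessFileName =~ "outlook.exe", "Outlook client",
    InitiatingProcessFileName)
| summarize Events      = count(),
            Devices     = dcount(DeviceName),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            ActionTypes = make_set(ActionType),
            Folders     = make_set(FolderPath, 5)
    by InitiatingProcessAccountName, Location, Source
| order by Events desc
```

Each row is one user / location / source combination, so the number of distinct `InitiatingProcessAccountName` values across the rows is the number of users who got the document onto disk, and the Location and Source columns separate Outlook cache writes from saves to Downloads and from browser downloads.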


1 answer

  1. Crystal-MSFT 45,986 Reputation points Microsoft Vendor
    2024-01-11T01:50:16.2733333+00:00

    @Vasilije Djurovic, Thanks for posting in Q&A. From your description, it seems the question is related to Microsoft Defender for Endpoint, which we are not familiar with. You can contact support via the following link to get help:

    https://video2.skills-academy.com/en-us/microsoft-365/security/defender-endpoint/contact-support?view=o365-worldwide

    Thanks for your understanding.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
