Endpoint agent consistent 90+% CPU for some PCs

I ran some updates on an old Windows 10 machine that was sorely out of date. The Elastic Endpoint records all file change events that happen on the system. Using these logs and Lens, I was able to find which processes were responsible for all the file activity within the suspected time window. I will provide a screenshot below of the results. As suspected, the Windows Update service is responsible for creating quite a bit of file write activity on my host machine. To create a query I went to Visualize -> Create. In the Search I entered host.hostname : "TARGET_HOSTNAME". Then click Add Filter and add event.type: is one of change, deletion, creation.

It might be worth creating a Trusted Application entry to help avoid processing some of these Windows Update file writes. Trusted Applications are located at Security > Administration > Trusted applications. We suggest adding the full path to TiWorker.exe as well as the signature (Microsoft Windows).

We do not recommend putting svchost.exe on the Trusted Application list as it can open you up to security vulnerabilities. Another important note is that this was all done with the 7.11 Agent and Endpoint. We are continually adding features to allow users to tweak their individual installations.
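The same triage the post did in Lens (filter to one host, keep only file change/deletion/creation events in a time window, count per process) can be reproduced offline over exported Endpoint events. This is an added example, not code from the post or from Elastic; the ECS field names are real, but the events, the TiWorker.exe path and the time window are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timezone

# Event types matching the Lens filter "event.type is one of change, deletion, creation".
FILE_EVENT_TYPES = {"change", "deletion", "creation"}

def _ev(ts, host, types, exe):
    """Build a minimal ECS-shaped Endpoint event (constructed sample data, not real telemetry)."""
    return {"@timestamp": ts, "host": {"hostname": host},
            "event": {"type": types}, "process": {"executable": exe}}

# Paths are assumptions; the real TiWorker.exe lives under a versioned WinSxS directory.
TIWORKER = "C:\\Windows\\WinSxS\\<constructed-dir>\\TiWorker.exe"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"

SAMPLE_EVENTS = [
    _ev("2021-03-01T10:00:05Z", "TARGET_HOSTNAME", ["creation"], TIWORKER),
    _ev("2021-03-01T10:00:06Z", "TARGET_HOSTNAME", ["change"], TIWORKER),
    _ev("2021-03-01T10:00:07Z", "TARGET_HOSTNAME", ["deletion"], TIWORKER),
    _ev("2021-03-01T10:00:08Z", "TARGET_HOSTNAME", ["change"], SVCHOST),
    _ev("2021-03-01T10:00:09Z", "TARGET_HOSTNAME", ["start"], SVCHOST),     # process event, not a file event
    _ev("2021-03-01T10:00:10Z", "OTHER-HOST", ["creation"], TIWORKER),      # different host, excluded
    _ev("2021-03-01T11:30:00Z", "TARGET_HOSTNAME", ["change"], TIWORKER),   # outside the window, excluded
]
WINDOW_START = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 1, 10, 5, tzinfo=timezone.utc)

def file_events_by_process(events, hostname, start, end):
    """Count file change/deletion/creation events per process.executable for one host
    inside [start, end]: the same aggregation the Lens visualization produced."""
    counts = Counter()
    for ev in events:
        if ev.get("host", {}).get("hostname") != hostname:
            continue
        types = ev.get("event", {}).get("type", [])
        types = [types] if isinstance(types, str) else types   # event.type may be a scalar or a list
        if not FILE_EVENT_TYPES.intersection(types):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if not (start <= ts <= end):
            continue
        counts[ev.get("process", {}).get("executable", "<unknown>")] += 1
    return counts

def top_file_writers(events, hostname, start, end, n=5):
    """Return the n noisiest processes as (executable, count, share_of_total) tuples."""
    counts = file_events_by_process(events, hostname, start, end)
    total = sum(counts.values()) or 1
    return [(exe, c, c / total) for exe, c in counts.most_common(n)]

if __name__ == "__main__":
    for exe, c, share in top_file_writers(SAMPLE_EVENTS, "TARGET_HOSTNAME", WINDOW_START, WINDOW_END):
        print(f"{c:4d}  {share:6.1%}  {exe}")
```

A process that dominates the count, like TiWorker.exe here, is a candidate for a Trusted Application entry keyed on full path plus signer; a shared host process such as svchost.exe should stay in the list precisely because many unrelated services run under it.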