I am looking for documentation on how to build an Advanced Hunting query in Microsoft Defender for Endpoint where I can use the "File paths" in the KQL query.
The field is in the Software Inventory under devices and in the section Software Evidence. See below screen dump:
You are looking for one of the pages under the Data Tables schema.
My first guess would have been DeviceTvmSoftwareInventory, however that does not seem to include the path.
There are other tables which contain path: DeviceFileEvents and DeviceImageLoadEvents could be the ones you are looking for, depending on the use case you are trying. The following queries could be a good start.
or
If you have the full path of every software you are looking for, you can also use FolderPath == the escaped path (double \\ in the path).
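An added example, not part of the original answer: one way to hunt for a known path across the two tables named above. The folder and file path are constructed placeholders to be replaced with a value shown under Software Evidence, and the 30-day window is an assumption.

```kql
// Constructed sample values: substitute a path shown under Software Evidence.
let TargetFolder = @"C:\Program Files\ExampleApp";                 // verbatim string, no escaping needed
let TargetFile   = "C:\\Program Files\\ExampleApp\\example.exe";   // regular string, each backslash doubled
// Query both tables at once and record which table each row came from.
union withsource=SourceTable DeviceFileEvents, DeviceImageLoadEvents
| where Timestamp > ago(30d)
// startswith and =~ are case-insensitive, which suits Windows paths.
// The prefix match covers everything under the install folder;
// the =~ match is the exact full-path comparison using the escaped form.
| where FolderPath startswith TargetFolder or FolderPath =~ TargetFile
// One row per device, table and path, with the time range it was seen.
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Files     = make_set(FileName, 25)
         by DeviceName, SourceTable, FolderPath
| order by DeviceName asc, LastSeen desc
```

These tables record file and image-load events, so a device only appears if the file was touched or loaded within the time window; software that sat unused will not show up.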