Query Details

Anonymous Access To Files By Suspicious IP Addresses

Query

**Anonymous access to files by suspicious IP addresses**

This new query reviews connections that use an anonymous proxy and have activity on OneDrive/SharePoint files.
I found multiple cases of malicious IPs using urn:spo:anon# or anonymous access, which are examples of an external user accessing a SharePoint/OneDrive file shared without any restrictions.

```kql
CloudAppEvents
// keep only connections made through an anonymous proxy
| where IsAnonymousProxy == 1
// drop Exchange activity; the focus is SharePoint/OneDrive file events
| where Application !has "Exchange"
// drop events whose raw event data contains an e-mail address
| where RawEventData !has "@"
// pull the acting identity and the file's relative URL out of the raw audit record
| extend userID = RawEventData.UserId
| extend SourceRelativeUrl = RawEventData.SourceRelativeUrl
| project Timestamp, ObjectName, ObjectType, SourceRelativeUrl, CountryCode, IPAddress, userID, ActionType,
    Application, DeviceType, OSPlatform, ISP, IsAdminOperation, AccountType, IsImpersonated,
    UserAgentTags, OAuthAppId, RawEventData
| sort by ObjectName
```

Explanation

This query is designed to identify and review connections to OneDrive or SharePoint files that are made through anonymous proxies, which could indicate suspicious activity. Here's a simplified breakdown of what the query does:

  1. Filter for Anonymous Proxies: It starts by filtering the CloudAppEvents dataset to only include events where the connection was made through an anonymous proxy (IsAnonymousProxy == 1).

  2. Exclude Exchange Application: It further filters out any events related to the Exchange application (Application !has "Exchange").

  3. Exclude Events with Email Addresses: It excludes events that contain email addresses in the raw event data (RawEventData !has "@").

  4. Extract Relevant Information: It extracts two fields from the raw event data, the user ID (userID) and the relative URL of the source file (SourceRelativeUrl).

  5. Select and Display Specific Fields: It selects and displays specific fields like the timestamp, object name, object type, source URL, country code, IP address, user ID, action type, application, device type, OS platform, ISP, admin operation status, account type, impersonation status, user agent tags, OAuth app ID, and the raw event data.

  6. Sort by Object Name: Finally, it sorts the results by the object name.

In summary, this query helps to identify and analyze potentially suspicious access to OneDrive or SharePoint files that are shared without restrictions and accessed via anonymous proxies, excluding certain types of events to focus on the most relevant data.
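The query above lists every matching event individually. As an added example that is not part of the original query, the following KQL keeps the same filters but summarises the activity per source IP, so that one anonymous-proxy address touching many distinct files, or using an anonymous (urn:spo:anon#) sharing-link identity, stands out for triage. It assumes RawEventData carries the SharePoint audit fields UserId, SourceRelativeUrl and SiteUrl; the 7-day lookback and the "3 distinct files" threshold are assumed starting points to tune.

```kql
// Added example: per-IP roll-up of anonymous-proxy SharePoint/OneDrive file activity.
// Assumptions: RawEventData exposes UserId, SourceRelativeUrl and SiteUrl; lookback and
// the distinct-file threshold are placeholders to tune for your tenant.
let lookback = 7d;
CloudAppEvents
| where Timestamp > ago(lookback)
| where IsAnonymousProxy == 1
| where Application !has "Exchange"
| where RawEventData !has "@"
| extend userID = tostring(RawEventData.UserId)
| extend SourceRelativeUrl = tostring(RawEventData.SourceRelativeUrl)
| extend SiteUrl = tostring(RawEventData.SiteUrl)
// urn:spo:anon# identities are sessions opened through an anonymous sharing link
| extend IsAnonLink = userID startswith "urn:spo:anon#"
| summarize
    Events = count(),
    DistinctFiles = dcount(ObjectName),
    AnonLinkEvents = countif(IsAnonLink),
    Actions = make_set(ActionType, 10),
    Files = make_set(ObjectName, 20),
    Sites = make_set(SiteUrl, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by IPAddress, CountryCode, ISP, Application
// surface IPs that used an anonymous link at all, or that reached several distinct files
| where AnonLinkEvents > 0 or DistinctFiles >= 3
| order by DistinctFiles desc, Events desc
```

Each result row is one source IP; pivot back to the original event-level query on IPAddress to see the individual file actions before deciding whether to revoke the anonymous sharing links involved.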

Details


Sergio Albea

Released: August 6, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, SharePoint, OneDrive, Files, IP Addresses, User

Operators

CloudAppEvents, where, ==, !has, extend, project, sort by
