Query Details

DCA Form Phishing Status Changed

Query

//Alert when the phishing status of a Microsoft Form is changed. This could be a sign that one of your accounts has been compromised and is being used to host malicious Forms

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query
CloudAppEvents
| where TimeGenerated > ago (7d)
| extend Operation = tostring(RawEventData.Operation)
| where Operation == "UpdatePhishingStatus"
| extend UserId = tostring(RawEventData.UserId)
| extend Workload = tostring(RawEventData.Workload)
| extend FormStatus = tostring(parse_json(tostring(RawEventData.ActivityParameters)).FormPhishingStatus)
| extend FormId = tostring(RawEventData.FormId)
| extend FormName = tostring(RawEventData.FormName)
| where FormStatus == "Auto Blocked"
| project TimeGenerated, Operation, UserId, FormStatus, FormName, FormId

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

CloudAppEvents
| where Timestamp > ago (7d)
| extend Operation = tostring(RawEventData.Operation)
| where Operation == "UpdatePhishingStatus"
| extend UserId = tostring(RawEventData.UserId)
| extend Workload = tostring(RawEventData.Workload)
| extend FormStatus = tostring(parse_json(tostring(RawEventData.ActivityParameters)).FormPhishingStatus)
| extend FormId = tostring(RawEventData.FormId)
| extend FormName = tostring(RawEventData.FormName)
| where FormStatus == "Auto Blocked"
| project Timestamp, Operation, UserId, FormStatus, FormName, FormId

Explanation

This query detects when the phishing status of a Microsoft Form is changed. This matters because it could indicate that one of your accounts has been compromised and is being used to host malicious Forms. The query looks for UpdatePhishingStatus events from the last 7 days in which the FormPhishingStatus value, read from the JSON string nested in RawEventData.ActivityParameters, is "Auto Blocked". It projects the timestamp, operation, user ID, form status, form name, and form ID for further investigation. Two different data connectors are named depending on the platform being used: M365 Defender - CloudAppEvents for Microsoft Sentinel, and an Advanced Hunting license for Advanced Hunting.
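To check the query's filter logic offline, the following is an added example (not part of the original page or the author's query) that re-implements the same conditions in Python over a few constructed CloudAppEvents rows. It assumes the record layout the KQL walks: RawEventData is an object and ActivityParameters inside it is a JSON string, which is why the query needs parse_json(tostring(...)) to reach FormPhishingStatus.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the CloudAppEvents records the page's
# query reads; values and identities are made up for this example.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(hours=2),
     "RawEventData": {"Operation": "UpdatePhishingStatus", "UserId": "alice@example.com",
                      "Workload": "MicrosoftForms", "FormId": "form-0001", "FormName": "Payroll Update",
                      "ActivityParameters": json.dumps({"FormPhishingStatus": "Auto Blocked"})}},
    {"TimeGenerated": NOW - timedelta(days=1),
     "RawEventData": {"Operation": "UpdatePhishingStatus", "UserId": "bob@example.com",
                      "Workload": "MicrosoftForms", "FormId": "form-0002", "FormName": "Team Survey",
                      "ActivityParameters": json.dumps({"FormPhishingStatus": "Not Phishing"})}},
    {"TimeGenerated": NOW - timedelta(days=9),  # outside the 7-day window
     "RawEventData": {"Operation": "UpdatePhishingStatus", "UserId": "carol@example.com",
                      "Workload": "MicrosoftForms", "FormId": "form-0003", "FormName": "Old Form",
                      "ActivityParameters": json.dumps({"FormPhishingStatus": "Auto Blocked"})}},
    {"TimeGenerated": NOW - timedelta(hours=1),  # different operation
     "RawEventData": {"Operation": "CreateForm", "UserId": "dave@example.com",
                      "Workload": "MicrosoftForms", "FormId": "form-0004", "FormName": "Lunch Order",
                      "ActivityParameters": "{}"}},
]

def form_status(raw: dict) -> str:
    """Mirror parse_json(tostring(RawEventData.ActivityParameters)).FormPhishingStatus;
    malformed or non-object parameters yield "" so the row simply fails the filter."""
    params = raw.get("ActivityParameters", "")
    try:
        parsed = json.loads(params) if isinstance(params, str) else params
    except json.JSONDecodeError:
        return ""
    if not isinstance(parsed, dict):
        return ""
    return str(parsed.get("FormPhishingStatus", ""))

def auto_blocked_forms(events, now=NOW, lookback=timedelta(days=7)):
    """Apply the query's three filters and return the projected columns."""
    hits = []
    for ev in events:
        raw = ev["RawEventData"]
        if ev["TimeGenerated"] <= now - lookback:           # TimeGenerated > ago(7d)
            continue
        if raw.get("Operation") != "UpdatePhishingStatus":   # Operation filter
            continue
        if form_status(raw) != "Auto Blocked":               # FormStatus filter
            continue
        hits.append({"TimeGenerated": ev["TimeGenerated"], "Operation": raw["Operation"],
                     "UserId": raw.get("UserId"), "FormStatus": "Auto Blocked",
                     "FormName": raw.get("FormName"), "FormId": raw.get("FormId")})
    return hits
```

Running auto_blocked_forms(SAMPLE_EVENTS) returns only the form-0001 row: the other rows are dropped by the window, the status value, or the operation check respectively.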

Details

Matt Zorich

Released: June 17, 2022

Tables

CloudAppEvents

Keywords

CloudAppEvents,TimeGenerated,Operation,UserId,FormStatus,FormName,FormId
