Query Details
Detect Personal One Drive Sync On Corporate Endpoints
Query
// https://www.microsoft.com/en-us/microsoft-365/roadmap?id=490064 DeviceRegistryEvents | where TimeGenerated > ago(1h) | where ActionType == "RegistryKeyCreated" or ActionType == "RegistryValueSet" | where RegistryKey has "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\OneDrive\\Personal"
Explanation
This KQL (Kusto Query Language) query is designed to search through device registry events and identify specific changes made within the last hour. Here's a simple breakdown of what the query does:
-
Data Source: It looks at the
DeviceRegistryEventstable, which contains records of changes made to the Windows registry on devices. -
Time Filter: It filters the events to only include those that occurred in the last hour (
TimeGenerated > ago(1h)). -
Action Type Filter: It further narrows down the results to include only events where a registry key was created (
RegistryKeyCreated) or a registry value was set (RegistryValueSet). -
Registry Key Filter: Finally, it focuses on changes made specifically to the registry path
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Personal.
In summary, this query retrieves recent events (within the last hour) where new registry keys were created or existing values were set in the OneDrive Personal settings under the current user's registry.
Details
Steven Lim
Released: May 8, 2025
Tables
Keywords
Operators