Query Details

Email Audit Safe Attachments Global Setting

Query

name : Safe Attachments 
description : 
- Audit the config - [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams]
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
query : |
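   // Audit window to review
   let StartTime = datetime(2023-01-22);
   let EndTime = datetime(2023-01-24);
   CloudAppEvents
   | where Timestamp between ((StartTime) .. (EndTime))
   // Exchange Online admin activity only
   | where Application == "Microsoft Exchange Online"
   // Substring match on ActionType for ATP-related actions
   | where ActionType contains "atp"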

output : 
 Parameters 
  [
    {"Name":"Identity","Value":"Default"},
    {"Name":"EnableATPForSPOTeamsODB","Value":"True"},
    {"Name":"EnableSafeDocs","Value":"True"},
    {"Name":"AllowSafeDocsOpen","Value":"False"}
  ]

Explanation

The query retrieves cloud app events from Microsoft Exchange Online between January 22, 2023, and January 24, 2023, and keeps only those whose ActionType contains "atp", that is, events related to Advanced Threat Protection (ATP). The output shows the parameters recorded for the Safe Attachments global setting: whether ATP is enabled for SharePoint, OneDrive, and Teams (EnableATPForSPOTeamsODB), whether SafeDocs is enabled (EnableSafeDocs), and whether SafeDocs files are allowed to be opened (AllowSafeDocsOpen).
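
As an added example (not part of the original query or the author's work), the following KQL extends the query above to expand the Parameters array and compare the most recent value of each setting with the values shown in the sample output. It assumes the array is exposed as RawEventData.Parameters and treats the sample output as the baseline; the Expected and Finding column names are hypothetical.

```kql
// Added example: report the latest value of each Safe Attachments global
// setting seen in the window and flag any that differ from the baseline.
// Assumption: the Name/Value array shown in the output is found in
// RawEventData.Parameters.
let StartTime = datetime(2023-01-22);
let EndTime = datetime(2023-01-24);
CloudAppEvents
| where Timestamp between (StartTime .. EndTime)
| where Application == "Microsoft Exchange Online"
| where ActionType contains "atp"
// Round-trip through a string so the field parses whether it arrives
// as a dynamic array or as a JSON string.
| extend Parameters = todynamic(tostring(RawEventData.Parameters))
// One row per {"Name": ..., "Value": ...} pair.
| mv-expand Parameter = Parameters
| extend Name = tostring(Parameter.Name), Value = tostring(Parameter.Value)
| where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")
// Keep only the most recent change per setting, with who made it.
| summarize arg_max(Timestamp, Value, AccountDisplayName, ActionType) by Name
// Baseline taken from the sample output: True, True, False.
| extend Expected = case(Name == "AllowSafeDocsOpen", "False", "True")
| extend Finding = iff(Value =~ Expected, "OK", "Differs from baseline")
| project Timestamp, ActionType, AccountDisplayName, Name, Value, Expected, Finding
```

A setting that was not changed inside the window produces no row, so an empty result means no change was recorded, not that the configuration matches the baseline.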

Details


Kijo Girardi

Released: February 2, 2023

Tables

CloudAppEvents

Keywords

SafeAttachments,SharePoint,OneDrive,MicrosoftTeams,Audit,config,StartTime,EndTime,CloudAppEvents,Timestamp,Application,ActionType,EnableATPForSPOTeamsODB,EnableSafeDocs,AllowSafeDocsOpen

Operators

toscalar(), arg_max(), count(), mv-expand
