Query Details

File Containing Malware Detected

Query

# File that contains malware detected by Defender For Cloud Apps

### Defender For Endpoint

```kql
CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder Timestamp, Application, VirusInfo, ObjectName, FileName, VirusVendor
```

### Sentinel

```kql
CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder TimeGenerated, Application, VirusInfo, ObjectName, FileName, VirusVendor
```

Explanation

The query retrieves CloudAppEvents records whose ActionType is FileMalwareDetected, i.e. files that Defender for Cloud Apps has flagged as malware. It parses the RawEventData JSON to surface the file name (SourceFileName), the URL of the site where the malware was detected (SiteUrl), the vendor that identified the malware (VirusVendor), and additional information about the virus (VirusInfo). Two variants are given: one for Defender for Endpoint advanced hunting, which uses the Timestamp column, and one for Microsoft Sentinel, where the same table exposes TimeGenerated instead.
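As an added illustration (not part of the catalog entry or its author's query), the following Python mirrors the query's logic over a few constructed CloudAppEvents rows: it filters on ActionType, parses RawEventData, extracts the four fields, and reorders the columns the way project-reorder does. The sample rows, URLs and threat names are made up for the example; the only thing taken from the page is the table and column names. The third row deliberately lacks VirusInfo, showing that a missing key produces an empty value rather than dropping the row, which is how the KQL behaves as well.

```python
import json

# Constructed sample rows shaped like CloudAppEvents. Column names come from the
# query on this page; the RawEventData payload contents are assumptions, not
# captured telemetry.
SAMPLE_EVENTS = [
    {
        "Timestamp": "2023-02-14T09:12:31Z",
        "Application": "Microsoft SharePoint Online",
        "ActionType": "FileMalwareDetected",
        "ObjectName": "https://contoso.example/sites/finance/Shared Documents/invoice.xlsm",
        "RawEventData": json.dumps({
            "SourceFileName": "invoice.xlsm",
            "SiteUrl": "https://contoso.example/sites/finance/",
            "VirusVendor": "Microsoft",
            "VirusInfo": "Trojan:O97M/Constructed.A",   # constructed threat name
        }),
    },
    {
        # Not a malware detection: the where-clause must drop this row.
        "Timestamp": "2023-02-14T09:15:02Z",
        "Application": "Microsoft OneDrive for Business",
        "ActionType": "FileUploaded",
        "ObjectName": "https://contoso.example/personal/jdoe/Documents/notes.txt",
        "RawEventData": json.dumps({"SourceFileName": "notes.txt"}),
    },
    {
        # Detection whose payload has no VirusInfo key: row is kept, field is empty.
        "Timestamp": "2023-02-14T10:01:45Z",
        "Application": "Microsoft OneDrive for Business",
        "ActionType": "FileMalwareDetected",
        "ObjectName": "https://contoso.example/personal/jdoe/Documents/setup.exe",
        "RawEventData": json.dumps({
            "SourceFileName": "setup.exe",
            "SiteUrl": "https://contoso.example/personal/jdoe/",
            "VirusVendor": "Microsoft",
        }),
    },
]

# Columns named in the query's project-reorder, in that order.
REORDERED = ["Timestamp", "Application", "VirusInfo", "ObjectName", "FileName", "VirusVendor"]


def file_malware_detected(events, time_column="Timestamp"):
    """Apply the page's query to a list of event dicts.

    time_column is "Timestamp" for the Defender for Endpoint variant and
    "TimeGenerated" for the Sentinel variant.
    """
    results = []
    for ev in events:
        # | where ActionType == "FileMalwareDetected"
        if ev.get("ActionType") != "FileMalwareDetected":
            continue

        # parse_json(RawEventData); an empty or absent payload parses to {}
        raw = json.loads(ev.get("RawEventData") or "{}")

        # | extend ... : missing keys become None, like an empty dynamic in KQL
        row = dict(ev)
        row["FileName"] = raw.get("SourceFileName")
        row["SiteUrl"] = raw.get("SiteUrl")
        row["VirusVendor"] = raw.get("VirusVendor")
        row["VirusInfo"] = raw.get("VirusInfo")

        # | project-reorder: named columns first, every other column kept after them
        order = [time_column if c == "Timestamp" else c for c in REORDERED]
        ordered = {c: row.get(c) for c in order}
        for key, value in row.items():
            if key not in ordered:
                ordered[key] = value
        results.append(ordered)
    return results


if __name__ == "__main__":
    for hit in file_malware_detected(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["Application"], hit["FileName"],
              hit["VirusVendor"], hit["VirusInfo"], hit["SiteUrl"])
```

Running it against the sample prints the two malware detections and skips the plain upload; the second detection shows an empty VirusInfo, which is worth keeping in mind when building an alert on that field. Passing `time_column="TimeGenerated"` reproduces the Sentinel column order for rows that carry that name instead of Timestamp.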

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

CloudAppEvents

Keywords

Devices,Intune,User,DefenderForCloudApps,DefenderForEndpoint,Sentinel

Operators

where, extend, parse_json, project-reorder