Query Details

File that contains malware detected by Defender For Cloud Apps

File Containing Malware Detected

Query

CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder Timestamp, Application, VirusInfo, ObjectName, FileName, VirusVendor

About this query

File that contains malware detected by Defender For Cloud Apps

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1204.002User Execution: Malicious Filehttps://attack.mitre.org/techniques/T1204/002/

Description

This query lists the FileMalwareDetected based on the uploaded content to your cloud applications (such as OneDrive, SharePoint). This activity does not always raise an alert.

Risk

A user uploaded a malicious executable into your cloud storage, others might execute this as they trust the internal cloud storage.

References

Defender XDR

Sentinel

CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder TimeGenerated, Application, VirusInfo, ObjectName, FileName, VirusVendor

Explanation

This query is designed to identify files containing malware that have been detected by Defender for Cloud Apps in your cloud storage services, such as OneDrive or SharePoint. The query specifically looks for events where a file has been flagged as containing malware, indicated by the action type "FileMalwareDetected."

Here's a simple breakdown of what the query does:

  1. Data Source: It searches through the CloudAppEvents data, which logs activities related to cloud applications.

  2. Filter: It filters the events to only include those where a file has been detected with malware (ActionType == "FileMalwareDetected").

  3. Extract Information: It extracts specific details from the raw event data, including:

    • FileName: The name of the file that was detected with malware.
    • SiteUrl: The URL of the site where the file is stored.
    • VirusVendor: The vendor that identified the malware.
    • VirusInfo: Information about the detected malware.
  4. Output: It organizes the output to display the timestamp, application, virus information, object name, file name, and virus vendor in a specific order for easier analysis.

The query helps in identifying potentially harmful files uploaded to your cloud storage, which could pose a risk if other users trust and execute these files.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEvents

Keywords

CloudApplicationsMalwareFileUser

Operators

whereextendparse_jsonproject-reorder

MITRE Techniques

Actions

GitHub