Query Details

Safe Documents

MD365 Safe Docs

Query

DeviceEvents
| where ActionType == "SafeDocFileScan"
| extend xRawEventData = parse_json(AdditionalFields)
| extend VerificationResult =  tostring(parse_json(xRawEventData).VerificationResult)
| extend ContainerReason = tostring(parse_json(xRawEventData).ContainerReason)
| project Timestamp, DeviceName, ActionType,VerificationResult,FileName, FolderPath, SHA1, ReportId, ContainerReason

About this query

Explanation

The query retrieves Safe Docs Events from Microsoft 365 Defender. It filters the events based on the ActionType "SafeDocFileScan" and extracts specific fields such as Timestamp, DeviceName, ActionType, VerificationResult, FileName, FolderPath, SHA1, ReportId, and ContainerReason.

The second query adds an additional filter to only include events where the VerificationResult is "malware".

The third query provides more filtering options that can be uncommented to further narrow down the results based on ContainerReason, VerificationResult, and DeviceName.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DeviceEventsActionTypeSafeDocFileScanAdditionalFieldsVerificationResultContainerReasonTimestampDeviceNameFileNameFolderPathSHA1ReportIdmalware

Operators

whereextendparse_jsontostringprojectdistinct

Actions

GitHub