Safe Documents
MD365 Safe Docs
Query
DeviceEvents
| where ActionType == "SafeDocFileScan"
| extend xRawEventData = parse_json(AdditionalFields)
| extend VerificationResult = tostring(parse_json(xRawEventData).VerificationResult)
| extend ContainerReason = tostring(parse_json(xRawEventData).ContainerReason)
| project Timestamp, DeviceName, ActionType,VerificationResult,FileName, FolderPath, SHA1, ReportId, ContainerReasonAbout this query
Explanation
The query retrieves Safe Docs Events from Microsoft 365 Defender. It filters the events based on the ActionType "SafeDocFileScan" and extracts specific fields such as Timestamp, DeviceName, ActionType, VerificationResult, FileName, FolderPath, SHA1, ReportId, and ContainerReason.
The second query adds an additional filter to only include events where the VerificationResult is "malware".
The third query provides more filtering options that can be uncommented to further narrow down the results based on ContainerReason, VerificationResult, and DeviceName.
Details

Alex Verboon
Released: June 4, 2023
Tables
DeviceEvents
Keywords
DeviceEventsActionTypeSafeDocFileScanAdditionalFieldsVerificationResultContainerReasonTimestampDeviceNameFileNameFolderPathSHA1ReportIdmalware
Operators
whereextendparse_jsontostringprojectdistinct