MD365 Safe Docs

# Safe Documents

## Query Information

### Description

Use the queries below to retrieve Safe Documents (Safe Docs) scan events from Microsoft 365 Defender. The events are recorded in the DeviceEvents table with ActionType "SafeDocFileScan"; the scan verdict and the reason the file was opened in a container are stored as JSON in AdditionalFields and have to be extracted with parse_json.

### Microsoft 365 Defender

All Safe Docs events

```kql
DeviceEvents
| where ActionType == "SafeDocFileScan"
// AdditionalFields is a JSON string; parse it once and read the properties from the dynamic object
| extend xRawEventData = parse_json(AdditionalFields)
| extend VerificationResult = tostring(xRawEventData.VerificationResult)
| extend ContainerReason = tostring(xRawEventData.ContainerReason)
| project Timestamp, DeviceName, ActionType, VerificationResult, FileName, FolderPath, SHA1, ReportId, ContainerReason
```

Malware detections

```kql
DeviceEvents
| where ActionType == "SafeDocFileScan"
| extend xRawEventData = parse_json(AdditionalFields)
| extend VerificationResult = tostring(xRawEventData.VerificationResult)
| extend ContainerReason = tostring(xRawEventData.ContainerReason)
| project Timestamp, DeviceName, ActionType, VerificationResult, FileName, FolderPath, SHA1, ReportId, ContainerReason
// keep only files that Safe Docs verified as malicious
| where VerificationResult == 'malware'
```

Additional filters (uncomment the lines you need)

```kql
DeviceEvents
| where ActionType == "SafeDocFileScan"
| extend xRawEventData = parse_json(AdditionalFields)
| extend VerificationResult = tostring(xRawEventData.VerificationResult)
| extend ContainerReason = tostring(xRawEventData.ContainerReason)
// ContainerReason: why the document was opened in the Safe Docs container
// | distinct ContainerReason
// | where ContainerReason == "IsFileBlock"
// | where ContainerReason == "IsEmailAttachment"
// | where ContainerReason == "IsInternetMarker"
// | where ContainerReason == "IsGateKeeperFail"
// VerificationResult: outcome of the cloud scan
// | distinct VerificationResult
// | where VerificationResult == "clean"
// | where VerificationResult == "unknown"
// | where VerificationResult == "failed"
// | where VerificationResult == "no_result"
// | distinct DeviceName
```

Explanation

The first query retrieves all Safe Docs events from Microsoft 365 Defender. It filters DeviceEvents on the ActionType "SafeDocFileScan", parses the JSON in AdditionalFields to extract VerificationResult and ContainerReason, and projects Timestamp, DeviceName, ActionType, VerificationResult, FileName, FolderPath, SHA1, ReportId, and ContainerReason.

The second query adds a filter so that only events whose VerificationResult is "malware" are returned.

The third query lists further filters, kept as comments, that can be uncommented to narrow the results by ContainerReason, VerificationResult, or DeviceName; the `distinct` lines are useful for seeing which values actually occur in your tenant before filtering on them.
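As an added example (not part of the original page or the author's query set), the query below builds on the same extraction to summarise malware verdicts per device and container reason over the last 30 days, which is the shape a hunting or reporting query typically needs. It assumes the same DeviceEvents schema and the same AdditionalFields properties shown above; the 30-day window and the 20-file cap in `make_set` are arbitrary choices.

```kql
// Added example: Safe Docs malware verdicts summarised per device and container reason.
// Assumes the DeviceEvents schema and AdditionalFields properties used in the queries above.
DeviceEvents
| where Timestamp > ago(30d)                      // assumed lookback window
| where ActionType == "SafeDocFileScan"
| extend xRawEventData = parse_json(AdditionalFields)
| extend VerificationResult = tostring(xRawEventData.VerificationResult)
| extend ContainerReason = tostring(xRawEventData.ContainerReason)
| where VerificationResult == "malware"
| summarize
    Detections = count(),
    Files = make_set(FileName, 20),              // sample of file names, capped at 20
    Hashes = make_set(SHA1, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, ContainerReason
| order by Detections desc
```

Replacing the `where VerificationResult == "malware"` line with `summarize count() by VerificationResult, ContainerReason` gives the overall distribution of verdicts, which is useful for spotting an unusual share of "failed" or "no_result" scans that would otherwise leave documents unverified.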

Details

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,ActionType,SafeDocFileScan,AdditionalFields,VerificationResult,ContainerReason,Timestamp,DeviceName,FileName,FolderPath,SHA1,ReportId,malware

Operators

where, extend, parse_json, tostring, project, distinct