MDO File Malicious Content Info

Query

# Defender for Office - FileMaliciousContentInfo

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Work in Progress](https://img.shields.io/badge/status-work--in--progress-yellow.svg)

## Query Information

### Description

The FileMaliciousContentInfo table in the advanced hunting schema contains information about files that Microsoft Defender for Office 365 processed in SharePoint Online, OneDrive, and Microsoft Teams and flagged as malicious. The table is listed as Preview in the reference below, so column names and availability may still change.

#### References

- [FileMaliciousContentInfo (Preview)](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-filemaliciouscontentinfo-table)

### Author

- **Alex Verboon**

## Defender XDR

```kql
FileMaliciousContentInfo
| where isnotempty(ThreatTypes)
| project TimeGenerated, Workload, FileName, FolderPath, FileOwnerUpn, ThreatNames, ThreatTypes, DetectionMethods, SHA256, ReportId
| sort by ThreatNames
```


Explanation

This KQL query is designed to extract and organize information about malicious files detected by Microsoft Defender for Office 365 within SharePoint Online, OneDrive, and Microsoft Teams. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the FileMaliciousContentInfo table, which contains details about files flagged for malicious content.

  2. Filter: The query filters the data to include only those records where the ThreatTypes field is not empty. This ensures that only files identified with some type of threat are considered.

  3. Select Columns: It selects specific columns to display:

    • TimeGenerated: The timestamp when the event was recorded. Advanced hunting tables expose the event time as `Timestamp` in the Defender XDR schema and as `TimeGenerated` when the same table is queried through Microsoft Sentinel; use the name that matches the portal you are querying in.
    • Workload: The service (e.g., SharePoint, OneDrive, Teams) where the file was found.
    • FileName: The name of the file.
    • FolderPath: The location path of the file.
    • FileOwnerUpn: The user principal name of the file owner.
    • ThreatNames: The names of the threats detected.
    • ThreatTypes: The types of threats identified.
    • DetectionMethods: How the threat was detected.
    • SHA256: The SHA256 hash of the file contents, which uniquely identifies the file regardless of its name or location and is the value to pivot on when checking whether the same file appears elsewhere.
    • ReportId: An event identifier based on a repeating counter. On its own it is not unique; combine it with the event timestamp to identify a single event, for example when building a custom detection from this query.
  4. Sort: The results are sorted by ThreatNames, which groups the output alphabetically by the names of the threats detected. Note that this is not a chronological order; for triage of the most recent detections, sort by the timestamp column descending instead.

This query helps security analysts quickly identify and review malicious files by providing essential details about each threat in a structured format.
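The query above lists one row per detection event, so a file that was re-scanned or shared into several locations appears several times. The following is an added example, not part of the original query or its author's work, that aggregates the same table by SHA256 over a 30-day window so each malicious file shows up once, with its first and last detection time and the owners and workloads it touched. It assumes the same column names as the query above, including `TimeGenerated` as the event time (substitute `Timestamp` if the schema you are querying uses that name); the `lookback` variable is introduced here for illustration.

```kql
// Added example: one row per malicious file (SHA256) seen in the last 30 days.
// Column names are taken from the query above; lookback is an assumed parameter.
let lookback = 30d;
FileMaliciousContentInfo
| where TimeGenerated > ago(lookback)
| where isnotempty(ThreatTypes)
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Detections = count(),
    Workloads = make_set(Workload),
    Owners = make_set(FileOwnerUpn, 25),
    FileNames = make_set(FileName, 25),
    Paths = make_set(FolderPath, 25),
    ThreatNames = any(ThreatNames),
    ThreatTypes = any(ThreatTypes),
    DetectionMethods = any(DetectionMethods)
    by SHA256
| sort by Detections desc, LastSeen desc
```

Files with a high Detections count or many distinct Owners are the ones most likely to have been shared around the tenant and are worth reviewing first; the SHA256 column can then be used to search other tables that carry file hashes.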

Details

Alex Verboon

Released: March 16, 2026

Tables

FileMaliciousContentInfo

Keywords

FileMaliciousContentInfo, ThreatTypes, TimeGenerated, Workload, FileName, FolderPath, FileOwnerUpn, ThreatNames, DetectionMethods, SHA256, ReportId

Operators

|, where, isnotempty, project, sort by