Query Details

Malfunction Hunting Query Not Working In Graph API

Query

// This query in https://graph.microsoft.com/v1.0/security/runHuntingQuery does NOT work when Application == "Microsoft OneDrive for Business" or "Microsoft SharePoint Online", with other workloads it works
CloudAppEvents
| where Timestamp > ago(30d)
| where Application in ("Microsoft OneDrive for Business", "Microsoft SharePoint Online")
| where ActionType has "DLPRuleMatch"
| limit 1

Explanation

This query searches CloudAppEvents for events in which a Data Loss Prevention (DLP) rule was matched (ActionType has "DLPRuleMatch"). It restricts the search to the past 30 days and to two workloads, "Microsoft OneDrive for Business" and "Microsoft SharePoint Online", and returns at most one row (limit 1), so it serves as a quick existence check rather than a full listing. As the comment in the query notes, when it is submitted through the Microsoft Graph endpoint https://graph.microsoft.com/v1.0/security/runHuntingQuery it does not work for these two workloads, although the same query works for other workloads.
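A practical way to pin down a report like this is to run the same hunt through runHuntingQuery one workload at a time and record, per workload, whether Graph returned an error object, a result set with rows, or a result set with no rows; "does not work" can mean any of these, and the fix differs for each. The script below is an added example, not code from the original page or from its author. It uses only the Python standard library; the request body shape ({"Query": ...}) and the response shape (schema plus results, or an error object) are those documented for the endpoint, the ThreatHunting.Read.All permission and the GRAPH_TOKEN environment variable are assumptions, and "Microsoft Exchange Online" is used only as an assumed control workload. The sample responses at the bottom are constructed so the parsing runs offline.

```python
"""Added example: run the posted DLPRuleMatch hunt through Graph's runHuntingQuery
one workload at a time, so a workload that errors can be told apart from one that
merely returns no rows. Stdlib only. Set GRAPH_TOKEN to an access token that
carries ThreatHunting.Read.All (assumed permission) to run it against a tenant."""
import json
import os
import urllib.error
import urllib.request

GRAPH_HUNTING_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# Workloads named in the posted query, plus one assumed comparison workload.
WORKLOADS = [
    "Microsoft OneDrive for Business",
    "Microsoft SharePoint Online",
    "Microsoft Exchange Online",  # assumed name, used only as a control
]


def kql_string(value: str) -> str:
    """Quote a value as a KQL string literal, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_query(application: str, action_type: str = "DLPRuleMatch", days: int = 30) -> str:
    """Build the single-workload variant of the posted hunt."""
    return "\n".join([
        "CloudAppEvents",
        f"| where Timestamp > ago({int(days)}d)",
        f"| where Application == {kql_string(application)}",
        f"| where ActionType has {kql_string(action_type)}",
        "| limit 1",
    ])


def build_payload(query: str) -> dict:
    """Request body expected by runHuntingQuery."""
    return {"Query": query}


def parse_response(body) -> dict:
    """Summarise a runHuntingQuery response given as a dict or raw JSON bytes/str.

    Returns status 'error' for a Graph error object, otherwise 'ok' with the row
    count and column names, so an empty result set is never mistaken for a failed call."""
    if isinstance(body, (bytes, str)):
        body = json.loads(body)
    if "error" in body:
        err = body["error"] or {}
        return {"status": "error", "code": err.get("code"), "message": err.get("message")}
    columns = [c.get("name") for c in body.get("schema", [])]
    return {"status": "ok", "rows": len(body.get("results", [])), "columns": columns}


def run_query(query: str, token: str) -> dict:
    """POST the query to Graph and return parse_response() of whatever comes back."""
    req = urllib.request.Request(
        GRAPH_HUNTING_URL,
        data=json.dumps(build_payload(query)).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return parse_response(resp.read())
    except urllib.error.HTTPError as exc:
        raw = exc.read()  # Graph error bodies are JSON; fall back to the raw text if not
        try:
            return parse_response(raw)
        except ValueError:
            return {"status": "error", "code": str(exc.code), "message": raw.decode(errors="replace")}


def isolate_workloads(token: str, workloads=WORKLOADS) -> dict:
    """Run the hunt per workload; the mapping shows which one errors or returns nothing."""
    return {app: run_query(build_query(app), token) for app in workloads}


# Constructed sample responses in the documented shape (schema + results, or error).
SAMPLE_OK = {
    "schema": [{"name": "Timestamp", "type": "DateTime"},
               {"name": "Application", "type": "String"},
               {"name": "ActionType", "type": "String"}],
    "results": [{"Timestamp": "2024-10-01T08:00:00Z",
                 "Application": "Microsoft Exchange Online",
                 "ActionType": "DLPRuleMatch"}],
}
SAMPLE_EMPTY = {"schema": SAMPLE_OK["schema"], "results": []}
SAMPLE_ERROR = {"error": {"code": "BadRequest", "message": "constructed error text"}}

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        for app, summary in isolate_workloads(token).items():
            print(app, summary)
    else:
        # Offline walk-through on the constructed samples.
        for name, sample in (("ok", SAMPLE_OK), ("empty", SAMPLE_EMPTY), ("error", SAMPLE_ERROR)):
            print(name, parse_response(sample))
```

Read the per-workload output side by side: a status of "error" with a code and message is something to report as an API problem, while "ok" with zero rows for OneDrive or SharePoint but rows for the control workload points instead at the data (no DLP matches recorded under that Application value in the window) and is worth re-checking with a wider time span or without the ActionType filter.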

Details


Jose Sebastián Canós

Released: October 15, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, Timestamp, Application, ActionType, DLPRuleMatch

Operators

ago(), in(), has(), limit
