Malware File Detected In Office 365
Malware File Detected
Query
OfficeActivity
| where Operation == "FileMalwareDetected"
| project-reorder TimeGenerated, OfficeWorkload, SourceFileName, OfficeObjectId, UserIdAbout this query
Malware File Detected In Office 365
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |
Description
This detects a malware file in your Office 365 environment. This activity does not always raise an alert.
Risk
Active malware is detected and can spread through the organisation.
References
Sentinel
Explanation
This query is designed to identify instances where a malware file has been detected within an Office 365 environment. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
OfficeActivitytable, which logs various activities within Office 365. -
Filter: The query specifically looks for activities where the operation is "FileMalwareDetected". This means it is filtering for events where a file has been identified as containing malware.
-
Output: The query then selects and orders specific columns to display in the results:
TimeGenerated: The time when the malware detection event was logged.OfficeWorkload: The specific Office 365 service (like SharePoint, OneDrive, etc.) where the malware was detected.SourceFileName: The name of the file that was detected as malware.OfficeObjectId: A unique identifier for the object (file) within Office 365. -UserId: The ID of the user associated with the malware detection event.
In summary, this query helps security teams monitor and respond to malware threats by providing detailed information about detected malicious files in Office 365, including when and where they were detected and which user was involved.
