Query Details

Malware File Detected In Office 365

Malware File Detected

Query

OfficeActivity
| where Operation == "FileMalwareDetected"
| project-reorder TimeGenerated, OfficeWorkload, SourceFileName, OfficeObjectId, UserId

About this query

Malware File Detected In Office 365

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1204.002User Execution: Malicious Filehttps://attack.mitre.org/techniques/T1204/002/

Description

This detects a malware file in your Office 365 environment. This activity does not always raise an alert.

Risk

Active malware is detected and can spread through the organisation.

References

Sentinel

Explanation

This query is designed to identify instances where a malware file has been detected within an Office 365 environment. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the OfficeActivity table, which logs various activities within Office 365.

  2. Filter: The query specifically looks for activities where the operation is "FileMalwareDetected". This means it is filtering for events where a file has been identified as containing malware.

  3. Output: The query then selects and orders specific columns to display in the results:

    • TimeGenerated: The time when the malware detection event was logged.
    • OfficeWorkload: The specific Office 365 service (like SharePoint, OneDrive, etc.) where the malware was detected.
    • SourceFileName: The name of the file that was detected as malware.
    • OfficeObjectId: A unique identifier for the object (file) within Office 365. - UserId: The ID of the user associated with the malware detection event.

In summary, this query helps security teams monitor and respond to malware threats by providing detailed information about detected malicious files in Office 365, including when and where they were detected and which user was involved.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

OfficeActivity

Keywords

OfficeActivityTimeGeneratedOfficeWorkloadSourceFileNameOfficeObjectIdUserId

Operators

where==project-reorder

MITRE Techniques

Actions

GitHub