Query Details
//Calculate the time Office 365 took to detect malware after the file was uploaded
//Data connector required for this query - Office 365
//First find the malware detection event
OfficeActivity
| where TimeGenerated > ago(60d)
| where Operation == "FileMalwareDetected"
| project
    DetectionTime=TimeGenerated,
    OfficeWorkload,
    ['File Name']=SourceFileName,
    ['File Location']=OfficeObjectId
//Then join back to the upload event on the same file location
| join kind=inner
(
    OfficeActivity
    | where TimeGenerated > ago(60d)
    | where Operation in ("FileUploaded", "FileSyncUploadedFull")
    | project
        UploadTime=TimeGenerated,
        OfficeWorkload,
        ['File Name']=SourceFileName,
        ['File Location']=OfficeObjectId,
        ['Relative File URL']=SourceRelativeUrl
    //Keep only the earliest upload per location (grouping by UploadTime as well would
    //return one row per upload instead of the first one)
    | summarize UploadTime=min(UploadTime) by ['File Location']
)
on ['File Location']
//Calculate the time difference between upload and malware detection
| project
    ['File Name'],
    UploadTime,
    DetectionTime,
    ['Time Difference in Minutes']=datetime_diff("minute", DetectionTime, UploadTime),
    ['File Location']

This query calculates the time it took for Office 365 to detect malware after a file was uploaded. It uses the OfficeActivity data connector to find the malware detection event and then joins it back to the upload event on the same file location. The query then calculates the time difference between the upload and malware detection events. The result includes the file name, upload time, detection time, and the time difference in minutes.
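The join-and-summarize logic above can be checked offline before it is run against a tenant. The following Python is an added example, not part of the original query page or of the author's repository: it replays the same steps (take the earliest upload per file location, inner-join it to each FileMalwareDetected event, report whole minutes between the two) over a handful of constructed OfficeActivity-style rows. The file names, URLs and timestamps are invented sample data; the only real names are the four OfficeActivity operations used by the query.

```python
from datetime import datetime, timedelta

# Constructed sample OfficeActivity-style rows (not real tenant data).
# Each row is (TimeGenerated, Operation, SourceFileName, OfficeObjectId).
# invoice.docm is uploaded twice before detection; report.pdf is never flagged;
# tool.exe is detected one minute after upload.
SAMPLE_EVENTS = [
    (datetime(2022, 6, 1, 9, 0),  "FileUploaded",         "invoice.docm", "https://contoso.sharepoint.com/sites/fin/invoice.docm"),
    (datetime(2022, 6, 1, 9, 5),  "FileSyncUploadedFull", "invoice.docm", "https://contoso.sharepoint.com/sites/fin/invoice.docm"),
    (datetime(2022, 6, 1, 9, 42), "FileMalwareDetected",  "invoice.docm", "https://contoso.sharepoint.com/sites/fin/invoice.docm"),
    (datetime(2022, 6, 2, 14, 0), "FileUploaded",         "report.pdf",   "https://contoso.sharepoint.com/sites/hr/report.pdf"),
    (datetime(2022, 6, 3, 8, 0),  "FileUploaded",         "tool.exe",     "https://contoso-my.sharepoint.com/personal/u/tool.exe"),
    (datetime(2022, 6, 3, 8, 1),  "FileMalwareDetected",  "tool.exe",     "https://contoso-my.sharepoint.com/personal/u/tool.exe"),
]

# The two upload operations the query treats as "the file arrived".
UPLOAD_OPERATIONS = {"FileUploaded", "FileSyncUploadedFull"}


def earliest_upload_by_location(events):
    """Mirror of the query's inner branch:
    summarize UploadTime=min(UploadTime) by ['File Location'].
    Returns {location: earliest upload time}."""
    earliest = {}
    for time_generated, operation, _name, location in events:
        if operation not in UPLOAD_OPERATIONS:
            continue
        if location not in earliest or time_generated < earliest[location]:
            earliest[location] = time_generated
    return earliest


def detection_latency_minutes(events):
    """Mirror of the outer query: for every FileMalwareDetected event, inner-join
    to the earliest upload at the same location and compute the minutes between
    them. Detections without a matching upload in the window drop out, exactly
    as rows do in a kind=inner join."""
    uploads = earliest_upload_by_location(events)
    results = []
    for time_generated, operation, name, location in events:
        if operation != "FileMalwareDetected" or location not in uploads:
            continue
        upload_time = uploads[location]
        # datetime_diff("minute", DetectionTime, UploadTime) counts minute
        # boundaries crossed; for on-the-minute timestamps this division matches it.
        minutes = int((time_generated - upload_time) / timedelta(minutes=1))
        results.append({
            "File Name": name,
            "UploadTime": upload_time,
            "DetectionTime": time_generated,
            "Time Difference in Minutes": minutes,
            "File Location": location,
        })
    return results


if __name__ == "__main__":
    for row in detection_latency_minutes(SAMPLE_EVENTS):
        print(row)
```

With the sample rows this yields two result rows: invoice.docm measured from its first upload at 09:00 (42 minutes, not the 37 that the second upload would give) and tool.exe at 1 minute; report.pdf produces no row because it was never detected as malware.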

Matt Zorich
Released: June 17, 2022