Query Details
//When Office 365 detects malware in OneDrive or SharePoint, find any users who downloaded the same file
//Data connector required for this query - Office 365
let malware=
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation == "FileMalwareDetected"
| distinct OfficeObjectId;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation in ("FileSyncDownloadedFull", "FileDownloaded")
| where OfficeObjectId in (malware)
| summarize ['Users who Downloaded']=make_set(UserId) by ['File Name']=OfficeObjectId

This query finds users who downloaded a file that Office 365 flagged as malware in OneDrive or SharePoint. It uses the Office 365 data connector and looks at the past day of OfficeActivity events. It first collects the OfficeObjectId of every file with a FileMalwareDetected event, then returns the FileDownloaded and FileSyncDownloadedFull events for those same files. The results are summarized per file, with a set of the users who downloaded it; note that the 'File Name' column holds the OfficeObjectId value, which for SharePoint and OneDrive events is the full URL of the item rather than just its name. Because both halves of the query use the same one-day window, a download that happened more than a day before you run the query is not returned even if the detection is recent; widen the second ago() if the file could have been sitting in the library longer than that before it was flagged.
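As an added illustration (this is not Matt Zorich's code and does not run in Sentinel), here is the same two-step logic in Python over a few constructed OfficeActivity rows: the tenant URL, user names and timestamps are made up, and only the four columns the query references are modelled. It goes slightly beyond the KQL by letting the download window be set independently of the detection window, which is the tuning you would make if the file could have been downloaded before the one-day lookback.

```python
from datetime import datetime, timedelta, timezone

# Added example (not part of the original query page): the join logic of the
# KQL, implemented in Python over a handful of constructed OfficeActivity rows.
# Only the four columns the query uses are modelled.

DOWNLOAD_OPS = {"FileSyncDownloadedFull", "FileDownloaded"}
MALWARE_OP = "FileMalwareDetected"
WIDE_DOWNLOAD_WINDOW = timedelta(days=7)

# Hypothetical item URLs; OfficeObjectId is the full URL of the file.
MALWARE_FILE = "https://contoso.sharepoint.com/sites/finance/Shared Documents/invoice.xlsm"
CLEAN_FILE = "https://contoso.sharepoint.com/sites/finance/Shared Documents/budget.xlsx"

NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows (not data from any real tenant).
SAMPLE_ROWS = [
    # The detection event itself, two hours ago.
    {"TimeGenerated": NOW - timedelta(hours=2), "Operation": MALWARE_OP,
     "OfficeObjectId": MALWARE_FILE, "UserId": "app@sharepoint"},
    # Downloads inside the one-day window: both are hits.
    {"TimeGenerated": NOW - timedelta(hours=5), "Operation": "FileDownloaded",
     "OfficeObjectId": MALWARE_FILE, "UserId": "alice@contoso.com"},
    {"TimeGenerated": NOW - timedelta(hours=1), "Operation": "FileSyncDownloadedFull",
     "OfficeObjectId": MALWARE_FILE, "UserId": "bob@contoso.com"},
    # Download two days ago: outside ago(1d), so the page's query misses it.
    {"TimeGenerated": NOW - timedelta(days=2), "Operation": "FileDownloaded",
     "OfficeObjectId": MALWARE_FILE, "UserId": "carol@contoso.com"},
    # FileAccessed is not one of the download operations the query matches.
    {"TimeGenerated": NOW - timedelta(hours=3), "Operation": "FileAccessed",
     "OfficeObjectId": MALWARE_FILE, "UserId": "dave@contoso.com"},
    # Download of a file that was never flagged.
    {"TimeGenerated": NOW - timedelta(hours=4), "Operation": "FileDownloaded",
     "OfficeObjectId": CLEAN_FILE, "UserId": "alice@contoso.com"},
]


def users_who_downloaded_malware(rows, now, detection_lookback=timedelta(days=1),
                                 download_lookback=None):
    """Return {OfficeObjectId: sorted list of UserIds} for downloads of files
    that have a FileMalwareDetected event.

    detection_lookback mirrors the first ago(1d); download_lookback mirrors the
    second and defaults to the same window, exactly as the KQL does. A longer
    download_lookback recovers downloads that predate the detection by more
    than the detection window.
    """
    if download_lookback is None:
        download_lookback = detection_lookback

    # let malware = ... | where Operation == "FileMalwareDetected"
    #                 | distinct OfficeObjectId
    malware = {
        r["OfficeObjectId"] for r in rows
        if r["TimeGenerated"] > now - detection_lookback and r["Operation"] == MALWARE_OP
    }

    # ... | where Operation in (...) | where OfficeObjectId in (malware)
    #     | summarize make_set(UserId) by OfficeObjectId
    result = {}
    for r in rows:
        if (r["TimeGenerated"] > now - download_lookback
                and r["Operation"] in DOWNLOAD_OPS
                and r["OfficeObjectId"] in malware):
            result.setdefault(r["OfficeObjectId"], set()).add(r["UserId"])
    return {path: sorted(users) for path, users in result.items()}


if __name__ == "__main__":
    for path, users in users_who_downloaded_malware(SAMPLE_ROWS, NOW).items():
        print("1d:", path, users)
    # Widen only the download window to pick up carol's earlier download.
    wide = users_who_downloaded_malware(SAMPLE_ROWS, NOW,
                                        download_lookback=WIDE_DOWNLOAD_WINDOW)
    for path, users in wide.items():
        print("7d:", path, users)
```

With the default windows the function returns only alice and bob, matching what the KQL would show; raising the download window to seven days adds carol, and dave is never returned because FileAccessed is not a download operation.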

Matt Zorich
Released: June 17, 2022