Query Details

Office Activity Malware File In Share Point

Query

// Build one anchored regular expression from the watchlist entries that
// describe expected SharePoint malware detections.
let _BenignFilesRegex = toscalar(
    _GetWatchlist('Activity-ExpectedSignificantActivity')
    | where Activity == "SharePointFileMalwareDetected"
    | summarize RegEx = make_list(Auxiliar)
    // Join the fragments as alternatives and anchor the whole pattern so a
    // fragment only matches a complete file name.
    | project RegEx = strcat(@'^(', strcat_array(RegEx, '|'), @')$')
);
OfficeActivity
| where Operation == "FileMalwareDetected"
// Expected file names are downgraded to Informational; anything else is Medium.
| extend AlertSeverity = case(
    SourceFileName matches regex _BenignFilesRegex, "Informational",
    "Medium"
    )
| project
    TimeGenerated,
    Operation,
    Site_Url,
    SourceFileName,
    SourceFileExtension,
    ContainerUrl = strcat(Site_Url, SourceRelativeUrl),
    OfficeObjectId,
    AlertSeverity

Explanation

This query looks for Office activity related to file malware detection. It first retrieves the regular-expression fragments stored in the "Activity-ExpectedSignificantActivity" watchlist for the "SharePointFileMalwareDetected" activity and joins them into a single anchored pattern. It then uses that pattern to determine the severity of the alert for each detected file: if the source file name matches one of the expected patterns, the alert severity is set to "Informational"; otherwise it is set to "Medium". The query then projects various properties of the detected files along with the alert severity.
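To check the severity logic offline, here is an added Python emulation of the query; it is not part of the original query or of Microsoft Sentinel. The watchlist rows and OfficeActivity events are constructed samples, and Python's re module stands in for KQL's matches regex. It also shows why the anchors matter and how an over-broad watchlist fragment silently downgrades every detection.

```python
import re
from typing import Iterable

# Constructed rows standing in for the Activity-ExpectedSignificantActivity
# watchlist; the Auxiliar column holds one regular-expression fragment per row.
WATCHLIST = [
    {"Activity": "SharePointFileMalwareDetected", "Auxiliar": r"eicar\.com"},
    {"Activity": "SharePointFileMalwareDetected", "Auxiliar": r"av-test-.*\.txt"},
    {"Activity": "SomethingElse", "Auxiliar": r".*"},  # dropped by the Activity filter
]

# Constructed OfficeActivity events.
EVENTS = [
    {"Operation": "FileMalwareDetected", "SourceFileName": "eicar.com"},
    {"Operation": "FileMalwareDetected", "SourceFileName": "av-test-2022.txt"},
    {"Operation": "FileMalwareDetected", "SourceFileName": "invoice.docm"},
    {"Operation": "FileMalwareDetected", "SourceFileName": "my-eicar.com"},
    {"Operation": "FileUploaded", "SourceFileName": "eicar.com"},
]


def benign_files_regex(watchlist: Iterable[dict]) -> str:
    """Mirror the _BenignFilesRegex let-statement: collect Auxiliar for the
    matching Activity and wrap the alternation in ^( ... )$ anchors."""
    fragments = [row["Auxiliar"] for row in watchlist
                 if row["Activity"] == "SharePointFileMalwareDetected"]
    return "^(" + "|".join(fragments) + ")$"


def classify(events: Iterable[dict], watchlist: Iterable[dict]) -> list:
    """Mirror the where/extend/project pipeline: keep FileMalwareDetected
    events only and assign AlertSeverity from the anchored pattern."""
    pattern = re.compile(benign_files_regex(watchlist))
    out = []
    for ev in events:
        if ev["Operation"] != "FileMalwareDetected":
            continue
        name = ev["SourceFileName"]
        severity = "Informational" if pattern.search(name) else "Medium"
        out.append({"SourceFileName": name, "AlertSeverity": severity})
    return out


def suppressed_fraction(events: Iterable[dict], watchlist: Iterable[dict]) -> float:
    """Share of malware detections downgraded to Informational; a value near
    1.0 is a sign that a watchlist fragment is too broad."""
    rows = classify(events, watchlist)
    if not rows:
        return 0.0
    return sum(r["AlertSeverity"] == "Informational" for r in rows) / len(rows)
```

Because the pattern is anchored, "my-eicar.com" stays Medium even though it contains "eicar.com"; a fragment such as ".*" would turn every detection Informational, which suppressed_fraction makes visible.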

Details


Jose Sebastián Canós

Released: September 29, 2022

Tables

OfficeActivity

Keywords

OfficeActivity,Operation,FileMalwareDetected,SourceFileName,SourceFileExtension,Site_Url,SourceRelativeUrl,ContainerUrl,OfficeObjectId,AlertSeverity

Operators

toscalar, _GetWatchlist, where, summarize, make_list, project, strcat, |, extend, case, matches regex, TimeGenerated, Operation, Site_Url, SourceFileName, SourceFileExtension, ContainerUrl, SourceRelativeUrl, OfficeObjectId, AlertSeverity
