Query Details
//Alerts when a file believed to be malware is uploaded to your Office 365 tenant in SharePoint or OneDrive
//Data connector required for this query - Office 365
OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation == "FileMalwareDetected"
| project
    TimeGenerated,
    OfficeWorkload,
    ['File Name']=SourceFileName,
    ['File Location']=OfficeObjectId,
    ['Relative File URL']=SourceRelativeUrl,
    ClientIP
This query looks for files uploaded to your Office 365 tenant in SharePoint or OneDrive that the SharePoint anti-malware engine has flagged as malware. It reads the OfficeActivity table, which is populated by the Office 365 data connector (the SharePoint workload must be enabled in the connector for these events to arrive), and keeps only events with the Operation "FileMalwareDetected" from the last 30 days. For each hit it returns the time the event occurred, the Office workload (SharePoint or OneDrive), the file name, the file location (the full URL of the file, from OfficeObjectId), the relative URL of the folder it was written to, and the client IP address that performed the upload. A detection here means the file was already written to the tenant before the engine caught it, so the ClientIP and file location are the starting point for checking whether the same source uploaded anything else.
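To show the same detection logic outside of Sentinel, here is an added Python example (not from the original page or the query author) that runs the filter and projection above over a handful of constructed OfficeActivity records, and then groups the hits by ClientIP, which is the follow-up check a responder would usually run next. The field names follow the OfficeActivity schema used in the query; the records, the contoso URLs, the IP addresses and the fixed "now" timestamp are all made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 30-day window is reproducible (assumption for the example).
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)

# Constructed sample OfficeActivity records; not real tenant data.
SAMPLE_OFFICE_ACTIVITY = [
    {"TimeGenerated": "2022-06-16T09:12:44Z", "Operation": "FileMalwareDetected",
     "OfficeWorkload": "SharePoint", "SourceFileName": "invoice.xlsm",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/invoice.xlsm",
     "SourceRelativeUrl": "Shared Documents", "ClientIP": "203.0.113.10"},
    {"TimeGenerated": "2022-06-16T09:40:02Z", "Operation": "FileUploaded",  # benign upload, filtered out
     "OfficeWorkload": "SharePoint", "SourceFileName": "notes.docx",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/notes.docx",
     "SourceRelativeUrl": "Shared Documents", "ClientIP": "198.51.100.7"},
    {"TimeGenerated": "2022-06-15T22:05:19Z", "Operation": "FileMalwareDetected",
     "OfficeWorkload": "OneDrive", "SourceFileName": "setup.exe",
     "OfficeObjectId": "https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/setup.exe",
     "SourceRelativeUrl": "Documents", "ClientIP": "203.0.113.10"},
    {"TimeGenerated": "2022-04-01T08:00:00Z", "Operation": "FileMalwareDetected",  # older than 30 days
     "OfficeWorkload": "SharePoint", "SourceFileName": "old.js",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/IT/Shared Documents/old.js",
     "SourceRelativeUrl": "Shared Documents", "ClientIP": "192.0.2.44"},
    {"TimeGenerated": "2022-06-14T11:30:00Z", "Operation": "FileMalwareDetected",
     "OfficeWorkload": "SharePoint", "SourceFileName": "report.pdf",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/HR/Shared Documents/report.pdf",
     "SourceRelativeUrl": "Shared Documents", "ClientIP": "198.51.100.7"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def malware_detected(records, now=NOW, lookback=timedelta(days=30)):
    """Equivalent of the KQL query: keep FileMalwareDetected events newer than
    now - lookback and project the same columns, newest first."""
    cutoff = now - lookback
    hits = []
    for rec in records:
        if rec.get("Operation") != "FileMalwareDetected":
            continue
        if parse_time(rec["TimeGenerated"]) <= cutoff:
            continue
        hits.append({
            "TimeGenerated": rec["TimeGenerated"],
            "OfficeWorkload": rec.get("OfficeWorkload", ""),
            "File Name": rec.get("SourceFileName", ""),
            "File Location": rec.get("OfficeObjectId", ""),
            "Relative File URL": rec.get("SourceRelativeUrl", ""),
            "ClientIP": rec.get("ClientIP", ""),
        })
    # ISO-8601 UTC strings sort correctly as text, so no re-parsing is needed.
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


def hits_by_client_ip(hits):
    """Follow-up pivot (the KQL equivalent would be `summarize count() by ClientIP`):
    a client IP with more than one detection is worth looking at first."""
    counts = {}
    for hit in hits:
        counts[hit["ClientIP"]] = counts.get(hit["ClientIP"], 0) + 1
    return counts


if __name__ == "__main__":
    results = malware_detected(SAMPLE_OFFICE_ACTIVITY)
    for row in results:
        print(row)
    print(hits_by_client_ip(results))
```

On the sample data the window drops the April event and the benign FileUploaded record, leaving three detections, two of which came from the same client IP; in a real investigation that IP (and the user behind it) would be the next pivot in OfficeActivity.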

Matt Zorich
Released: June 17, 2022