Query Details

Purview DLP Teams Alert Info

Query

// Purview DLP alert enrichment for Microsoft Teams.
// Input: alert_id is the DLP alert identifier as it appears in CloudAppEvents RawEventData["AlertId"];
// AlertEvidence stores the same alert with a "dl" prefix, which the strcat below accounts for.
// Output: one row per AlertTriggered event for the alert, enriched with the DlpRuleMatch entity
// (policy/rule that fired) and the set of InternetMessageId values taken from AlertEvidence.
let alert_id = "<<<>>>";
// Lookback window applied to every table read below; alerts older than this return no rows.
let query_period = 1d;
// Set of InternetMessageId values attached to the MailMessage evidence of this alert.
// NOTE(review): if no MailMessage evidence exists the set is empty (or null) — confirm in the target workspace.
let internet_message_ids = toscalar(
    AlertEvidence
    | where Timestamp > ago(query_period)
    // AlertEvidence prefixes DLP alert IDs with "dl"; CloudAppEvents carries the bare id
    | where AlertId == strcat("dl", alert_id) and EntityType == "MailMessage"
    | extend AdditionalFields = todynamic(AdditionalFields)
    | summarize make_set(AdditionalFields["InternetMessageId"]) // distinct InternetMessageId values
);
// AlertTriggered event: user, severity, workload and matched sensitive-information types.
// RawEventData["Data"] is a JSON string, so it is parsed a second time with todynamic.
CloudAppEvents
| where Timestamp > ago(query_period)
| where ActionType == "AlertTriggered" and tostring(RawEventData["AlertId"]) == alert_id
| extend
    AlertId = tostring(RawEventData["AlertId"]),
    Data = todynamic(tostring(RawEventData["Data"]))
| extend
    // Short keys ("f3u", "sev", "wl", "sict", "sitmi") are the field names used inside Data
    UserPrincipalName = tolower(tostring(Data["f3u"])),
    Severity = tostring(Data["sev"]),
    Workload = tostring(Data["wl"]),
    SensitiveInformationContentType = split(tostring(Data["sict"]), ";"),
    SensitiveInformationTypeMatchInfo = split(tostring(Data["sitmi"]), ";")
// Keep only Teams DLP alerts
| where Workload == "MicrosoftTeams" and tostring(RawEventData["Category"]) == "DataLossPrevention"
| project
    Timestamp,
    Application,
    ActionType,
    AlertId,
    UserPrincipalName,
    Severity,
    Workload,
    SensitiveInformationContentType,
    SensitiveInformationTypeMatchInfo,
    AlertTriggered_RawEventData = RawEventData,
    AlertTriggered_ReportId = ReportId,
    InternetMessageIds = internet_message_ids // set computed above from AlertEvidence
// Enrich with the DlpRuleMatch entity; leftouter keeps the AlertTriggered row even when no entity exists
| lookup kind=leftouter (
    CloudAppEvents
    | where Timestamp > ago(query_period)
    | where ActionType == "AlertEntityGenerated" and tostring(RawEventData["AlertId"]) == alert_id
    | extend
        AlertId = tostring(RawEventData["AlertId"]),
        EntityType = tostring(RawEventData["EntityType"]),
        Data = todynamic(tostring(RawEventData["Data"]))
    | where EntityType == "DlpRuleMatch"
    | extend
        // PolicyId falls back to "dpid" when "cid" is absent
        PolicyId = coalesce(tostring(Data["cid"]), tostring(Data["dpid"])),
        PolicyName = tostring(Data["dpn"]),
        ManagementRuleId = tostring(Data["dmrid"]),
        RuleId = tostring(Data["drid"]),
        RuleName = tostring(Data["drn"]),
        ProtectionActions = split(tostring(Data["dact"]), ", "),
        ObjectName = tostring(Data["von"]),
        // NOTE(review): meaning of the "dmc" field is not documented here — confirm before relying on it
        DMC = split(tostring(Data["dmc"]), ","),
        SenderFromAddress = tostring(Data["mfrm"]),
        RecipientEmailAddress = split(tostring(Data["to"]), ",")
    | project
        AlertId,
        PolicyId,
        PolicyName,
        ManagementRuleId,
        RuleId,
        RuleName,
        DMC,
        ProtectionActions,
        ObjectName,
        SenderFromAddress,
        RecipientEmailAddress,
        AlertEntityGenerated_DlpRuleMatch_RawEventData = RawEventData,
        AlertEntityGenerated_DlpRuleMatch_ReportId = ReportId
    ) on AlertId
// Drop the right-side key column carried over by the lookup
| project-away AlertId1

Explanation

This KQL query is designed to retrieve and correlate data related to a specific alert in Microsoft Teams, focusing on Data Loss Prevention (DLP) events. Here's a simplified breakdown:

  1. Set Variables:

    • alert_id: The DLP alert identifier to investigate (the query prefixes it with "dl" when matching it against AlertEvidence).
    • query_period: The time range for the query, set to 1 day.
  2. Retrieve Internet Message IDs:

    • From the AlertEvidence table, find all MailMessage entities related to the given alert_id within the last day.
    • Extract and summarize the InternetMessageId from the AdditionalFields.
  3. Retrieve Alert Triggered Events:

    • From the CloudAppEvents table, find all events where an alert was triggered (ActionType == "AlertTriggered") within the last day.
    • Filter these events to match the given alert_id.
    • Extract relevant fields such as UserPrincipalName, Severity, Workload, and sensitive information details.
    • Ensure the workload is MicrosoftTeams and the category is DataLossPrevention.
  4. Join with Alert Entity Generated Events:

    • From the CloudAppEvents table, find all events where an alert entity was generated (ActionType == "AlertEntityGenerated") within the last day.
    • Filter these events to match the given alert_id and ensure the entity type is DlpRuleMatch.
    • Extract details about the DLP rule, such as PolicyId, PolicyName, RuleId, RuleName, and other related information.
    • Perform a left outer join with the previously retrieved alert triggered events based on AlertId.
  5. Project Final Output:

    • Select and format the final set of fields to be displayed, including timestamps, application details, user information, DLP rule details, and the previously retrieved InternetMessageIds; the duplicate AlertId key column produced by the lookup is then removed.

In summary, this query collects and correlates detailed information about a specific DLP alert in Microsoft Teams, including triggered events and related DLP rule matches, within the last day.

Details


Jose Sebastián Canós

Released: September 19, 2024

Tables

AlertEvidence, CloudAppEvents

Keywords

CloudAppEvents, AlertEvidence, MailMessage, MicrosoftTeams, DataLossPrevention

Operators

let, toscalar, where, ago, and, strcat, extend, todynamic, summarize, make_set, tostring, split, project, lookup, kind, leftouter, coalesce, project-away
