# Microsoft Purview - DLP - File copied to clipboard
## Query Information
### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|--------------|----------------------------|---------------------------------------------------|
| T1115 | Collection: Clipboard Data | https://attack.mitre.org/techniques/T1115/ |
### Description
Use the query below to list Microsoft Purview DLP ***File copied to clipboard*** activities.
#### References
- [Learn about data loss prevention](https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp)
- [Get started with activity explorer](https://learn.microsoft.com/en-us/purview/data-classification-activity-explorer)
- [Learn about Endpoint data loss prevention](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)
### Microsoft Defender XDR
```kql
CloudAppEvents
| where ActionType == @"FileCopiedToClipboard"
// RawEventData carries the Purview audit record; parse it once and pull out the fields of interest
| extend Raw = parse_json(RawEventData)
| extend ObjectId = Raw["ObjectId"]
| extend Sha = Raw["Sha256"]
| extend DeviceName = Raw["DeviceName"]
| extend Application = Raw["Application"]
| extend PolicyName = Raw["PolicyMatchInfo"]["PolicyName"]
| extend TargetFilePath = Raw["TargetFilePath"]
| extend Justification = Raw["Justification"]
| project
    Timestamp,
    AccountId,
    AccountDisplayName,
    IPAddress,
    DeviceName,
    ObjectId,
    Sha,
    Application,
    PolicyName,
    TargetFilePath,
    Justification,
    RawEventData
// The extracts below assume the justification text has the form "<id>_<description>:<comment>"
| extend JustificationTextStr = tostring(Justification)
| extend
    justification_id = extract(@"^([^_]+)", 1, JustificationTextStr),
    justification_description = extract(@"^[^_]+_(.*):", 1, JustificationTextStr),
    justification_comment = extract(@":(.*)$", 1, JustificationTextStr)
| project-away JustificationTextStr
| sort by Timestamp desc
```
This query is designed to monitor and analyze activities related to files being copied to the clipboard, which is a potential data loss prevention (DLP) concern. It specifically looks for events where files are copied to the clipboard, as recorded by Microsoft Purview's DLP capabilities. Here's a simplified breakdown of what the query does:

- **Source of data:** The query pulls data from `CloudAppEvents`, which logs various actions related to cloud applications.
- **Filter criteria:** It filters the events to only include those where the action type is `FileCopiedToClipboard`. This means it focuses on instances where files are copied to the clipboard, a common method for data exfiltration.
- **Data extraction:** The query extracts several pieces of information from the raw event data:
  - `ObjectId`: The identifier of the object (file) involved.
  - `Sha`: The SHA-256 hash of the file, which uniquely identifies it.
  - `DeviceName`: The name of the device from which the file was copied.
  - `Application`: The application used to perform the action.
  - `PolicyName`: The name of the DLP policy that was triggered.
  - `TargetFilePath`: The file path of the copied file.
  - `Justification`: Any justification provided for the action.
- **Data presentation:** The query projects (selects) specific fields to display, including the timestamp, account information, IP address, and the extracted details mentioned above.
- **Justification parsing:** It further processes the `Justification` field to break it down into:
  - `justification_id`: An identifier for the justification.
  - `justification_description`: A description of the justification.
  - `justification_comment`: Any additional comments provided.
- **Sorting:** Finally, the results are sorted by timestamp in descending order, showing the most recent events first.

Overall, this query helps security analysts track and investigate potential data leakage incidents where files are copied to the clipboard, providing detailed context about each event.
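The three `extract()` calls in the query split the justification text with regular expressions, and it is worth seeing exactly what they return on inputs that do not follow the expected `<id>_<description>:<comment>` shape before relying on those columns in a detection or report. The following Python script is an added example, not part of the original query or of Microsoft Purview; it re-applies the same three patterns to constructed sample strings. Python's `re` module stands in for the RE2 engine behind KQL's `extract()`; for these patterns (anchors, greedy `.*`, leftmost match) the captures agree, and a non-match is modelled as the empty string because KQL strings have no null value. The sample justification values are invented for illustration and are not real Purview output.

```python
import re

# Same three patterns as the extract() calls in the KQL query.
_ID_RE = re.compile(r"^([^_]+)")          # everything before the first underscore
_DESC_RE = re.compile(r"^[^_]+_(.*):")    # greedy: runs to the LAST colon
_COMMENT_RE = re.compile(r":(.*)$")       # leftmost: starts at the FIRST colon


def kql_extract(pattern: re.Pattern, capture_group: int, source: str) -> str:
    """Mimic KQL extract(regex, captureGroup, source) for a string result.

    KQL strings cannot be null, so a non-match surfaces as "" in the query's
    output columns; this helper (an assumption of the example) does the same.
    """
    m = pattern.search(source)
    return m.group(capture_group) if m else ""


def parse_justification(justification: str) -> dict:
    """Split one justification string the way the query's extend clause does."""
    return {
        "justification_id": kql_extract(_ID_RE, 1, justification),
        "justification_description": kql_extract(_DESC_RE, 1, justification),
        "justification_comment": kql_extract(_COMMENT_RE, 1, justification),
    }


# Constructed sample values for the example, not real Purview data.
SAMPLES = {
    "well_formed": "1_I need to share this file:Customer asked for a copy",
    "no_comment": "3_Manager approved",                   # no colon at all
    "colon_in_description": "2_Policy: exception:see ticket 42",
    "underscore_in_comment": "4_Other:legacy_tool export",
    "empty": "",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:22} {parse_justification(value)}")
```

The `colon_in_description` case is the one to watch: because the description pattern is greedy and the comment pattern starts at the first colon, a justification containing two colons yields overlapping description and comment values rather than a clean split. If free-text comments in your tenant can contain colons, tighten the patterns (for example `^[^_]+_([^:]*):` and `^[^:]*:(.*)$`) before building reports on those columns.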

Alex Verboon
Released: May 11, 2025