# Microsoft Purview - DLP - File printed
## Query Information
### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|--------------|------------------------|----------------------------------------------|
| T1005 | Collection: Data from Local System | https://attack.mitre.org/techniques/T1005/ |
### Description
Use the query below to list Microsoft Purview DLP ***File Printed*** activities, including the matched policy, the target printer and any business justification the user entered.
#### References
- [Learn about data loss prevention](https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp)
- [Get started with activity explorer](https://learn.microsoft.com/en-us/purview/data-classification-activity-explorer)
- [Learn about Endpoint data loss prevention](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)
### Microsoft Defender XDR
```kql
CloudAppEvents
| where ActionType == @"FilePrinted"
// Parse RawEventData once and pull the print-specific fields out of it
| extend Raw = parse_json(RawEventData)
| extend
    ObjectId = Raw["ObjectId"],                          // path / identifier of the printed file
    Sha = Raw["Sha256"],                                 // SHA-256 of the printed file
    DeviceName = Raw["DeviceName"],
    Application = Raw["Application"],                    // process that submitted the print job
    PolicyName = Raw["PolicyMatchInfo"]["PolicyName"],   // DLP policy that matched
    TargetPrinterName = Raw["TargetPrinterName"],
    Justification = Raw["Justification"]                 // business justification, if the policy prompted for one
| project
    Timestamp,
    AccountId,
    AccountDisplayName,
    IPAddress,
    DeviceName,
    ObjectId,
    Sha,
    Application,
    PolicyName,
    TargetPrinterName,
    Justification,
    RawEventData
// The justification text is assumed to have the form "<id>_<description>:<comment>"
| extend JustificationTextStr = tostring(Justification)
| extend
    justification_id = extract(@"^([^_]+)", 1, JustificationTextStr),
    justification_description = extract(@"^[^_]+_(.*):", 1, JustificationTextStr),
    justification_comment = extract(@":(.*)$", 1, JustificationTextStr)
| project-away JustificationTextStr
| sort by Timestamp desc
```
This query tracks and analyzes instances where files are printed, as recorded by Microsoft Purview data loss prevention (DLP). It looks at the events Purview's DLP system logs for file printing activities. Here is a breakdown of what the query does:

- Data source: it pulls data from the CloudAppEvents table, keeping only events whose action type is "FilePrinted".
- Data extraction: the query extracts specific details from the raw event data:
  - ObjectId: the identifier (path) of the file.
  - Sha: the SHA-256 hash of the file.
  - DeviceName: the name of the device from which the file was printed.
  - Application: the application used to print the file.
  - PolicyName: the name of the DLP policy that was matched.
  - TargetPrinterName: the name of the printer used.
  - Justification: any business justification the user provided for printing the file.
- Data projection: it selects and displays the relevant fields, such as timestamp, account details, IP address, device name, file details, application, policy name, printer name and justification, and keeps RawEventData for further drill-down.
- Justification parsing: the query breaks the justification text into three parts:
  - justification_id: the identifier at the start of the justification text (everything before the first underscore).
  - justification_description: the description between the underscore and the colon.
  - justification_comment: any free-text comment entered by the user after the colon.
- Sorting: finally, it sorts the results by timestamp in descending order, showing the most recent events first.

Overall, this query helps security teams monitor and investigate file printing activities that may pose a risk of data loss, by providing detailed insights into each printing event and the justification given for it.
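To show the same filtering, field extraction and justification parsing outside of advanced hunting (for example when working with exported CloudAppEvents rows or testing parsing logic offline), here is an added Python example. It is not part of the original page or of the query author's work. The event records are constructed samples that only mimic the shape of CloudAppEvents rows (an ActionType column and a RawEventData JSON payload using the field names the query above reads); the "<id>_<description>:<comment>" justification layout is an assumption taken from the query's regular expressions, not a documented schema. The `parse_justification_as_query` function reproduces the query's three `extract()` calls exactly, and `parse_justification_strict` is an alternative that splits on the first separators instead.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed sample rows mimicking CloudAppEvents (NOT real telemetry).
# RawEventData is stored as a JSON string, as it arrives in exports; in
# advanced hunting it is already a dynamic column.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "Timestamp": "2025-05-11T09:14:02Z",
        "ActionType": "FilePrinted",
        "AccountDisplayName": "Jane Doe",
        "RawEventData": json.dumps({
            "ObjectId": "C:\\Users\\jdoe\\Documents\\payroll-q1.xlsx",
            "Sha256": "8a1f" * 16,  # constructed placeholder hash
            "DeviceName": "LAPTOP-042",
            "Application": "EXCEL.EXE",
            "PolicyMatchInfo": {"PolicyName": "PII - Endpoint"},
            "TargetPrinterName": "HR-Printer-2",
            "Justification": "2_Manager approved:Printing for audit review",
        }),
    },
    {   # free-text comment that itself contains a colon
        "Timestamp": "2025-05-11T10:30:45Z",
        "ActionType": "FilePrinted",
        "AccountDisplayName": "Sam Lee",
        "RawEventData": json.dumps({
            "ObjectId": "C:\\Users\\slee\\Desktop\\customer-list.docx",
            "Sha256": "c0de" * 16,  # constructed placeholder hash
            "DeviceName": "DESKTOP-117",
            "Application": "WINWORD.EXE",
            "PolicyMatchInfo": {"PolicyName": "Confidential - Endpoint"},
            "TargetPrinterName": "Microsoft Print to PDF",
            "Justification": "1_Business need:see ticket INC:4711",
        }),
    },
    {   # a different DLP action that the query must filter out
        "Timestamp": "2025-05-11T10:35:00Z",
        "ActionType": "FileCopiedToRemovableMedia",
        "AccountDisplayName": "Sam Lee",
        "RawEventData": json.dumps({"ObjectId": "E:\\dump.zip", "DeviceName": "DESKTOP-117"}),
    },
    {   # print event where the policy did not prompt for a justification
        "Timestamp": "2025-05-11T08:02:10Z",
        "ActionType": "FilePrinted",
        "AccountDisplayName": "Jane Doe",
        "RawEventData": json.dumps({
            "ObjectId": "C:\\Users\\jdoe\\Documents\\agenda.docx",
            "Sha256": "beef" * 16,  # constructed placeholder hash
            "DeviceName": "LAPTOP-042",
            "Application": "WINWORD.EXE",
            "PolicyMatchInfo": {"PolicyName": "Audit only - Endpoint"},
            "TargetPrinterName": "HR-Printer-2",
        }),
    },
]


def kql_extract(pattern: str, text: str) -> Optional[str]:
    """Mimic KQL extract(regex, 1, text): first match's capture group 1, else null (None)."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_justification_as_query(text: Optional[str]) -> Dict[str, Optional[str]]:
    """Exactly the three extract() calls of the query. tostring(null) is "" in KQL."""
    s = text or ""
    return {
        "id": kql_extract(r"^([^_]+)", s),
        "description": kql_extract(r"^[^_]+_(.*):", s),  # greedy: runs to the LAST colon
        "comment": kql_extract(r":(.*)$", s),            # everything after the FIRST colon
    }


def parse_justification_strict(text: Optional[str]) -> Dict[str, Optional[str]]:
    """Split on the first '_' and the first ':' so a colon inside the comment is preserved."""
    if not text:
        return {"id": None, "description": None, "comment": None}
    ident, sep, rest = text.partition("_")
    if not sep:
        return {"id": None, "description": text, "comment": None}
    description, sep, comment = rest.partition(":")
    return {"id": ident, "description": description, "comment": comment if sep else None}


def hunt_file_printed(events: List[Dict[str, Any]], strict: bool = False) -> List[Dict[str, Any]]:
    """Filter to FilePrinted, project the fields the query projects, parse the justification, sort newest first."""
    parser = parse_justification_strict if strict else parse_justification_as_query
    rows = []
    for ev in events:
        if ev.get("ActionType") != "FilePrinted":
            continue
        raw = ev["RawEventData"]
        raw = json.loads(raw) if isinstance(raw, str) else raw
        parsed = parser(raw.get("Justification"))
        rows.append({
            "Timestamp": ev.get("Timestamp"),
            "AccountDisplayName": ev.get("AccountDisplayName"),
            "DeviceName": raw.get("DeviceName"),
            "ObjectId": raw.get("ObjectId"),
            "Sha": raw.get("Sha256"),
            "Application": raw.get("Application"),
            "PolicyName": (raw.get("PolicyMatchInfo") or {}).get("PolicyName"),
            "TargetPrinterName": raw.get("TargetPrinterName"),
            "justification_id": parsed["id"],
            "justification_description": parsed["description"],
            "justification_comment": parsed["comment"],
        })
    rows.sort(key=lambda r: r["Timestamp"] or "", reverse=True)
    return rows


if __name__ == "__main__":
    for row in hunt_file_printed(SAMPLE_EVENTS):
        print(json.dumps(row, indent=2))
```

Running the query-faithful parser over the second sample row shows the caveat a practitioner should know before building alerts on `justification_description`: the description regex is greedy up to the last colon while the comment regex starts at the first, so a comment containing a colon ("see ticket INC:4711") bleeds into the description. The strict variant splits on the first underscore and first colon and keeps the two fields disjoint; the same change in KQL would be to use `[^:]*` instead of `.*` in the description pattern.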

Alex Verboon
Released: May 11, 2025