Query Details

Purview DLP Activity File Uploaded To Cloud

Query

# Microsoft Purview - DLP - File copied to Cloud

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title                                  | Link                                                   |
|--------------|----------------------------------------|--------------------------------------------------------|
| T1537        | Exfiltration: Transfer Data to Cloud Account | https://attack.mitre.org/techniques/T1537/       |

### Description

Use the query below to see Microsoft Purview DLP ***File copied to Cloud*** activities.

#### References

- [Learn about data loss prevention](https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp)
- [Get started with activity explorer](https://learn.microsoft.com/en-us/purview/data-classification-activity-explorer)
- [Learn about Endpoint data loss prevention](https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about)

### Microsoft Defender XDR

```kql
CloudAppEvents
| where ActionType == @"FileUploadedToCloud"
// Parse the raw event JSON once and pull the DLP fields out of it
| extend Raw = parse_json(RawEventData)
| extend ObjectId = Raw["ObjectId"]
| extend Sha = Raw["Sha256"]
| extend DeviceName = Raw["DeviceName"]
| extend Application = Raw["Application"]
| extend PolicyName = Raw["PolicyMatchInfo"]["PolicyName"]
| extend TargetUrl = Raw["TargetUrl"]
| extend TargetDomain = Raw["TargetDomain"]
| extend OriginatingDomain = Raw["OriginatingDomain"]
| extend Justification = Raw["Justification"]
| project
    Timestamp,
    AccountId,
    AccountDisplayName,
    IPAddress,
    DeviceName,
    ObjectId,
    Sha,
    Application,
    PolicyName,
    TargetUrl,
    TargetDomain,
    OriginatingDomain,
    Justification,
    RawEventData
// Uncomment to keep only uploads where the user supplied a justification
//| where isnotempty(Justification)
// Split the justification text "id_description:comment" into its three parts
| extend JustificationTextStr = tostring(Justification)
| extend
    justification_id = extract(@"^([^_]+)", 1, JustificationTextStr),
    justification_description = extract(@"^[^_]+_(.*):", 1, JustificationTextStr),
    justification_comment = extract(@":(.*)$", 1, JustificationTextStr)
| project-away JustificationTextStr
| sort by Timestamp desc
```

Explanation

This query is designed to identify and analyze activities where files are copied to the cloud, which is a potential data exfiltration event. It specifically looks for events where files are uploaded to cloud services, as tracked by Microsoft Purview's Data Loss Prevention (DLP) capabilities.

Here's a simplified breakdown of what the query does:

1. Data Source: It starts from the CloudAppEvents table, which contains events related to cloud applications.

2. Filter: It keeps only events whose action type is "FileUploadedToCloud", indicating a file was uploaded to a cloud service.

3. Extract Information: The query parses the raw event data (RawEventData) and extracts the following fields from it:

   - ObjectId: The identifier of the file.
   - Sha: The SHA-256 hash of the file, which can be used to verify its integrity.
   - DeviceName: The name of the device from which the file was uploaded.
   - Application: The application used to upload the file.
   - PolicyName: The name of the DLP policy that was matched.
   - TargetUrl and TargetDomain: The URL and domain to which the file was uploaded.
   - OriginatingDomain: The domain from which the upload originated.
   - Justification: Any justification the user provided for the upload.

4. Project: It selects the specific fields to display, including the account, IP address and the raw event data for further investigation.

5. Justification Parsing: It splits the justification text into an ID, a description and a comment, if present (the text is expected in the form "id_description:comment"). An optional, commented-out filter can restrict the results to uploads that carry a justification.

6. Sort: It orders the results by the event timestamp in descending order, so the most recent uploads appear first.

This query is useful for security analysts who want to monitor and investigate potential data exfiltration incidents involving cloud uploads, helping them understand the context and details of each event.
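As an added worked example that is not part of the original query page, the Python below reproduces the query's logic offline over a few constructed CloudAppEvents rows: the ActionType filter, the unpacking of RawEventData, the projected columns and the three regular expressions used to split the justification text. The sample rows, account names, domains and the "id_description:comment" justification string are constructed for the example, not real telemetry.

```python
import json
import re

# Regexes copied from the query's three extract() calls.
JUST_ID = re.compile(r"^([^_]+)")
JUST_DESC = re.compile(r"^[^_]+_(.*):")
JUST_COMMENT = re.compile(r":(.*)$")
# Output column -> key inside RawEventData, as in the query's extend statements.
RAW_FIELDS = {"ObjectId": "ObjectId", "Sha": "Sha256", "DeviceName": "DeviceName", "Application": "Application",
              "TargetUrl": "TargetUrl", "TargetDomain": "TargetDomain", "OriginatingDomain": "OriginatingDomain"}


def parse_justification(justification):
    """Split 'id_description:comment' into the query's three columns; a part is None when absent."""
    text = "" if justification is None else str(justification)
    parts = {}
    for name, rx in (("justification_id", JUST_ID), ("justification_description", JUST_DESC),
                     ("justification_comment", JUST_COMMENT)):
        m = rx.search(text)
        parts[name] = m.group(1) if m else None
    return parts


def run_query(events):
    """Filter on ActionType, unpack RawEventData, project the query's columns, newest first."""
    rows = []
    for ev in events:
        if ev.get("ActionType") != "FileUploadedToCloud":
            continue
        raw = json.loads(ev.get("RawEventData") or "{}")  # parse_json(RawEventData)
        row = {k: ev.get(k) for k in ("Timestamp", "AccountId", "AccountDisplayName", "IPAddress")}
        row.update({col: raw.get(key) for col, key in RAW_FIELDS.items()})
        row["PolicyName"] = (raw.get("PolicyMatchInfo") or {}).get("PolicyName")
        row.update(parse_justification(raw.get("Justification")))
        rows.append(row)
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)


# Constructed sample rows, not real telemetry; RawEventData is the JSON string the query parses.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-05-11T09:15:00Z", "ActionType": "FileUploadedToCloud", "AccountId": "u1",
     "AccountDisplayName": "jdoe", "IPAddress": "203.0.113.10", "RawEventData": json.dumps({
         "ObjectId": "C:\\Users\\jdoe\\customers.xlsx", "Sha256": "ab" * 32, "DeviceName": "LAPTOP-01",
         "Application": "chrome.exe", "PolicyMatchInfo": {"PolicyName": "PII - Endpoint"},
         "TargetUrl": "https://drive.example.net/upload", "TargetDomain": "drive.example.net",
         "OriginatingDomain": "example.com", "Justification": "2_Business need:Sending report to partner"})},
    {"Timestamp": "2025-05-11T10:00:00Z", "ActionType": "FileUploadedToCloud", "AccountId": "u2",
     "AccountDisplayName": "asmith", "IPAddress": "198.51.100.7", "RawEventData": json.dumps({
         "ObjectId": "C:\\Users\\asmith\\notes.docx", "Sha256": "cd" * 32, "DeviceName": "LAPTOP-02",
         "Application": "msedge.exe", "PolicyMatchInfo": {"PolicyName": "PII - Endpoint"},
         "TargetDomain": "box.example.org"})},  # no Justification: all three parts come back None
    {"Timestamp": "2025-05-11T11:00:00Z", "ActionType": "FileDeleted", "RawEventData": "{}"},
]
```

Running `run_query(SAMPLE_EVENTS)` returns the two upload rows newest first and drops the FileDeleted row, which makes it a convenient harness for checking how the justification regexes behave on text formats seen in your own tenant before changing the query.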

Details


Alex Verboon

Released: May 11, 2025

Tables

CloudAppEvents

Keywords

Microsoft, Purview, DLP, Cloud, File, Device, Application, Policy, Account, IPAddress, Domain

Operators

where, extend, parse_json, project, isnotempty, tostring, extract, project-away, sort
