Query Details

Security Alert: Parse Malicious File Info and Find Device Events

Query

//When Defender for Office 365 removes a malicious file from an email, track down all device events with the same file hash

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//Data connector required for this query - M365 Defender - Email* tables

let filehashes=
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName == "OATP"
| where AlertName == "Email messages containing malicious file removed after delivery​"
| mv-expand todynamic(Entities)
| extend Files = Entities.Files
| project Files
| mv-expand Files
| extend FileHashes = Files.FileHashes
| mv-expand FileHashes
| extend FileHash = tolower(tostring(FileHashes.Value))
| where isnotempty( FileHash)
| distinct FileHash;
DeviceFileEvents
| where TimeGenerated > ago(7d)
| project
    TimeGenerated,
    ActionType,
    FileName,
    DeviceName,
    SHA256,
    InitiatingProcessAccountUpn
//DeviceFileEvents stores SHA256 as lowercase hex, which is why the alert hashes are lowercased above
| where SHA256 in (filehashes)

Explanation

This query looks for device events related to a malicious file that Defender for Office 365 removed from an email after delivery. It first parses the Entities JSON of the matching SecurityAlert rows to collect the file hashes of the removed files, then searches the DeviceFileEvents table for events whose SHA256 matches one of those hashes. The query looks at events from the past 7 days and returns the time of the event, the action taken, the file name, the device name, the SHA256 hash, and the account associated with the process that initiated the event.
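As an added illustration, not part of the original query or page, the following Python snippet walks the same Entities structure the query expands (entity -> Files -> FileHashes -> Value) and matches the collected hashes against device events. The entity layout is assumed from the shape of the query, and all hash values and rows are constructed placeholders.

```python
import json

# Constructed sample: the Entities column of one SecurityAlert row, shaped the way
# the query walks it. Hash values are well-known empty-input digests, not indicators.
SAMPLE_ENTITIES = json.dumps([
    {"$id": "1", "Type": "mailbox", "MailboxPrimaryAddress": "user@example.com"},
    {"$id": "2", "Type": "mailMessage", "Subject": "Invoice",
     "Files": [
         {"$id": "3", "Type": "file", "Name": "invoice.docm",
          "FileHashes": [
              {"Algorithm": "SHA1", "Value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"},
              {"Algorithm": "SHA256",
               "Value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
          ]},
         {"$id": "4", "Type": "file", "Name": "notes.txt", "FileHashes": []},
     ]},
])

def extract_file_hashes(entities_json, algorithm="SHA256"):
    """Mirror the query's mv-expand chain and return a set of lowercase hashes.
    Only hashes of the requested algorithm are kept, so a SHA1 value is never
    compared against the SHA256 column of DeviceFileEvents."""
    hashes = set()
    for entity in json.loads(entities_json):
        for file_entity in entity.get("Files") or []:
            for fh in file_entity.get("FileHashes") or []:
                value = str(fh.get("Value", "")).strip().lower()
                if value and str(fh.get("Algorithm", "")).upper() == algorithm:
                    hashes.add(value)
    return hashes

# Constructed rows standing in for the projected DeviceFileEvents columns.
SAMPLE_DEVICE_EVENTS = [
    {"TimeGenerated": "2022-06-17T10:01:00Z", "ActionType": "FileCreated",
     "FileName": "invoice.docm", "DeviceName": "ws01",
     "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "InitiatingProcessAccountUpn": "user@example.com"},
    {"TimeGenerated": "2022-06-17T10:02:00Z", "ActionType": "FileCreated",
     "FileName": "setup.exe", "DeviceName": "ws02",
     "SHA256": "0" * 64, "InitiatingProcessAccountUpn": "other@example.com"},
]

def match_device_events(events, hashes):
    """Equivalent of `| where SHA256 in (filehashes)` over the sample rows."""
    return [e for e in events if str(e.get("SHA256", "")).lower() in hashes]

if __name__ == "__main__":
    for hit in match_device_events(SAMPLE_DEVICE_EVENTS, extract_file_hashes(SAMPLE_ENTITIES)):
        print(hit["TimeGenerated"], hit["DeviceName"], hit["FileName"], hit["ActionType"])
```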

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert, DeviceFileEvents

Keywords

Devices, Intune, User

Operators

ago, where, mv-expand, extend, project, tolower, tostring, isnotempty, distinct, in