Query Details

Suspicious File Extension Upload To Office 365

Query

let SusFileExtensions = externaldata(Extension: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/SuspiciousFileExtensions.txt"] with (format="txt", ignoreFirstRecord=False); 
OfficeActivity
| where TimeGenerated > ago(90d)
| where Operation == "FileUploaded" or Operation == "FileDownloaded"
| where SourceFileExtension has_any(SusFileExtensions)
| summarize count() by SourceFileExtension, SourceFileName

Explanation

This query is designed to analyze OfficeActivity logs to identify potentially suspicious file uploads and downloads based on their file extensions. Here's a simple breakdown of what it does:

  1. Define Suspicious Extensions: It starts by loading a list of suspicious file extensions from an external text file hosted on GitHub.

  2. Filter Office Activities: It looks at Office activities from the last 90 days (TimeGenerated > ago(90d)) and focuses on operations where files were either uploaded or downloaded (Operation == "FileUploaded" or Operation == "FileDownloaded").

  3. Check for Suspicious Extensions: It filters these activities to find files with extensions that match any of those in the suspicious list (SourceFileExtension has_any(SusFileExtensions)).

  4. Summarize Results: Finally, it counts the occurrences of each suspicious file extension and groups the results by the file extension and file name (summarize count() by SourceFileExtension, SourceFileName).

In summary, this query helps identify and count potentially suspicious file transfers based on a predefined list of file extensions.
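To make the matching and grouping behaviour of the query concrete, here is an added Python re-implementation of the same pipeline run over a handful of constructed OfficeActivity-style rows. It is example code written for this page, not part of the original query or the author's repository; the extension list is an inline stand-in for the GitHub-hosted text file, and it assumes, as the KQL does, that OfficeActivity stores SourceFileExtension without a leading dot and that has_any matches the extension case-insensitively while summarize groups by the exact string.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the externaldata() source: one extension per line,
# no header row (mirrors ignoreFirstRecord=False).
SUSPICIOUS_EXTENSIONS_TXT = """exe
scr
hta
iso
lnk
vbs
"""

# Constructed OfficeActivity rows holding only the columns the query touches.
NOW = datetime(2024, 11, 11, tzinfo=timezone.utc)
OFFICE_ACTIVITY = [
    {"TimeGenerated": NOW - timedelta(days=1),   "Operation": "FileUploaded",   "SourceFileExtension": "exe",  "SourceFileName": "update.exe"},
    {"TimeGenerated": NOW - timedelta(days=2),   "Operation": "FileUploaded",   "SourceFileExtension": "EXE",  "SourceFileName": "update.exe"},
    {"TimeGenerated": NOW - timedelta(days=3),   "Operation": "FileDownloaded", "SourceFileExtension": "iso",  "SourceFileName": "invoice.iso"},
    {"TimeGenerated": NOW - timedelta(days=5),   "Operation": "FileDownloaded", "SourceFileExtension": "docx", "SourceFileName": "report.docx"},
    {"TimeGenerated": NOW - timedelta(days=120), "Operation": "FileUploaded",   "SourceFileExtension": "hta",  "SourceFileName": "old.hta"},
    {"TimeGenerated": NOW - timedelta(days=4),   "Operation": "FileDeleted",    "SourceFileExtension": "scr",  "SourceFileName": "saver.scr"},
]


def load_extensions(text):
    """Step 1: parse the extension list (the externaldata() step).

    Leading dots are stripped and case is folded so that '.EXE' in the list still
    matches an 'exe' column value (assumption for this example: OfficeActivity
    stores the extension without a dot and has_any is case-insensitive).
    """
    exts = set()
    for line in text.splitlines():
        token = line.strip().lstrip(".").lower()
        if token:
            exts.add(token)
    return exts


def suspicious_transfers(rows, sus_exts, now=NOW, lookback_days=90):
    """Steps 2-4: time window, upload/download filter, extension match, count.

    Returns {(SourceFileExtension, SourceFileName): count}. Grouping keeps the
    extension exactly as logged, mirroring KQL's summarize, which is case-sensitive.
    """
    cutoff = now - timedelta(days=lookback_days)          # ago(90d)
    counts = Counter()
    for row in rows:
        if row["TimeGenerated"] <= cutoff:                 # TimeGenerated > ago(90d)
            continue
        if row["Operation"] not in ("FileUploaded", "FileDownloaded"):
            continue
        if row["SourceFileExtension"].lower() not in sus_exts:   # has_any
            continue
        counts[(row["SourceFileExtension"], row["SourceFileName"])] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = suspicious_transfers(OFFICE_ACTIVITY, load_extensions(SUSPICIOUS_EXTENSIONS_TXT))
    for (ext, name), n in sorted(hits.items()):
        print(f"{ext}\t{name}\t{n}")
```

Running it shows why the 'EXE' and 'exe' rows come out as two separate result lines: the extension filter is case-insensitive, but the final grouping is not, so the same file can be counted under two keys. If that split is unwanted in the real query, normalise the column (for example with tolower()) before the summarize step.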

Details


Jay Kerai

Released: November 11, 2024

Tables

OfficeActivity

Keywords

OfficeActivity, SourceFileExtension, SourceFileName, TimeGenerated, Operation

Operators

let, externaldata, with, where, >, ago, ==, or, has_any, summarize, by
