Query Details

XDR 1 Data Security Behaviors High Severity

Query

DataSecurityEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileUploadedToCloud","FileCopiedToRemovableMedia",
                       "FilePrinted","FileSentInEmail","FileSharedExternally",
                       "FileDownloadedFromSharePoint","FileSyncedToPersonalCloud")
| summarize Events=count(),
            Files=dcount(ObjectId),
            Apps=make_set(ApplicationNames, 5),
            Workloads=make_set(Workload, 5),
            FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
        by AccountUpn, ActionType
| where Files >= 10 or Events >= 25
| order by Events desc

Explanation

This query analyzes DataSecurityEvents from the past week to surface users with high-volume file-handling activity of the kind that can indicate data exfiltration. Here is a breakdown of what it does:

  1. Filter by time: it keeps only events from the last 7 days.

  2. Filter by action type: it keeps only actions that move or expose files, such as uploading files to the cloud, copying to removable media, printing, sending in email, sharing externally, downloading from SharePoint, and syncing to personal cloud storage.

  3. Summarize: for each user (AccountUpn) and action type it calculates:

    • The total number of events (Events).
    • The number of distinct files involved (Files, a distinct count of ObjectId).
    • A set of up to 5 applications used (Apps).
    • A set of up to 5 workloads involved (Workloads).
    • The first and last time the action was seen (FirstSeen and LastSeen).

  4. Filter for significant activity: it keeps only user/action pairs with at least 10 distinct files or at least 25 events. Note that the thresholds apply per pair, not per user: a user who touches 9 files through each of several channels does not appear.

  5. Order results: it sorts by the number of events in descending order, so the most active users and actions appear first.

In short, the query is a volume-based detector: it flags users whose file movement through these channels is unusually high. It does not consider file sensitivity or compare against the user's own baseline, so the output is a hunting lead to triage rather than an alert on its own; tune the thresholds and the action list to your tenant's normal activity to control the noise.
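To make the threshold logic concrete, the following Python is an added example (not part of the original page and not Defender XDR code) that reimplements the query's time filter, action filter, summarize step and thresholds over constructed sample events using the same column names. The user names, file names, application names and the fixed "now" value are invented. It shows that a single file uploaded 30 times trips the Events rule while 9 files sent 24 times slips under both thresholds, and that events outside the window or outside the action list never reach the aggregation.

```python
"""Reproduce the aggregation and thresholds of the KQL hunting query over
constructed events. Sample data is hypothetical, not Defender XDR output."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same action types the KQL `where ActionType in (...)` clause keeps.
RISKY_ACTIONS = {
    "FileUploadedToCloud", "FileCopiedToRemovableMedia", "FilePrinted",
    "FileSentInEmail", "FileSharedExternally",
    "FileDownloadedFromSharePoint", "FileSyncedToPersonalCloud",
}
LOOKBACK = timedelta(days=7)            # ago(7d)
MIN_FILES, MIN_EVENTS, SET_LIMIT = 10, 25, 5

# Fixed "now" so the run is reproducible (assumed value).
NOW = datetime(2026, 5, 25, tzinfo=timezone.utc)


def make_events():
    """Constructed events using the query's column names (assumption)."""
    ev = []

    def add(upn, action, obj, app, workload, hours_ago):
        ev.append({"Timestamp": NOW - timedelta(hours=hours_ago),
                   "AccountUpn": upn, "ActionType": action, "ObjectId": obj,
                   "ApplicationNames": app, "Workload": workload})

    # alice: 12 distinct files to USB -> trips Files >= 10 with only 12 events
    for i in range(12):
        add("alice@contoso.example", "FileCopiedToRemovableMedia",
            f"doc-{i}", "Explorer", "Endpoint", i)
    # bob: one file uploaded 30 times -> trips Events >= 25, Files == 1
    for i in range(30):
        add("bob@contoso.example", "FileUploadedToCloud", "quarterly.xlsx",
            "Edge" if i % 2 else "Chrome", "Endpoint", i)
    # carol: 9 distinct files over 24 emails -> under both thresholds
    for i in range(24):
        add("carol@contoso.example", "FileSentInEmail",
            f"mail-{i % 9}", "Outlook", "Exchange", i)
    # dave: 40 prints, but 10 days old -> outside the 7d window
    for i in range(40):
        add("dave@contoso.example", "FilePrinted",
            f"p-{i}", "Word", "Endpoint", 240 + i)
    # eve: 50 events of an action type the query does not look at
    for i in range(50):
        add("eve@contoso.example", "FileRenamed",
            f"r-{i}", "Explorer", "Endpoint", i)
    return ev


def hunt(events, now=NOW):
    """Return the rows the KQL query would emit, ordered by Events desc."""
    groups = defaultdict(lambda: {"Events": 0, "Files": set(), "Apps": [],
                                  "Workloads": [], "FirstSeen": None,
                                  "LastSeen": None})
    for e in events:
        if e["Timestamp"] <= now - LOOKBACK:        # where Timestamp > ago(7d)
            continue
        if e["ActionType"] not in RISKY_ACTIONS:    # where ActionType in (...)
            continue
        g = groups[(e["AccountUpn"], e["ActionType"])]  # by AccountUpn, ActionType
        g["Events"] += 1                            # count()
        g["Files"].add(e["ObjectId"])               # dcount(ObjectId)
        for key, col in (("Apps", "ApplicationNames"), ("Workloads", "Workload")):
            if e[col] not in g[key] and len(g[key]) < SET_LIMIT:  # make_set(x, 5)
                g[key].append(e[col])
        ts = e["Timestamp"]                         # min()/max() of Timestamp
        g["FirstSeen"] = ts if g["FirstSeen"] is None else min(g["FirstSeen"], ts)
        g["LastSeen"] = ts if g["LastSeen"] is None else max(g["LastSeen"], ts)

    rows = []
    for (upn, action), g in groups.items():
        files = len(g["Files"])
        if files >= MIN_FILES or g["Events"] >= MIN_EVENTS:  # where Files >= 10 or Events >= 25
            rows.append({"AccountUpn": upn, "ActionType": action,
                         "Events": g["Events"], "Files": files,
                         "Apps": g["Apps"], "Workloads": g["Workloads"],
                         "FirstSeen": g["FirstSeen"], "LastSeen": g["LastSeen"]})
    rows.sort(key=lambda r: r["Events"], reverse=True)  # order by Events desc
    return rows


if __name__ == "__main__":
    for row in hunt(make_events()):
        print(row["AccountUpn"], row["ActionType"], row["Events"], row["Files"])
```

Only bob and alice come out, in that order. Carol, who spread 24 sends over 9 files, is the case the per-pair thresholds miss, which is why the thresholds are worth tuning against real tenant volumes rather than trusting as-is.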

Details


David Alonso

Released: May 25, 2026

Tables

DataSecurityEvents

Keywords

DataSecurityEvents, Timestamp, ActionType, ObjectId, ApplicationNames, Workload, AccountUpn

Operators

DataSecurityEvents, |, where, >, ago(), in(), summarize, count(), dcount(), make_set(), min(), max(), by, >=, or, order by, desc
