# File that contains malware detected by Defender For Cloud Apps

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |

### Description

This query lists FileMalwareDetected events raised for content uploaded to your cloud applications (such as OneDrive and SharePoint). This activity does not always raise an alert.

### Risk

A user uploaded a malicious executable to your cloud storage; other users might execute it because they trust internal cloud storage.

### References

## Defender XDR

```kql
CloudAppEvents
// Malware detections raised on content uploaded to a connected cloud app
| where ActionType == "FileMalwareDetected"
// Pull the file, site and AV verdict details out of the raw event payload
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
// Put the most useful columns first; all other columns are kept
| project-reorder Timestamp, Application, VirusInfo, ObjectName, FileName, VirusVendor
```

## Sentinel

```kql
CloudAppEvents
// Malware detections raised on content uploaded to a connected cloud app
| where ActionType == "FileMalwareDetected"
// Pull the file, site and AV verdict details out of the raw event payload
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
// Put the most useful columns first; Sentinel uses TimeGenerated instead of Timestamp
| project-reorder TimeGenerated, Application, VirusInfo, ObjectName, FileName, VirusVendor
```
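The query below is an added example, not part of this repository's query: it builds on the FileMalwareDetected lookup above to follow up on the risk described (other users trusting and opening the file), listing accounts other than the uploader that downloaded or accessed a flagged object within seven days of the detection. It assumes the Defender XDR CloudAppEvents schema (Timestamp, AccountDisplayName, AccountObjectId, ObjectName) and that "FileDownloaded" and "FileAccessed" are valid ActionType values; in Sentinel replace Timestamp with TimeGenerated.

```kql
// Added example: who else touched a file after it was flagged as malware?
// Assumptions: AccountDisplayName on the FileMalwareDetected event is the uploader,
// and "FileDownloaded" / "FileAccessed" are the ActionType values for reads.
let lookback = 30d;   // how far back to search for detections and accesses
let window = 7d;      // how long after the detection to look for other accesses
let flagged = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileMalwareDetected"
    | extend FileName = tostring(parse_json(RawEventData).['SourceFileName'])
    | project DetectedAt = Timestamp, Application, ObjectName, FileName,
              Uploader = AccountDisplayName;
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileDownloaded", "FileAccessed")
| project AccessedAt = Timestamp, ObjectName, ActionType,
          Accessor = AccountDisplayName, AccessorId = AccountObjectId
// Match accesses to detections on the same object path
| join kind=inner flagged on ObjectName
// Keep only accesses that happened after the detection, within the window
| where AccessedAt between (DetectedAt .. (DetectedAt + window))
// Ignore the uploader's own activity on the file
| where Accessor != Uploader
| summarize Accesses = count(),
            FirstAccess = min(AccessedAt),
            LastAccess = max(AccessedAt),
            Actions = make_set(ActionType)
    by ObjectName, FileName, Application, Uploader, Accessor, AccessorId
| order by Accesses desc
```

Each result row is one account that may have obtained a copy of the flagged file, which gives the incident responder a list of endpoints to check for execution of that file.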