File that contains malware detected by Defender For Cloud Apps
File Containing Malware Detected
Query
CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder Timestamp, Application, VirusInfo, ObjectName, FileName, VirusVendorAbout this query
File that contains malware detected by Defender For Cloud Apps
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |
Description
This query lists the FileMalwareDetected based on the uploaded content to your cloud applications (such as OneDrive, SharePoint). This activity does not always raise an alert.
Risk
A user uploaded a malicious executable into your cloud storage, others might execute this as they trust the internal cloud storage.
References
Defender XDR
Sentinel
CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder TimeGenerated, Application, VirusInfo, ObjectName, FileName, VirusVendor
Explanation
This query is designed to identify files containing malware that have been detected by Defender for Cloud Apps in your cloud storage services, such as OneDrive or SharePoint. The query specifically looks for events where a file has been flagged as containing malware, indicated by the action type "FileMalwareDetected."
Here's a simple breakdown of what the query does:
-
Data Source: It searches through the
CloudAppEventsdata, which logs activities related to cloud applications. -
Filter: It filters the events to only include those where a file has been detected with malware (
ActionType == "FileMalwareDetected"). -
Extract Information: It extracts specific details from the raw event data, including:
FileName: The name of the file that was detected with malware.SiteUrl: The URL of the site where the file is stored.VirusVendor: The vendor that identified the malware.VirusInfo: Information about the detected malware.
-
Output: It organizes the output to display the timestamp, application, virus information, object name, file name, and virus vendor in a specific order for easier analysis.
The query helps in identifying potentially harmful files uploaded to your cloud storage, which could pose a risk if other users trust and execute these files.
