Suspicious File Extension Upload To Office 365
Query
let SusFileExtensions = externaldata(Extension: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/SuspiciousFileExtensions.txt"] with (format="txt", ignoreFirstRecord=False);
OfficeActivity
| where TimeGenerated > ago(90d)
| where Operation == "FileUploaded" or Operation == "FileDownloaded"
| where SourceFileExtension has_any(SusFileExtensions)
| summarize count() by SourceFileExtension, SourceFileNameExplanation
This query is designed to analyze OfficeActivity logs to identify potentially suspicious file uploads and downloads based on their file extensions. Here's a simple breakdown of what it does:
-
Define Suspicious Extensions: It starts by loading a list of suspicious file extensions from an external text file hosted on GitHub.
-
Filter Office Activities: It looks at Office activities from the last 90 days (
TimeGenerated > ago(90d)) and focuses on operations where files were either uploaded or downloaded (Operation == "FileUploaded"orOperation == "FileDownloaded"). -
Check for Suspicious Extensions: It filters these activities to find files with extensions that match any of those in the suspicious list (
SourceFileExtension has_any(SusFileExtensions)). -
Summarize Results: Finally, it counts the occurrences of each suspicious file extension and groups the results by the file extension and file name (
summarize count() by SourceFileExtension, SourceFileName).
In summary, this query helps identify and count potentially suspicious file transfers based on a predefined list of file extensions.
Details

Jay Kerai
Released: November 11, 2024
Tables
Keywords
Operators