KQL for files uploaded to cloud
This post has some KQL to report on files uploaded to cloud via Microsoft or Google browsers. It requires Office365 sensitivity labels, Defender for Endpoint and (for Google Chrome) the Microsoft Compliance extension.
Activity Explorer
M365 has an Activity Explorer GUI for exploring activity around files. If the files have been classified using Office365 sensitivity labels you can focus on your most sensitive documents. This interface is fine for a demo, but you're unable to save your searches and filters for reuse, and you'll want to filter out 'normal' approved activity. You can export Activity Explorer data with the Export-ActivityExplorerData cmdlet. Have a look at https://aka.ms/KD-ActivityExplorer.
Defender advanced hunting cloudappevents table
To create your own custom reports based on the data behind Activity Explorer, there is the CloudAppEvents table within M365 Defender Advanced Hunting. Here you can build KQL queries to drill down into the data.
KQL to find and report on sensitive files uploaded to cloud
The following KQL expands the JSON detail within CloudAppEvents and translates the Office365 sensitivity label GUIDs back to their friendly names.
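As an added illustration (my own example, not the post's query), the shape such a report takes: a lookup table maps label GUIDs to names, `parse_json` expands RawEventData, and approved destinations are filtered out. The label GUIDs are placeholders, and the JSON field names under RawEventData (ObjectId, DeviceName, TargetDomain, Application, SensitivityLabelEventData) are assumptions to check against a real event in your tenant.

```kql
// Added example, not the post's own KQL. Reports browser uploads to cloud
// recorded by Endpoint DLP in CloudAppEvents, with label GUIDs made readable.
// Label GUIDs are placeholders; RawEventData field names are assumptions.
let LabelNames = datatable(SensitivityLabelId:string, LabelName:string) [
    "00000000-0000-0000-0000-000000000001", "Confidential",
    "00000000-0000-0000-0000-000000000002", "Highly Confidential"
];
// Destinations where uploads are expected ('normal' activity to filter out)
let ApprovedDestinations = dynamic(["sharepoint.com", "onedrive.com"]);
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "FileUploadedToCloud"
| extend Raw = parse_json(RawEventData)
| extend FileName = tostring(Raw.ObjectId),
         DeviceName = tostring(Raw.DeviceName),
         TargetDomain = tostring(Raw.TargetDomain),
         Browser = tostring(Raw.Application),
         SensitivityLabelId = tostring(Raw.SensitivityLabelEventData.SensitivityLabelId)
// Only labelled (classified) files are of interest
| where isnotempty(SensitivityLabelId)
// Drop uploads to approved corporate destinations
| where not(TargetDomain has_any (ApprovedDestinations))
// Translate GUID to friendly name; fall back to the GUID for unknown labels
| lookup kind=leftouter LabelNames on SensitivityLabelId
| extend LabelName = coalesce(LabelName, SensitivityLabelId)
| summarize Uploads = count(),
            Files = make_set(FileName, 20),
            Browsers = make_set(Browser, 5),
            Devices = make_set(DeviceName, 5)
  by AccountDisplayName, TargetDomain, LabelName
| order by Uploads desc
```

Inspect one matching row with `| take 1` and `RawEventData` projected before trusting the field paths, since Endpoint DLP has changed the JSON layout between releases.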
Find more IT Infrastructure tips at blog.alexmags.com