KQL for files uploaded to cloud

Page content

This post has some KQL to report on files uploaded to cloud via Microsoft or Google browsers. It requires Office365 sensitivity labels, Defender for EndPoint and (for Google Chrome) the Microsoft Compliance extention

M365 has a Activity Explorer GUI for exploring activity around files. If the files have been classified using Office365 sensitivity labels you can focus on your most sensitive documents. This interface is fine for a demo but you’re unable to save the searches and filters for reuse and you’ll want to filter out ’normal’ approved activity. To create your own custom reports, based on the data behind Activity Explorer, there is the cloudappevents table within M365 Defender for Endpoint Advanced Hunting. Here you can build KQL queries to drill down into the data.

KQL to find and report on sensitive files uploaded to cloud

The following KQL expands the JSON detail within cloudappevents and translates the Office365 Sensitivity label GUIs back to their friendly names.

Find more IT Infrastructure tips at blog.alexmags.com