kqlHunting

Data Sources: CloudAppEvents
Platforms: azure-sentinel, microsoft-defender
Tags: defender-for-cloud-apps, detection
# File that contains malware detected by Defender For Cloud Apps
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |
#### Description
This query lists the *FileMalwareDetected* events that Defender for Cloud Apps records for content uploaded to your cloud applications (such as OneDrive and SharePoint). This activity does not always raise an alert.
#### Risk
A user uploaded a malicious executable to your cloud storage; other users might execute it because they trust the internal cloud storage.
#### References
- https://samilamppu.com/2022/05/04/deep-diver-defender-for-cloud-apps-malware-detection-in-office-365-workloads/
## Defender XDR
```KQL
CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder Timestamp, Application, VirusInfo, ObjectName, FileName, VirusVendor
```
## Sentinel
```KQL
CloudAppEvents
| where ActionType == "FileMalwareDetected"
| extend FileName = parse_json(RawEventData).['SourceFileName']
| extend SiteUrl = parse_json(RawEventData).['SiteUrl']
| extend VirusVendor = parse_json(RawEventData).['VirusVendor']
| extend VirusInfo = parse_json(RawEventData).['VirusInfo']
| project-reorder TimeGenerated, Application, VirusInfo, ObjectName, FileName, VirusVendor
```
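The risk section above notes that other users may run a flagged file because they trust internal storage. The following query is an added example, not part of the original kqlHunting query: it takes the same *FileMalwareDetected* events and joins them with later download or access events for the same object by a different account, which is the follow-up a responder wants when the upload itself raised no alert. It uses the Defender XDR schema (replace Timestamp with TimeGenerated for Sentinel). The ActionType values FileDownloaded, FileAccessed and FileSyncDownloadedFull are the standard SharePoint/OneDrive audit operations and are assumed here, as are the 30-day lookback and 7-day follow-up window; tune both to your tenant.

```kql
// Added example (not part of the original kqlHunting query).
// Goal: for each FileMalwareDetected event, find accounts other than the
// uploader that downloaded or accessed the same object within `window`.
let lookback = 30d;   // assumed: how far back to search for detections
let window = 7d;      // assumed: how long after detection to look for access
let Detections =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileMalwareDetected"
    | extend FileName  = tostring(parse_json(RawEventData).SourceFileName)
    | extend VirusInfo = tostring(parse_json(RawEventData).VirusInfo)
    | project DetectionTime = Timestamp, Application, ObjectName, FileName, VirusInfo,
              UploaderId = AccountObjectId, Uploader = AccountDisplayName;
CloudAppEvents
| where Timestamp > ago(lookback)
// assumed ActionType values: standard SharePoint/OneDrive audit operations
| where ActionType in ("FileDownloaded", "FileAccessed", "FileSyncDownloadedFull")
| project AccessTime = Timestamp, ObjectName, Application, ActionType, IPAddress,
          AccessorId = AccountObjectId, Accessor = AccountDisplayName
// ObjectName holds the file URL for both the detection and the access events
| join kind=inner Detections on ObjectName, Application
// keep only access that happened after the malware detection, inside the window
| where AccessTime between (DetectionTime .. (DetectionTime + window))
// the uploader touching their own file is expected; other accounts are the concern
| where AccessorId != UploaderId
| summarize Accesses = count(),
            FirstAccess = min(AccessTime),
            Actions = make_set(ActionType),
            SourceIPs = make_set(IPAddress)
    by ObjectName, FileName, VirusInfo, Uploader, Accessor, Application
| order by FirstAccess asc
```

Each result row is one account that touched a file after Defender for Cloud Apps flagged it, with the first access time and the source IPs, which is the list to use when deciding who to contact or which endpoints to check.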