How to generate hash (SHA256) of file from SharePoint or OneDrive using Microsoft Defender for Cloud


In an organization's Microsoft Defender for Cloud Apps, is it possible to generate the file hash of a certain file located in Microsoft SharePoint Online or OneDrive by using Advanced Hunting?

The sample query I found is pasted below; however, I don't know how to incorporate generation of the file hash (SHA256).


CloudAppEvents
| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"
| where ObjectType == "File" and ObjectName endswith ".xlsx"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode
| take 50

1 Reply

@Kensapphire 

To generate the SHA256 hash of a file from SharePoint or OneDrive using Microsoft Defender for Cloud (previously known as Microsoft Defender Advanced Threat Protection), you can utilize the Microsoft Graph API. Here's an outline of the steps involved:

  1. Set up an application in Azure AD: To access the Microsoft Graph API, you'll need to register an application in Azure Active Directory (AD) and obtain the necessary credentials (client ID and client secret). This step requires administrative access to Azure AD.

  2. Obtain an access token: Using the client credentials (client ID and client secret) obtained in the previous step, you'll need to authenticate and obtain an access token for your application. This token will be used to authorize requests to the Microsoft Graph API.

  3. Build the API request: Construct a request to the Microsoft Graph API to retrieve the file content. The API endpoint you'll use is GET /sites/{site-id}/drive/items/{item-id}/content. Replace {site-id} with the ID of the SharePoint site or OneDrive, and {item-id} with the ID of the file you want to calculate the hash for.

  4. Calculate the SHA256 hash: Once you have retrieved the file content, you can use a suitable library or function in your programming language to calculate the SHA256 hash of the file data.

Here's an example of how you might accomplish this using the Microsoft Defender for Endpoint API and Python:

import requests
import hashlib

# Set up the API request
site_id = "<your-site-id>"
item_id = "<your-file-item-id>"
url = f"https://graph.microsoft.com/v1.0/sites/{site_id}/drive/items/{item_id}/content"

# Make the API request to retrieve the file content
headers = {"Authorization": "Bearer <your-access-token>"}
response = requests.get(url, headers=headers)
response.raise_for_status()  # stop on 401/403/404 instead of hashing an error body

# Calculate the SHA256 hash of the file content
file_content = response.content
hash_sha256 = hashlib.sha256(file_content).hexdigest()

# Print the hash
print("SHA256 Hash:", hash_sha256)

In the example above, make sure to replace <your-site-id>, <your-file-item-id>, and <your-access-token> with the actual values specific to your SharePoint site, file, and access token respectively.

Please note that generating the hash of a large file may require appropriate handling to avoid memory or performance issues. Additionally, ensure that you have the necessary permissions and access rights to the SharePoint or OneDrive site and file you want to retrieve the hash from.

For more details on the Microsoft Graph API and working with files in SharePoint and OneDrive, you can refer to the official Microsoft Graph documentation: https://docs.microsoft.com/en-us/graph/overview
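As an added, runnable example (not part of the reply above and not a Microsoft sample), here is the four-step procedure from the reply carried through in Python, with the large-file caveat handled by streaming the download into hashlib one chunk at a time rather than holding the whole file in memory. The tenant, client, site and item ids are placeholders; `FakeGraphSession`, `_FakeResponse` and the 3 MiB sample file are constructed stand-ins so the script runs offline, and in a real run you pass a `requests.Session()` in their place.

```python
import hashlib
import json
from typing import Iterable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"
CHUNK = 1024 * 1024  # 1 MiB per read: memory stays flat however large the file is


def get_app_token(session, tenant_id: str, client_id: str, client_secret: str) -> str:
    """Step 2: OAuth2 client-credentials flow against Entra ID (Azure AD).
    `session` is a requests.Session (or any object with the same .post/.get API).
    The app registration from step 1 needs an application permission such as
    Sites.Selected or Sites.Read.All with admin consent; keep the secret in a vault,
    not in source, and prefer a certificate credential where you can."""
    resp = session.post(
        f"{LOGIN}/{tenant_id}/oauth2/v2.0/token",
        data={
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
            "grant_type": "client_credentials",
        },
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()["access_token"]


def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    """Step 4, incrementally: hash each chunk as it arrives instead of buffering the file."""
    digest = hashlib.sha256()
    for chunk in chunks:
        if chunk:  # requests' iter_content may yield empty keep-alive chunks
            digest.update(chunk)
    return digest.hexdigest()


def sha256_whole(data: bytes) -> str:
    """Reference one-shot hash, used to show the streamed result matches."""
    return hashlib.sha256(data).hexdigest()


def iter_item_content(session, token: str, site_id: str, item_id: str) -> Iterator[bytes]:
    """Step 3: stream GET /sites/{site-id}/drive/items/{item-id}/content."""
    url = f"{GRAPH}/sites/{site_id}/drive/items/{item_id}/content"
    with session.get(url, headers={"Authorization": f"Bearer {token}"},
                     stream=True, timeout=120) as resp:
        resp.raise_for_status()  # a 401/403/404 fails here instead of hashing an error body
        yield from resp.iter_content(chunk_size=CHUNK)


def hash_drive_item(session, token: str, site_id: str, item_id: str) -> str:
    """Steps 3 and 4 together: download in chunks and return the hex SHA-256."""
    return sha256_of_chunks(iter_item_content(session, token, site_id, item_id))


# --- Offline stand-ins, constructed for this example; a real run uses requests.Session() ---

class _FakeResponse:
    def __init__(self, status: int, body: bytes):
        self.status_code, self._body = status, body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def raise_for_status(self):
        if self.status_code >= 400:  # requests raises HTTPError at this point
            raise RuntimeError(f"HTTP {self.status_code}")
    def json(self):
        return json.loads(self._body)
    def iter_content(self, chunk_size: int):
        for i in range(0, len(self._body), chunk_size):
            yield self._body[i:i + chunk_size]


class FakeGraphSession:
    """Serves one constructed file under one item id and answers 404 for any other."""
    def __init__(self, item_id: str, content: bytes):
        self.item_id, self.content = item_id, content
        self.calls = []  # (url, headers) of every GET, so a test can see what was sent
    def post(self, url, data=None, timeout=None):
        return _FakeResponse(200, b'{"access_token": "fake-token"}')
    def get(self, url, headers=None, stream=False, timeout=None):
        self.calls.append((url, headers))
        if url.endswith(f"/items/{self.item_id}/content"):
            return _FakeResponse(200, self.content)
        return _FakeResponse(404, b'{"error": {"code": "itemNotFound"}}')


# Constructed sample: a 3 MiB blob behind a ZIP header (what an .xlsx starts with),
# large enough that the download really goes through several chunks.
SAMPLE_ITEM_ID = "demo-item-id"
SAMPLE_CONTENT = b"PK\x03\x04" + b"A" * (3 * CHUNK)

if __name__ == "__main__":
    session = FakeGraphSession(SAMPLE_ITEM_ID, SAMPLE_CONTENT)
    token = get_app_token(session, "<tenant-id>", "<client-id>", "<client-secret>")
    print("SHA256 Hash:", hash_drive_item(session, token, "<site-id>", SAMPLE_ITEM_ID))
```

The streamed digest is byte-for-byte the same as hashing the whole file at once, which is the point of `sha256_of_chunks`: a multi-gigabyte download never has to fit in memory. Graph also returns a `file.hashes` object in the driveItem metadata, but for SharePoint Online and OneDrive for Business that is typically only `quickXorHash`, so computing SHA-256 from the downloaded bytes yourself is the dependable route.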