Forum Discussion

gabormicskei
Brass Contributor
Jul 17, 2020

Data exfiltration to unsanctioned app

Hi,


We got an alert that someone uploaded some files to gdrive, and the alert only tells me the amount of data that has been uploaded, but is there any way to know exactly what he uploaded? I mean file names etc.

Thanks.

Gabor

    • gabormicskei
      Brass Contributor

      DCoombe460

      I used an advanced hunting query in the Security Center:

      DeviceFileEvents
      | where DeviceName contains "DeviceName"
      and Timestamp between (datetime(2020-01-01) .. datetime(2020-01-01))
      and FolderPath contains "google"

      This worked for me.

      • BalysR
        Copper Contributor
        Hello gabormicskei,
        I get the same alerts regarding Twilio.
        There are not too many alerts generated, so I have modified your query to DeviceFileEvents | where FolderPath contains "Twilio", but I cannot find the end user who triggered the alert.
        Are there any similar queries I can use?
        Balys
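An added advanced hunting query (editor's example, not posted by anyone in this thread) that extends the DeviceFileEvents approach above to answer both questions raised here: which file names were written into the sync folder, and which account did it. The folder keywords, the date range and the 50-file cap are assumptions; adjust them to the alert you are investigating.

```kql
// Added example: file activity under sync folders of unsanctioned apps,
// grouped by the account that owned the writing process.
// "Google Drive" / "Twilio" and the time window are assumed values.
DeviceFileEvents
| where Timestamp between (datetime(2020-07-01) .. datetime(2020-07-17))
| where FolderPath has_any ("Google Drive", "Twilio")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| summarize
    Files = make_set(FileName, 50),          // file names seen (capped at 50)
    Events = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName,
       InitiatingProcessAccountDomain,
       InitiatingProcessAccountName,         // the end user behind the process
       InitiatingProcessFileName             // e.g. the sync client binary
| order by LastSeen desc
```

This only covers uploads made through a local sync client that writes files to disk; a browser upload leaves no DeviceFileEvents rows, so for that case check DeviceNetworkEvents (RemoteUrl and InitiatingProcessAccountName) instead.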
