Forum Discussion
gabormicskei
Jul 17, 2020, Brass Contributor
Data exfiltration to unsanctioned app
Hi,
We got an alert and someone uploaded some files to gdrive, and the alert only tells me the amount of data that has been uploaded, but is there any way to know what exactly he uploaded? I mean like file names etc.
Thanks.
Gabor
- DCoombe460 (Copper Contributor)
gabormicskei I have the exact same question. Did you ever get this answered?
- gabormicskei (Brass Contributor)
I used an advanced hunting query in sec center:

```kusto
DeviceFileEvents
| where DeviceName contains "DeviceName"
    and Timestamp between (datetime(2020-01-01) .. datetime(2020-01-01))
    and FolderPath contains "google"
```

This worked for me.
- BalysR (Copper Contributor)
Hello gabormicskei
I get the same alerts regarding Twilio.
There are not too many alerts generated so I have modified your query to DeviceFileEvents | where FolderPath contains "Twilio" but I cannot find the end-user who triggered the alert.
Are there any similar queries I can use?
Balys
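
An added example, not posted by any participant in this thread: an advanced hunting query that extends the one above to return both the file names and the account behind the file activity, using the standard `DeviceFileEvents` columns `FileName`, `FileSize`, `ActionType` and `InitiatingProcessAccountName`. The device name, folder fragment and time window are placeholders. It assumes the files passed through a local folder whose path contains the app name (for example a sync client folder), because `DeviceFileEvents` records file activity on the device, not the upload itself.

```kusto
// Added example. All four values below are placeholders: take them from the alert.
let device = "DeviceName";                  // device named in the alert
let appFolder = "google";                   // fragment of the app's local folder path
let windowStart = datetime(2020-01-01);     // start of the alert window
let windowEnd = datetime(2020-01-02);       // end of the alert window
DeviceFileEvents
| where Timestamp between (windowStart .. windowEnd)
| where DeviceName contains device
| where FolderPath contains appFolder
// Keep events that place or change a file in the folder; drop deletions.
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// One row per account and process: who touched the folder, and with what.
| summarize
    Files = make_set(FileName, 200),        // file names, capped at 200 per row
    FileCount = dcount(FileName),
    ApproxBytes = sum(FileSize),            // counts a file again on every modification
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName,
       InitiatingProcessAccountDomain,
       InitiatingProcessAccountName,
       InitiatingProcessFileName
| order by ApproxBytes desc
```

Compare `ApproxBytes` and the `FirstSeen`/`LastSeen` range with the volume and time reported in the alert to confirm the rows belong to the same activity. Files uploaded through a browser without being copied into such a folder will not appear in this result.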