Forum Discussion

gabormicskei's avatar
gabormicskei
Brass Contributor
Jul 17, 2020

Data exfiltration to unsanctioned app

Hi,   We got an alert and some uploaded some files to gdrive and the alert only tels me that the amount of data has been uploaded but is there any way to just know what exactly he uploaded? I mean ...
microsoft defender for cloud apps
DCoombe460's avatar
DCoombe460
Copper Contributor
Apr 22, 2021

gabormicskei I have the exact same question. Did you ever get this answered? 

  • gabormicskei's avatar
    gabormicskei
    Brass Contributor
    Apr 22, 2021

    DCoombe460 

    I used advanced hunting query in sec center:

    DeviceFileEvents  | where DeviceName contains "DeviceName" 
    and Timestamp between (datetime(2020-01-01) .. datetime(2020-01-01))
    and FolderPath contains "google"
    This worked for me.
     
    • BalysR's avatar
      BalysR
      Copper Contributor
      Mar 23, 2022
      Hello gabormicskei
      I get the same alerts regarding Twillio.
      There are not too many alerts generated so I have modified your query to DeviceFileEvents | where FolderPath contains "Twilio" but I can not find the end-user who triggered the alert.
      Are they any similar queries I can use?
      Balys
    • DCoombe460's avatar
      DCoombe460
      Copper Contributor
      Apr 23, 2021
      Thanks gabormicskei. That's exactly what I'm looking for.

Resources