Forum Discussion
GI472
Feb 26, 2024 (Brass Contributor)
How do I investigate data exfiltration alerts?
Hi all, I regularly get alerts in Microsoft Defender (not Sentinel) for data exfiltration to an app that has not been sanctioned. In the alert I get a date, the local IP address, the place the ...
dchevalier
Feb 27, 2024 (Copper Contributor)
GI472 Take a look at this link, the second comment. The commenter used a hunting query to audit the exfiltration: Data exfiltration to unsanctioned app - Microsoft Community Hub
I'm going to give it a shot myself!
GI472
Feb 29, 2024 (Brass Contributor)
Hi dchevalier,
I tried the query and no joy. I don’t think it’s a file or files triggering it, I think it might just be a lot of data when scrolling or just browsing.
The activity log under MCAS was no use either.
I know there is the Zeek integration in the CloudAppEvents table so now I’m thinking I can try and parse/extend the RawEventData or ActivityObject columns to search.
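As an added example (not a query posted in this thread and not Microsoft's own), one way to carry out the approach GI472 describes: scope CloudAppEvents to the alert's time window, local IP and application, then enumerate the keys that RawEventData actually carries before extending any of them, so that a volume or size field can be found by inspection rather than guessed. The timestamp, IP address and app name are placeholders to replace with the values from the alert; no key names inside RawEventData are assumed, and the Name/Type properties read from ActivityObjects are an assumption to verify against the data.

```kql
// Added example: investigate a Defender "exfiltration to unsanctioned app" alert in Advanced Hunting.
// Run the two queries one at a time. Placeholders (constructed, replace with the alert's values):
let alertTime = datetime(2024-02-26T10:00:00Z);   // placeholder: the alert's timestamp
let localIp   = "10.0.0.0";                       // placeholder: the local IP shown in the alert
let appName   = "UnsanctionedAppName";            // placeholder: the app named in the alert
// Query 1: which keys does RawEventData carry for this app, and under which ActionType?
// bag_keys() lists the property names of the parsed JSON, so nothing has to be guessed.
CloudAppEvents
| where Timestamp between ((alertTime - 1h) .. (alertTime + 1h))
| where IPAddress == localIp
| where Application =~ appName
| extend Raw = parse_json(RawEventData)
| mv-expand Key = bag_keys(Raw) to typeof(string)
| summarize Events = count() by ActionType, Key
| order by Events desc

// Query 2: once Query 1 has shown which keys exist, list the events themselves with the
// objects they touched. Obj.Name / Obj.Type are an assumption about the ActivityObjects shape.
let alertTime = datetime(2024-02-26T10:00:00Z);   // placeholder
let localIp   = "10.0.0.0";                       // placeholder
let appName   = "UnsanctionedAppName";            // placeholder
CloudAppEvents
| where Timestamp between ((alertTime - 1h) .. (alertTime + 1h))
| where IPAddress == localIp
| where Application =~ appName
| extend Raw = parse_json(RawEventData)
| mv-apply Obj = ActivityObjects on (
    summarize Objects = make_set(strcat(tostring(Obj.Type), ":", tostring(Obj.Name)))
  )
| project Timestamp, AccountDisplayName, ActionType, UserAgent, Objects, Raw
| order by Timestamp asc
```

If Query 1 shows no size or byte-count key at all, that supports the suspicion in the post that the alert is driven by aggregate session volume rather than by individual file operations; in that case the event rows from Query 2, ordered by time, at least show which account and user agent were active against the app in the window the alert covers.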