How do I investigate data exfiltration alerts?


Hi all,


I regularly get alerts in Microsoft Defender (not Sentinel) for data exfiltration to an app that has not been sanctioned.


In the alert I get a date, the local IP address, the place the data ended up (e.g., AWS, Azure Blob Storage, etc.), and the username. The most recent alert was for data exfiltration to Facebook. The end user said she was hungover, Instagram surfing on her mobile phone, which doesn't explain the activity being on her laptop.


Previously, it seems that long Teams calls may have been the culprit (if the end user is to be believed!).


However, I would like to know WHAT was uploaded, WHERE from, HOW it was uploaded (e.g., using Teams, OneDrive, etc.) and HOW MUCH data was uploaded. 


Does anyone have any ideas on the best way to do this?


I am looking at a KQL query that maybe ties together DeviceNetworkEvents and DeviceEvents. Does that sound right? 

I tried looking at the device timeline for the end user’s laptop and I can find the RemoteIP but I can’t clearly see what the upload activity was. 


Or would I be better using the Cloud Apps search queries? 

2 Replies

@GI472 Take a look at this link, the second comment. The commenter used a hunting query to audit the exfiltration: Data exfiltration to unsanctioned app - Microsoft Community Hub


I'm going to give it a shot myself! 

Hi @dchevalier,

I tried the query and no joy. I don’t think it’s a file or files triggering it, I think it might just be a lot of data when scrolling or just browsing.

The activity log under MCAS was no use either.
I know there is the Zeek integration in the CloudAppEvents table so now I’m thinking I can try and parse/extend the RawEventData or ActivityObject columns to search.
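Added example, written for this thread and not taken from any of the posts above or from Microsoft's documentation: a KQL advanced-hunting query that approaches the "how much, from which process, to where" question the original post raises and the last reply gestures at, by reading the Defender for Endpoint network-inspection events (the Zeek-based integration, which lands in DeviceNetworkEvents rather than CloudAppEvents) and summing byte counts per initiating process and destination. The device name, account, time window and destination domains are placeholders to replace with the values from the alert; the keys pulled out of AdditionalFields (orig_bytes, resp_bytes, service) follow Zeek's conn.log naming and are an assumption to verify against the events in your own tenant before trusting the numbers.

```kusto
// Added example for this thread, not code from the posts above.
// Placeholders (assumptions): swap in the device, account, window and
// destinations from the Defender for Cloud Apps alert you are working.
let alertDevice  = "LAPTOP-EXAMPLE";                 // DeviceName from the alert
let alertAccount = "jdoe";                           // username from the alert
let windowStart  = datetime(2024-05-01 00:00:00);    // alert date, start of day
let windowEnd    = datetime(2024-05-02 00:00:00);    // alert date, end of day
let destinations = dynamic(["facebook.com", "fbcdn.net"]); // unsanctioned app's domains
DeviceNetworkEvents
| where Timestamp between (windowStart .. windowEnd)
| where DeviceName startswith alertDevice
// "ConnectionInspected" is the ActionType the Zeek-based network inspection
// uses; plain "ConnectionSuccess" rows carry no byte counts at all.
| where ActionType == "ConnectionInspected"
| extend af = parse_json(AdditionalFields)
// Assumption: these keys mirror Zeek's conn.log field names. orig_bytes is
// what the endpoint sent (the upload side), resp_bytes what it received.
| extend UploadedBytes   = tolong(af.orig_bytes),
         DownloadedBytes = tolong(af.resp_bytes),
         Service         = tostring(af.service)
| where isnotempty(UploadedBytes)
| where RemoteUrl has_any (destinations)
// Process attribution can be empty when the sensor cannot tie the flow to a
// process; keep those rows rather than silently dropping bytes.
| extend Process = iif(isempty(InitiatingProcessFileName), "<unattributed>", InitiatingProcessFileName)
| where isempty(InitiatingProcessAccountName) or InitiatingProcessAccountName =~ alertAccount
| summarize UploadedMB   = round(sum(UploadedBytes)   / 1048576.0, 2),
            DownloadedMB = round(sum(DownloadedBytes) / 1048576.0, 2),
            Connections  = count(),
            FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp),
            Services     = make_set(Service)
  by DeviceName, Process, RemoteUrl, RemoteIP
| order by UploadedMB desc
```

Reading the result: a large UploadedMB figure attributed to a browser process against a fixed RemoteUrl is a real upload worth chasing in DeviceFileEvents for that process and window; a long-lived connection with high DownloadedMB and low UploadedMB is consistent with the "scrolling and browsing" explanation in the reply above, which is exactly the distinction the Cloud Discovery alert on its own does not make.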