Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

How do I investigate data exfiltration alerts?

Brass Contributor

Hi all,


I regularly get alerts in Microsoft Defender (not Sentinel) for data exfiltration to an app that has not been sanctioned.


In the alert get a date, the local IP address, the place the data ended up (as in AWS, or Azure Blob Storage etc), and the username. The most recent alert was for data exfiltration to Facebook. The end user said she was hungover Instagram surfing on her mobile phone, which doesn’t explain the activity being on her laptop.


Previously, it seems that long Teams calls may have been the culprit (if the end user is to be believed!).


However, I would like to know WHAT was uploaded, WHERE from, HOW it was uploaded (e.g., using Teams, OneDrive, etc.) and HOW MUCH data was uploaded. 


Does anyone have any ideas on the best way to do this?


I am looking at a KQL query that maybe ties together DeviceNetworkEvents and DeviceEvents. Does that sound right? 

I tried looking at the device timeline for the end user’s laptop and I can find the RemoteIP but I can’t clearly see what the upload activity was. 


Or would I be better using the Cloud Apps search queries? 

2 Replies

@GI472 Take a look at this link, the second comment. The commenter used hunting query to audit the exfiltration. Data exfiltration to unsanctioned app - Microsoft Community Hub


I'm going to give it a shot myself! 

Hi @dchevalier,

I tried the query and no joy. I don’t think it’s a file or files triggering it, I think it might just be a lot of data when scrolling or just browsing.

The activity log under MCAS was no use either.
I know there is the Zeek integration in the CloudAppEvents table so now I’m thinking I can try and parse/extend the RawEventData or ActivityObject columns to search.