Feb 25 2024 09:16 PM
Hi all,
I regularly get alerts in Microsoft Defender (not Sentinel) for data exfiltration to an app that has not been sanctioned.
In the alert I get a date, the local IP address, the place the data ended up (as in AWS, or Azure Blob Storage etc), and the username. The most recent alert was for data exfiltration to Facebook. The end user said she was hungover Instagram surfing on her mobile phone, which doesn’t explain the activity being on her laptop.
Previously, it seems that long Teams calls may have been the culprit (if the end user is to be believed!).
However, I would like to know WHAT was uploaded, WHERE from, HOW it was uploaded (e.g., using Teams, OneDrive, etc.) and HOW MUCH data was uploaded.
Does anyone have any ideas on the best way to do this?
I am looking at a KQL query that maybe ties together DeviceNetworkEvents and DeviceEvents. Does that sound right?
I tried looking at the device timeline for the end user’s laptop and I can find the RemoteIP but I can’t clearly see what the upload activity was.
Or would I be better using the Cloud Apps search queries?
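One way to tie DeviceNetworkEvents to DeviceFileEvents for this kind of alert, added here as an example and not a query from the thread or from Microsoft; the alert time, device name, account name and app domains are placeholders to fill from the alert:

```kusto
// Pivot from the alert fields (time, device, user, destination) to the process that
// opened the connection and to the local files that process instance touched just before.
// Everything in the let statements is an assumption; replace with values from the alert.
let AlertTime     = datetime(2024-02-25 21:16:00);            // placeholder: alert time (UTC)
let TargetDevice  = "LAPTOP-PLACEHOLDER";                     // placeholder: DeviceName in the alert
let TargetAccount = "user.placeholder";                       // placeholder: account name in the alert
let AppDomains    = dynamic(["facebook.com", "fbcdn.net"]);   // assumption: domains of the flagged app
let Window        = 1h;
// WHERE / HOW: outbound connections to the app and the process (Teams, OneDrive, browser) behind them
let Conns = DeviceNetworkEvents
    | where Timestamp between ((AlertTime - Window) .. (AlertTime + Window))
    | where DeviceName =~ TargetDevice and InitiatingProcessAccountName =~ TargetAccount
    | where RemoteUrl has_any (AppDomains)
    | project ConnTime = Timestamp, DeviceId, RemoteUrl, RemoteIP,
              Process = InitiatingProcessFileName, CmdLine = InitiatingProcessCommandLine,
              Pid = InitiatingProcessId, PStart = InitiatingProcessCreationTime;
// WHAT: file activity by the same process instance; key on pid AND creation time, since pids are reused
let Files = DeviceFileEvents
    | where Timestamp between ((AlertTime - Window) .. (AlertTime + Window))
    | where DeviceName =~ TargetDevice
    | project FileTime = Timestamp, DeviceId, Pid = InitiatingProcessId,
              PStart = InitiatingProcessCreationTime, FileAction = ActionType,
              FolderPath, FileSize, SensitivityLabel;
Conns
| join kind=leftouter Files on DeviceId, Pid, PStart
// keep connections with no file activity (null FileTime) so the process is still reported
| where isnull(FileTime) or FileTime between ((ConnTime - 10m) .. ConnTime)
| summarize Connections = dcount(ConnTime), FirstConn = min(ConnTime), LastConn = max(ConnTime),
            Destinations = make_set(RemoteUrl, 20),
            // make_set deduplicates, so a file seen before several connections is listed once
            Files = make_set(strcat(FolderPath, " [", FileAction, ", ", FileSize, " bytes]"), 50),
            Labels = make_set(SensitivityLabel, 10)
            by Process, CmdLine, Pid, PStart
| order by FirstConn asc
```

DeviceNetworkEvents carries no byte counts, so the HOW MUCH part comes from the Cloud Discovery traffic data in Defender for Cloud Apps (where the unsanctioned-app alert itself is raised), not from this query. For browser uploads the file list shows what the browser read locally around the connection, not the upload payload, so treat it as a lead rather than proof.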
Feb 27 2024 04:43 AM
@GI472 Take a look at this link, the second comment. The commenter used a hunting query to audit the exfiltration. Data exfiltration to unsanctioned app - Microsoft Community Hub
I'm going to give it a shot myself!
Feb 29 2024 12:14 AM