Data exfiltration to unsanctioned app

Contributor

Hi,

We got an alert that someone uploaded some files to Google Drive. The alert only tells me how much data was uploaded, but is there any way to find out exactly what was uploaded? I mean file names etc.

Thanks.

Gabor

4 Replies

@gabormicskei I have the exact same question. Did you ever get this answered?

@DCoombe460

I used an advanced hunting query in the Security Center:

// "DeviceName" and the two dates are placeholders: put the device from the alert and the time window you want
DeviceFileEvents
| where DeviceName contains "DeviceName"
    and Timestamp between (datetime(2020-01-01) .. datetime(2020-01-01))
    and FolderPath contains "google"

This worked for me.

Thanks @gabormicskei. That's exactly what I'm looking for.

Hello @gabormicskei
I get the same alerts regarding Twilio.
There are not too many alerts generated, so I have modified your query to DeviceFileEvents | where FolderPath contains "Twilio", but I cannot find the end user who triggered the alert.
Are there any similar queries I can use?
Balys
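As an added example (not a query posted in this thread), the following advanced hunting query extends the DeviceFileEvents approach above so that it answers both questions at once: which files were written into the sync client's folder, and which account and process wrote them. It uses the standard Microsoft 365 Defender DeviceFileEvents columns (InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, ActionType, FileName, SHA256); the device name, folder name and lookback window are placeholders you replace with the values from your alert.

```kql
// Added example, not from the thread. Assumes the standard Defender
// DeviceFileEvents schema. The three values below are placeholders.
let lookback     = 7d;                   // placeholder: time window around the alert
let targetDevice = "DEVICE-NAME-HERE";   // placeholder: DeviceName from the alert
let appFolder    = "Google Drive";       // placeholder: use "Twilio" for that app's client
DeviceFileEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ targetDevice
| where FolderPath has appFolder
// only events that actually put content into the folder
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// the account that ran the writing process is the user you are looking for
| extend User = strcat(InitiatingProcessAccountDomain, @"\", InitiatingProcessAccountName)
| summarize FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            FileCount  = dcount(FileName),
            Files      = make_set(FileName, 100),
            Hashes     = make_set(SHA256, 100),
            Processes  = make_set(InitiatingProcessFileName, 10)
  by DeviceName, User
| sort by FileCount desc
```

One row per device and user comes back, with the file names and SHA256 hashes collected in the Files and Hashes columns, so the user who triggered the alert is the one with matching activity in the window. The caveat is that this only sees files written to a local sync folder by a desktop client; an upload done through the browser does not create a file event in that folder, and for that case DeviceNetworkEvents (filtered on RemoteUrl and keyed on the same InitiatingProcessAccountName column) shows the connecting account but not the file names.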