Data exfiltration to unsanctioned app


Hi,

We got an alert that someone uploaded some files to gdrive, and the alert only tells me the amount of data that has been uploaded. Is there any way to know what exactly he uploaded? I mean file names etc.

Thanks.

Gabor


@gabormicskei I have the exact same question. Did you ever get this answered?

@DCoombe460

I used an advanced hunting query in the security center:

DeviceFileEvents
| where DeviceName contains "DeviceName"                                       // placeholder: the affected device
    and Timestamp between (datetime(2020-01-01) .. datetime(2020-01-01))      // placeholder: the alert time window
    and FolderPath contains "google"                                           // files written under a Google Drive path

This worked for me.
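A longer version of that hunt, added here as an example and not part of gabormicskei's reply. It assumes that the synced content lands under a "Google Drive" or "My Drive" path or is written by the Drive desktop client (GoogleDriveFS.exe / googledrivesync.exe), and that the device name and time window are placeholders to be replaced; it lists each file with its size, hash, process and account, and keeps a running byte total so the sum can be compared with the volume the alert reported.

```kql
// Added example (not the original poster's query): per-file detail for content
// that reached a Google Drive sync folder on one device during the alert window.
let suspectDevice = "DeviceName";         // assumption: replace with the real host name
let windowStart   = datetime(2020-01-01); // assumption: start of the alert window
let windowEnd     = datetime(2020-01-02); // assumption: end of the alert window
DeviceFileEvents
| where Timestamp between (windowStart .. windowEnd)
| where DeviceName contains suspectDevice
// only events that put bytes into the folder; deletions say nothing about uploads
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// assumption: Drive for desktop / Backup and Sync use these paths and processes
| where FolderPath has_any ("Google Drive", "My Drive")
     or InitiatingProcessFileName in~ ("GoogleDriveFS.exe", "googledrivesync.exe")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, FileSize, SHA256,
          InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp asc
// running total of bytes written, to compare against the amount in the alert
| serialize
| extend RunningBytes = row_cumsum(FileSize)
```

The SHA256 column lets you pivot to the same file on other devices, and InitiatingProcessAccountName shows which account placed it in the sync folder.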
 
Thanks @gabormicskei. That's exactly what I'm looking for.