Query Details

Non-Interactive Auth Followed by Bulk Data Download

14 NI Auth Bulk Data Download

Query

let SilentAuthUsers =
    AADNonInteractiveUserSignInLogs
    | invoke ExcludeAllowlistedIPs_AADNI()
    | where TimeGenerated > ago(2h)
    | where ResultType == 0
    | summarize SilentSignIns = count(), LastNI = max(TimeGenerated)
      by UserPrincipalName;
OfficeActivity
| where TimeGenerated > ago(2h)
| where Operation in (
    "FileDownloaded", "FileSyncDownloadedFull",
    "SearchQueryPerformed", "FileAccessed"
  )
// Suppress activity from trusted/allowlisted IPs. The download ClientIP must be
// checked too - filtering only the silent-auth IP still lets downloads from an
// allowlisted IP trigger the rule.
| extend IPAddress = ClientIP
| invoke ExcludeAllowlistedIPs_AADNI()
| summarize
    OpCount    = count(),
    FileCount  = dcount(SourceFileName),
    Operations = make_set(Operation),
    ClientIP   = tostring(make_set(ClientIP)[0])
  by UserId
| where OpCount > 50
| join kind=inner SilentAuthUsers on $left.UserId == $right.UserPrincipalName
| project
    UserPrincipalName = UserId,
    OperationCount    = OpCount,
    UniqueFiles       = FileCount,
    Operations,
    SilentSignIns,
    ClientIP
| order by OperationCount desc

Explanation

This query is designed to detect potential data exfiltration activities in Microsoft environments, specifically focusing on SharePoint and OneDrive. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies when a user refreshes an OAuth token without user interaction (silent authentication) and subsequently performs a large number of file downloads or access operations. This pattern can indicate that an application with persistent access is being used to exfiltrate data.

  2. Data Sources: It uses logs from Azure Active Directory (AAD) for non-interactive user sign-ins and Office 365 activity logs to track file operations.

  3. Detection Logic:

    • It first identifies users who have performed silent authentications within the last two hours.
    • It then checks for users who have performed more than 50 file operations (downloads, syncs, searches, or accesses) in SharePoint or OneDrive within the same timeframe.
    • The query excludes activities from trusted IP addresses to reduce false positives.
    • It correlates the two datasets to find users who match both criteria.
  4. Alerting:

    • If such activity is detected, an alert is generated with details about the user, the number of operations, and the unique files involved.
    • The alert is classified as high severity due to the potential risk of data exfiltration.
  5. Configuration:

    • The query runs every hour and looks back over the past two hours.
    • It creates incidents for detected activities, grouping them by user account for better incident management.
  6. MITRE ATT&CK Framework: The query maps to specific techniques related to data exfiltration and collection, namely T1048 (Exfiltration Over Alternative Protocol) and T1213 (Data from Information Repositories).

Overall, this query is part of a threat-hunting effort to proactively identify and mitigate risks associated with unauthorized data access and exfiltration in cloud environments.

Details

David Alonso profile picture

David Alonso

Released: June 12, 2026

Tables

AADNonInteractiveUserSignInLogsOfficeActivity

Keywords

AzureActiveDirectoryAADNonInteractiveUserSignInLogsOffice365OfficeActivityUserSharePointOneDriveFileDownloadedFileSyncDownloadedFullSearchQueryPerformedFileAccessedClientIPUserPrincipalName

Operators

letinvokewheresummarizeinextendjoinonprojectorder bydescagomaxcountdcountmake_settostring

Severity

High

Tactics

ExfiltrationCollection

MITRE Techniques

Frequency: PT1H

Period: PT2H

Actions

GitHub