Query Details

14 NI Auth Bulk Data Download

Query

id: b9c5d7e8-f3a4-6b0c-1d2e-3f4a5b6c7d8e
name: Non-Interactive Auth Followed by Bulk Data Download
description: |
  Community rule by David Alonso (https://github.com/davidalonsod/Dalonso-Security-Repo). Licensed under The Unlicense.

  Detects when a user silently refreshes an OAuth token and then performs bulk file
  downloads or access operations in SharePoint/OneDrive within the same period.
  This correlation identifies data exfiltration via applications that obtained persistent
  access through non-interactive authentication flows.
  MITRE ATT&CK: T1048 (Exfiltration Over Alternative Protocol), T1213 (Data from Information Repositories)
severity: High
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AADNonInteractiveUserSignInLogs
- connectorId: Office365
  dataTypes:
  - OfficeActivity
queryFrequency: PT1H
queryPeriod: PT2H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Exfiltration
- Collection
relevantTechniques:
- T1048
- T1213
query: |
  let SilentAuthUsers =
      AADNonInteractiveUserSignInLogs
      | invoke ExcludeAllowlistedIPs_AADNI()
      | where TimeGenerated > ago(2h)
      | where ResultType == 0
      | summarize SilentSignIns = count(), LastNI = max(TimeGenerated)
        by UserPrincipalName;
  OfficeActivity
  | where TimeGenerated > ago(2h)
  | where Operation in (
      "FileDownloaded", "FileSyncDownloadedFull",
      "SearchQueryPerformed", "FileAccessed"
    )
  // Suppress activity from trusted/allowlisted IPs. The download ClientIP must be
  // checked too - filtering only the silent-auth IP still lets downloads from an
  // allowlisted IP trigger the rule.
  | extend IPAddress = ClientIP
  | invoke ExcludeAllowlistedIPs_AADNI()
  | summarize
      OpCount    = count(),
      FileCount  = dcount(SourceFileName),
      Operations = make_set(Operation),
      ClientIP   = tostring(make_set(ClientIP)[0])
    by UserId
  | where OpCount > 50
  | join kind=inner SilentAuthUsers on $left.UserId == $right.UserPrincipalName
  | project
      UserPrincipalName = UserId,
      OperationCount    = OpCount,
      UniqueFiles       = FileCount,
      Operations,
      SilentSignIns,
      ClientIP
  | order by OperationCount desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserPrincipalName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
alertDetailsOverride:
  alertDisplayNameFormat: 'Data Exfiltration Risk - {{UserPrincipalName}} downloaded {{UniqueFiles}} files after silent auth'
  alertDescriptionFormat: 'User {{UserPrincipalName}} performed {{OperationCount}} file operations ({{UniqueFiles}} unique files) in SharePoint/OneDrive after a silent auth. Possible data exfiltration.'
customDetails:
  OperationCount: OperationCount
  UniqueFiles: UniqueFiles
  SilentSignIns: SilentSignIns
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Community
- David Alonso
- Threat Hunting

Explanation

This query is designed to detect potential data exfiltration activities in Microsoft environments, specifically focusing on SharePoint and OneDrive. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies when a user refreshes an OAuth token without user interaction (silent authentication) and subsequently performs a large number of file downloads or access operations. This pattern can indicate that an application with persistent access is being used to exfiltrate data.

  2. Data Sources: It uses logs from Azure Active Directory (AAD) for non-interactive user sign-ins and Office 365 activity logs to track file operations.

  3. Detection Logic:

    • It first identifies users who have performed silent authentications within the last two hours.
    • It then checks for users who have performed more than 50 file operations (downloads, syncs, searches, or accesses) in SharePoint or OneDrive within the same timeframe.
    • The query excludes activities from trusted IP addresses to reduce false positives.
    • It correlates the two datasets to find users who match both criteria.

  4. Alerting:

    • If such activity is detected, an alert is generated with details about the user, the number of operations, and the unique files involved.
    • The alert is classified as high severity due to the potential risk of data exfiltration.

  5. Configuration:

    • The query runs every hour and looks back over the past two hours.
    • It creates incidents for detected activities, grouping them by user account for better incident management.

  6. MITRE ATT&CK Framework: The query maps to specific techniques related to data exfiltration and collection, namely T1048 (Exfiltration Over Alternative Protocol) and T1213 (Data from Information Repositories).

Overall, this query is part of a threat-hunting effort to proactively identify and mitigate risks associated with unauthorized data access and exfiltration in cloud environments.
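To make the correlation in the query and the detection logic above concrete, here is an added Python model of the rule run over constructed sample rows. It is not part of the rule or the author's repository; the allowlist set stands in for the unshown ExcludeAllowlistedIPs_AADNI() function, and the sign-in and OfficeActivity records are invented. One user silently refreshes and then pulls 51 files from an unlisted IP (alerts); another downloads 60 files from an allowlisted IP (suppressed by the download-side ClientIP check).

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed stand-ins for the rule's inputs; not real tenant data.
ALLOWLISTED_IPS = {"203.0.113.10"}   # what ExcludeAllowlistedIPs_AADNI() would drop (assumed)
WATCHED_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "SearchQueryPerformed", "FileAccessed"}
OP_THRESHOLD, LOOKBACK = 50, timedelta(hours=2)   # OpCount > 50, ago(2h)
NOW = datetime(2026, 6, 12, 12, 0)
T = lambda m: NOW - timedelta(minutes=m)          # m minutes before NOW
# Constructed sample rows: alice silently refreshes, then pulls 51 files from an unlisted IP
# (should alert); bob's 60 downloads come from an allowlisted IP (must be suppressed).
SIGNINS = [
    {"UserPrincipalName": "alice@example.com", "ResultType": 0, "IPAddress": "198.51.100.7", "TimeGenerated": T(90)},
    {"UserPrincipalName": "bob@example.com", "ResultType": 0, "IPAddress": "198.51.100.8", "TimeGenerated": T(60)},
]
EVENTS = [{"UserId": "alice@example.com", "Operation": "FileDownloaded", "SourceFileName": f"doc{i}.docx",
           "ClientIP": "198.51.100.7", "TimeGenerated": T(80 - i)} for i in range(51)] + \
         [{"UserId": "bob@example.com", "Operation": "FileDownloaded", "SourceFileName": f"r{i}.xlsx",
           "ClientIP": "203.0.113.10", "TimeGenerated": T(50 - i % 40)} for i in range(60)]

def silent_auth_users(signins, now=NOW):
    """SilentAuthUsers subquery: successful (ResultType == 0) non-interactive sign-ins in the lookback, per UPN."""
    counts = defaultdict(int)
    for s in signins:
        if s["TimeGenerated"] <= now - LOOKBACK or s["ResultType"] != 0 or s["IPAddress"] in ALLOWLISTED_IPS:
            continue
        counts[s["UserPrincipalName"]] += 1
    return dict(counts)

def bulk_downloads(events, now=NOW):
    """OfficeActivity branch: watched operations per UserId, allowlisted ClientIPs dropped, threshold applied."""
    per_user = defaultdict(lambda: {"OpCount": 0, "Files": set(), "Ops": set(), "ClientIP": None})
    for e in events:
        if (e["TimeGenerated"] <= now - LOOKBACK or e["Operation"] not in WATCHED_OPS
                or e["ClientIP"] in ALLOWLISTED_IPS):   # the download-side IP check the rule's comment calls out
            continue
        u = per_user[e["UserId"]]
        u["OpCount"] += 1
        u["Files"].add(e["SourceFileName"])
        u["Ops"].add(e["Operation"])
        u["ClientIP"] = u["ClientIP"] or e["ClientIP"]   # like make_set(ClientIP)[0]: first IP seen
    return {uid: u for uid, u in per_user.items() if u["OpCount"] > OP_THRESHOLD}

def correlate(signins=SIGNINS, events=EVENTS, now=NOW):
    """Inner join on UserId == UserPrincipalName, projected like the rule, ordered by OperationCount desc."""
    silent = silent_auth_users(signins, now)
    rows = [{"UserPrincipalName": uid, "OperationCount": u["OpCount"], "UniqueFiles": len(u["Files"]),
             "Operations": sorted(u["Ops"]), "SilentSignIns": silent[uid], "ClientIP": u["ClientIP"]}
            for uid, u in bulk_downloads(events, now).items() if uid in silent]
    return sorted(rows, key=lambda r: r["OperationCount"], reverse=True)
```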

Details

David Alonso

Released: June 12, 2026

Tables

AADNonInteractiveUserSignInLogs, OfficeActivity
