Non-Interactive Auth Followed by Bulk Data Download
14 NI Auth Bulk Data Download
Query
let SilentAuthUsers =
AADNonInteractiveUserSignInLogs
| invoke ExcludeAllowlistedIPs_AADNI()
| where TimeGenerated > ago(2h)
| where ResultType == 0
| summarize SilentSignIns = count(), LastNI = max(TimeGenerated)
by UserPrincipalName;
OfficeActivity
| where TimeGenerated > ago(2h)
| where Operation in (
"FileDownloaded", "FileSyncDownloadedFull",
"SearchQueryPerformed", "FileAccessed"
)
// Suppress activity from trusted/allowlisted IPs. The download ClientIP must be
// checked too - filtering only the silent-auth IP still lets downloads from an
// allowlisted IP trigger the rule.
| extend IPAddress = ClientIP
| invoke ExcludeAllowlistedIPs_AADNI()
| summarize
OpCount = count(),
FileCount = dcount(SourceFileName),
Operations = make_set(Operation),
ClientIP = tostring(make_set(ClientIP)[0])
by UserId
| where OpCount > 50
| join kind=inner SilentAuthUsers on $left.UserId == $right.UserPrincipalName
| project
UserPrincipalName = UserId,
OperationCount = OpCount,
UniqueFiles = FileCount,
Operations,
SilentSignIns,
ClientIP
| order by OperationCount descExplanation
This query is designed to detect potential data exfiltration activities in Microsoft environments, specifically focusing on SharePoint and OneDrive. Here's a simple breakdown of what it does:
-
Purpose: The query identifies when a user refreshes an OAuth token without user interaction (silent authentication) and subsequently performs a large number of file downloads or access operations. This pattern can indicate that an application with persistent access is being used to exfiltrate data.
-
Data Sources: It uses logs from Azure Active Directory (AAD) for non-interactive user sign-ins and Office 365 activity logs to track file operations.
-
Detection Logic:
- It first identifies users who have performed silent authentications within the last two hours.
- It then checks for users who have performed more than 50 file operations (downloads, syncs, searches, or accesses) in SharePoint or OneDrive within the same timeframe.
- The query excludes activities from trusted IP addresses to reduce false positives.
- It correlates the two datasets to find users who match both criteria.
-
Alerting:
- If such activity is detected, an alert is generated with details about the user, the number of operations, and the unique files involved.
- The alert is classified as high severity due to the potential risk of data exfiltration.
-
Configuration:
- The query runs every hour and looks back over the past two hours.
- It creates incidents for detected activities, grouping them by user account for better incident management.
-
MITRE ATT&CK Framework: The query maps to specific techniques related to data exfiltration and collection, namely T1048 (Exfiltration Over Alternative Protocol) and T1213 (Data from Information Repositories).
Overall, this query is part of a threat-hunting effort to proactively identify and mitigate risks associated with unauthorized data access and exfiltration in cloud environments.
Details

David Alonso
Released: June 12, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT2H