Query Details

Detect Sensitive And Confidential Files Sent By Email

Query

**Detect sensitive and confidential files sent by Email**

To detect sensitive or confidential information sent by email from our users, I discovered that Defender XDR is registering events when a user or service reads files tagged or marked as sensitive. Basically, it has a "SensitiveFileRead" ActionType in the DeviceFileEvents table, which indicates that a process on the monitored device has accessed a file classified as sensitive. This could include files with personally identifiable information (PII), intellectual property, or other data deemed sensitive based on the organization’s data protection policies or Microsoft’s predefined rules.
This event type is essential for tracking access to sensitive data, helping to identify potential data leakage or unauthorized access attempts.

```kusto
DeviceEvents
| where ActionType has "SensitiveFileRead"
| join kind=inner (EmailAttachmentInfo) on $left.FileName == $right.FileName
// Extend the information to know if the sensitive file was sent to a different domain than the sender
| extend SenderDomain = tostring(split(SenderFromAddress, "@")[1])
| extend RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
| extend SensitiveFileSentTo = iff(SenderDomain == RecipientDomain, "Same Domain", "Different Domain")
| project DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoCompanyName, SenderDisplayName, SenderFromAddress, RecipientEmailAddress, SensitiveFileSentTo, FileSent = FileName1
```

Explanation

This query is designed to detect when sensitive or confidential files are accessed and subsequently sent via email. Here's a simplified breakdown of what the query does:

  1. Identify Sensitive File Access: It starts by looking for events where files marked as sensitive are accessed. This is done by filtering the DeviceFileEvents table for entries with the action type "SensitiveFileRead".

  2. Match with Email Attachments: The query then joins this information with the EmailAttachmentInfo table to find instances where these sensitive files were attached to emails. The join is based on matching file names from both tables.

  3. Determine Email Domain: For each matched event, it checks if the email was sent within the same domain or to a different domain. This is done by comparing the domain part of the sender's and recipient's email addresses.

  4. Output Relevant Information: Finally, it outputs a list of details about the event, including the device name, file name, file path, the process that accessed the file, the sender and recipient of the email, and whether the file was sent within the same domain or to a different one.

This query helps in identifying potential data leaks by tracking when sensitive files are accessed and sent via email, especially to external domains.
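As an added example, not part of the original query, the same detection tightened to cut false positives: it matches the attachment on SHA256 instead of the file name (two unrelated files can share a name), requires the email to be sent within a day after the sensitive read, and keeps only recipients outside the sender's domain. It assumes the SHA256, Timestamp and NetworkMessageId columns that the advanced hunting schema exposes on these two tables.

```kusto
// Added variant of the detection above, not the original author's query.
// Assumes DeviceEvents and EmailAttachmentInfo both expose SHA256 and Timestamp.
let lookback = 7d;   // how far back to hunt
let window   = 1d;   // max delay between the sensitive read and the email
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "SensitiveFileRead"
| where isnotempty(SHA256)
| project ReadTime = Timestamp, DeviceName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessAccountUpn, SHA256
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project SentTime = Timestamp, NetworkMessageId, AttachmentName = FileName,
              SenderFromAddress, RecipientEmailAddress, SHA256
) on SHA256
// Keep only emails sent after the read and within the correlation window
| where SentTime between (ReadTime .. (ReadTime + window))
| extend SenderDomain    = tolower(tostring(split(SenderFromAddress, "@")[1]))
| extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
// External recipients are the higher-risk case; internal sends are dropped here
| where SenderDomain != RecipientDomain
| project ReadTime, SentTime, DeviceName, FileName, AttachmentName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessAccountUpn,
          SenderFromAddress, RecipientEmailAddress, RecipientDomain,
          SHA256, NetworkMessageId
| order by SentTime desc
```

Switch the final `where` back to an `extend` with the original `SensitiveFileSentTo` label if you also want internal sends in the results for baselining.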

Details

Sergio Albea

Released: October 16, 2024

Tables

DeviceEvents, EmailAttachmentInfo

Keywords

DeviceEvents, EmailAttachmentInfo

Operators

DeviceEvents, where, has, join, kind=inner, on, $left, ==, $right, extend, tostring, split, iff, project