Insider Threat Monitor Sensitive Bulk Download Data Email To External
Query
// Insider Threat - Monitor sensitive bulk download data email to external
// https://www.linkedin.com/posts/activity-7193119880718520320-RO72/
// This scheduled hourly Sentinel analytic rule is particular useful in detecting O365/Azure/Entra admins performing bulk download of users/groups/devices information from portal and sending that piece of information out to external via email.
let BulkDataFileNames =
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Download group members - finished (bulk)" or OperationName == "Download devices - finished (bulk)" or OperationName == "Download service principals - finished (bulk)" or OperationName == "started (bulk)"
| where ResultDescription contains "Filename"
| extend AccountUPN = tostring(InitiatedBy.user.userPrincipalName)
| parse ResultDescription with * "Filename:" Filename ". Activity" Blank
| project Filename;
EmailAttachmentInfo
| where TimeGenerated > ago(1h)
| where FileName has_any(BulkDataFileNames)
| where RecipientEmailAddress !contains "contoso.com" // Corporate Domain
// MITRE ATT&CK Mapping
// Based on the operations and data involved, the following MITRE ATT&CK techniques are relevant:
// Data from Information Repositories (T1213):
// The query identifies bulk downloads of group members, devices, and service principals, which aligns with adversaries accessing data from information repositories1.
// Exfiltration Over Web Service (T1567):
// The query checks for email attachments sent outside the corporate domain, indicating potential data exfiltration via email2.
// Automated Collection (T1119):
// The use of automated scripts to download bulk data suggests automated collection techniques3.Explanation
This query is designed to detect potential insider threats by monitoring for suspicious activity involving the bulk download of sensitive data by administrators and the subsequent emailing of this data to external recipients. Here's a simplified breakdown:
-
Purpose: The query is part of a scheduled hourly Sentinel analytic rule that helps identify when administrators in O365/Azure/Entra environments download large amounts of user, group, or device information and then send this data outside the organization via email.
-
Process:
- It first looks at audit logs from the past 90 days to find instances where bulk downloads of group members, devices, or service principals were completed.
- It extracts the filenames associated with these downloads.
- Then, it checks email logs from the past hour to see if any of these filenames appear as attachments in emails sent to addresses outside the corporate domain (excluding emails sent to "contoso.com").
-
Security Implications:
- Data from Information Repositories (T1213): The query identifies bulk downloads, which could indicate unauthorized access to sensitive data repositories.
- Exfiltration Over Web Service (T1567): By checking for emails sent outside the organization, the query helps detect potential data exfiltration attempts.
- Automated Collection (T1119): The nature of bulk downloads suggests the use of automated tools or scripts, which is a common technique for collecting large amounts of data quickly.
Overall, this query is a proactive measure to detect and prevent potential data breaches by insiders who might misuse their administrative privileges.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators