Query Details

Insider Threat Monitor Sensitive Bulk Download Data Email To External

Query

// Insider Threat - Monitor sensitive bulk download data email to external 
// https://www.linkedin.com/posts/activity-7193119880718520320-RO72/

// This scheduled (hourly) Sentinel analytic rule is particularly useful for detecting O365/Azure/Entra admins who perform a bulk download of user/group/device information from the portal and then send that export to an external recipient by email.

// Step 1: collect the filenames of completed bulk exports recorded in the Entra audit log over the last 90 days.
let BulkDataFileNames =
AuditLogs
| where TimeGenerated > ago(90d)
// Exact operation names of the "finished" events, which are the ones that carry the export filename. Add further "... - finished (bulk)" operations here as needed.
// (The original fourth clause, OperationName == "started (bulk)", could never match a full operation name and has been dropped.)
| where OperationName in ("Download group members - finished (bulk)", "Download devices - finished (bulk)", "Download service principals - finished (bulk)")
| where ResultDescription contains "Filename"
| parse ResultDescription with * "Filename:" Filename ". Activity" Blank
| project Filename = trim(" ", Filename); // has_any() below needs a single-column table; trim the space that follows "Filename:"
// Step 2: attachments seen in the last hour (the rule's schedule interval) whose name matches an export and that went to a non-corporate recipient.
EmailAttachmentInfo
| where TimeGenerated > ago(1h)
| where FileName has_any (BulkDataFileNames)
| where RecipientEmailAddress !endswith "@contoso.com" // Corporate domain. Suffix match rather than !contains: a lookalike such as user@contoso.com.example contains the domain and would otherwise be excluded.

Explanation

This query is designed to detect potential insider threats by monitoring for sensitive bulk data downloads followed by email transmission to external addresses. Here's a simplified breakdown:

  1. Identify Bulk Downloads:

    • The query first looks at Entra ID audit logs (AuditLogs) from the past 90 days.
    • It filters for the specific "finished (bulk)" operations that indicate a completed bulk download of group members, devices, or service principals.
    • It extracts the export filename from the ResultDescription field of each such event.
  2. Monitor Email Attachments:

    • It then checks email attachment logs (EmailAttachmentInfo) from the past hour, matching the rule's hourly schedule.
    • It looks for any email attachment whose name matches one of the filenames identified in the bulk downloads.
    • It drops recipients in the corporate domain (e.g., "contoso.com") so that only emails sent to external addresses remain.

In essence, this query helps detect whether an admin has downloaded a large amount of sensitive directory data and then sent that data to an external email address, which could indicate a potential insider threat. The attachment name is the only link between the two events, so treat a hit as a lead rather than proof: confirm that the SenderFromAddress on the EmailAttachmentInfo row is the same account that ran the export (InitiatedBy.user.userPrincipalName in AuditLogs) before escalating.
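To check the two steps above offline, here is an added Python re-implementation of the rule's matching logic run over constructed sample AuditLogs and EmailAttachmentInfo rows. It is example code written for this page, not part of the original rule or of Sentinel: the corporate domain contoso.com, the fixed "current time", the export filenames, the lookalike recipient domain contoso.com.mail-drop.example and every row are assumptions made up for the demonstration. It also contrasts the page's substring test on the recipient (!contains "contoso.com") with a suffix match, since a recipient at a lookalike domain contains the corporate domain and is silently dropped by the substring check.

```python
"""Offline re-implementation of the rule's logic (example code, not Sentinel/KQL),
run over constructed sample rows so the matching and the domain check can be tested."""
import re
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "contoso.com"          # assumption: the tenant's primary mail domain
NOW = datetime(2024, 8, 2, 10, 0)         # fixed "current time" so the sample is deterministic

# Constructed sample AuditLogs rows (not real tenant data). ResultDescription follows the
# "Filename: <name>. Activity ..." shape that the rule's parse statement expects.
AUDIT_LOGS = [
    {"TimeGenerated": NOW - timedelta(hours=25),
     "OperationName": "Download group members - finished (bulk)",
     "ResultDescription": "Filename: groupMembers_2024-8-1.csv. Activity completed successfully",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}}},
    {"TimeGenerated": NOW - timedelta(hours=25),
     "OperationName": "Download devices - finished (bulk)",
     "ResultDescription": "Filename: devices_2024-8-1.csv. Activity completed successfully",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}}},
    # "started" event carries no filename and is not a "finished (bulk)" operation: skipped
    {"TimeGenerated": NOW - timedelta(hours=25, minutes=1),
     "OperationName": "Download devices - started (bulk)",
     "ResultDescription": "Bulk download started",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}}},
    # completed export older than the 90-day lookback: skipped
    {"TimeGenerated": NOW - timedelta(days=120),
     "OperationName": "Download service principals - finished (bulk)",
     "ResultDescription": "Filename: servicePrincipals_2024-4-1.csv. Activity completed successfully",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}}},
]

# Constructed sample EmailAttachmentInfo rows, one per attachment per recipient.
EMAIL_ATTACHMENT_INFO = [
    {"TimeGenerated": NOW - timedelta(minutes=10), "NetworkMessageId": "m1",
     "FileName": "groupMembers_2024-8-1.csv", "RecipientEmailAddress": "bob@contoso.com"},
    {"TimeGenerated": NOW - timedelta(minutes=12), "NetworkMessageId": "m2",
     "FileName": "groupMembers_2024-8-1.csv", "RecipientEmailAddress": "someone@gmail.example"},
    # lookalike domain: contains "contoso.com" but is not the corporate domain
    {"TimeGenerated": NOW - timedelta(minutes=15), "NetworkMessageId": "m3",
     "FileName": "devices_2024-8-1.csv", "RecipientEmailAddress": "admin@contoso.com.mail-drop.example"},
    {"TimeGenerated": NOW - timedelta(minutes=20), "NetworkMessageId": "m4",
     "FileName": "quarterly_report.pdf", "RecipientEmailAddress": "partner@example.net"},
    # matching file, external recipient, but older than the one-hour window: skipped
    {"TimeGenerated": NOW - timedelta(hours=3), "NetworkMessageId": "m5",
     "FileName": "devices_2024-8-1.csv", "RecipientEmailAddress": "x@example.org"},
]

# Mirrors: parse ResultDescription with * "Filename:" Filename ". Activity" Blank
FILENAME_RE = re.compile(r"Filename:\s*(.+?)\. Activity")
# Mirrors the "... - finished (bulk)" operation names the rule filters on
FINISHED_BULK = re.compile(r" - finished \(bulk\)$")


def bulk_download_filenames(audit_rows, now=NOW, lookback=timedelta(days=90)):
    """Step 1: filenames of completed bulk exports inside the lookback window (BulkDataFileNames)."""
    names = set()
    for row in audit_rows:
        if row["TimeGenerated"] <= now - lookback:
            continue
        if not FINISHED_BULK.search(row["OperationName"]):
            continue
        match = FILENAME_RE.search(row["ResultDescription"])
        if match:
            # KQL has_any is case-insensitive; normalise the same way here
            names.add(match.group(1).strip().lower())
    return names


def internal_by_suffix(addr, domain=CORPORATE_DOMAIN):
    """Recipient is internal only if the mailbox domain is exactly the corporate domain."""
    return addr.lower().endswith("@" + domain.lower())


def internal_by_substring(addr, domain=CORPORATE_DOMAIN):
    """The page's original test (RecipientEmailAddress contains "contoso.com"), kept to show its gap."""
    return domain.lower() in addr.lower()


def detect(audit_rows, email_rows, now=NOW, window=timedelta(hours=1), is_internal=internal_by_suffix):
    """Step 2: attachments in the last hour whose name matches an export, sent to a non-internal recipient."""
    exports = bulk_download_filenames(audit_rows, now)
    alerts = []
    for row in email_rows:
        if row["TimeGenerated"] <= now - window:
            continue
        if row["FileName"].lower() not in exports:
            continue
        if is_internal(row["RecipientEmailAddress"]):
            continue
        alerts.append((row["NetworkMessageId"], row["FileName"], row["RecipientEmailAddress"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOGS, EMAIL_ATTACHMENT_INFO):
        print("ALERT", *alert)
    # With the substring test the lookalike recipient (m3) is wrongly treated as internal:
    for alert in detect(AUDIT_LOGS, EMAIL_ATTACHMENT_INFO, is_internal=internal_by_substring):
        print("ALERT (substring domain check)", *alert)
```

With the suffix check the sample yields alerts for m2 and m3; with the substring check only m2 survives, because m3's recipient contains "contoso.com". The same distinction applies in the KQL rule itself (!endswith "@contoso.com" versus !contains "contoso.com").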

Details


Steven Lim

Released: August 2, 2024

Tables

AuditLogs, EmailAttachmentInfo

Keywords

Insider Threat, Monitor, Sensitive, Bulk Download, Data, Email, External, Sentinel, Analytic Rule, O365, Azure, Entra, Admins, Bulk Download, Users, Groups, Devices, Information, Portal, Email

Operators

let, |, >, ago, ==, or, contains, extend, tostring, parse, with, project, has_any, !contains
