Query Details

Sensitive Large File Uploads Using Cloud App Events

Query

//Set threshold to alert on uploads above this total size in GB (per account, per destination domain)
let SizeThreshold = 5;
//Set threshold to alert on more than this many uploads (per account, per destination domain)
let CountThreshold = 1000;
//Convert the GB threshold to bytes once so the comparison below stays numeric
let SizeThresholdBytes = tolong(SizeThreshold) * 1024 * 1024 * 1024;
let FileUploads = CloudAppEvents
//| where TimeGenerated > ago(90d)
| where ActionType == "FileUploadedToCloud"
| extend Domain = tostring(RawEventData.TargetDomain)
//| where Domain == "wetransfer.com" //example
| extend DeviceName = tostring(RawEventData.DeviceName)
| extend File = tostring(RawEventData.ObjectId)
//Use tolong: toint cannot hold values above 2^31-1 (about 2 GB), so larger files would drop out of the sum
| extend FileSize_Bytes = tolong(RawEventData.FileSize)
| extend SensitiveInfoTypes = parse_json(tostring(RawEventData.SensitiveInfoTypeData))
| extend Application = tostring(RawEventData.Application)
| extend FileType = tostring(RawEventData.FileType)
| extend Sha256 = tostring(RawEventData.Sha256)
| project TimeGenerated, ActionType, AccountDisplayName, DeviceName, File, FileSize_Bytes, FileType, SensitiveInfoTypes, IPAddress, ISP, CountryCode, Domain, Application, Sha256, AccountId;
//Get account/domain pairs whose uploads exceed the size threshold or the count threshold
FileUploads
| summarize TotalSize_Bytes = sum(FileSize_Bytes), FileUploadCount = count() by AccountDisplayName, AccountId, Domain
//Compare the numeric byte total; a formatted string such as "12.50 GB" cannot be compared as a number
| where TotalSize_Bytes > SizeThresholdBytes or FileUploadCount > CountThreshold
| extend TotalSize = format_bytes(TotalSize_Bytes, 2, "GB")
//Join on AccountId and Domain so each upload row is paired only with the totals for its own destination domain
| join kind=inner FileUploads on AccountId, Domain
| project-away AccountDisplayName1, AccountId1, Domain1

Explanation

This KQL query identifies, and can be used to alert on, accounts that upload an unusually large volume of data to a cloud service. Here is a simplified breakdown of what it does:

  1. Set Thresholds: It defines two thresholds, both evaluated per account and per destination domain:

    • SizeThreshold: 5 GB, for the total size of uploads.
    • CountThreshold: 1000, for the number of file uploads.
  2. Filter Events: It filters CloudAppEvents to the action type "FileUploadedToCloud" and extracts details from the raw event data, such as:

    • Domain of the upload target.
    • Device name.
    • File details including name, size, type, and hash (SHA256).
    • Application used for the upload.
    • Sensitive information types detected in the file, if any.
  3. Project Relevant Data: It keeps the fields needed for triage: time of the event, account details, device and file information, sensitive information types, IP address, ISP, and country code.

  4. Summarize Uploads: It calculates the total size of the uploads and the number of uploads for each account and domain, and formats the total for display.

  5. Filter and Join: It keeps only the account/domain pairs where either condition holds:

    • The total size of uploads exceeds 5 GB.
    • The number of uploads exceeds 1000.
    The surviving totals are then joined back to the individual upload rows, so each output row is one upload with its account's totals alongside it.
  6. Output: It removes the duplicate fields produced by the join and outputs the rows for further analysis or alerting.

Two details matter for correctness. The file size must be converted with tolong() rather than toint(): toint() cannot hold values above 2^31-1 bytes (about 2 GB), so any larger file would silently drop out of the sum. And the size check must compare the numeric byte total against the threshold, not the string returned by format_bytes(); otherwise a total such as "12.50 GB" ends up compared by its first character only. Note also that because totals are grouped by domain, an account that spreads its uploads across several services can stay under the per-domain threshold; remove Domain from the summarize key if you want a per-account total instead.

In essence, this query helps identify users or accounts that are uploading unusually large volumes of data to cloud services, which could be indicative of data exfiltration or misuse.
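To check the threshold logic before pointing it at production data, here is an added example (not from the original page or its author) that runs the same pipeline over a constructed datatable standing in for CloudAppEvents. Every account, domain, IP address, hash, size and timestamp in it is made up; the FileSize_Int32 column exists only to show the 32-bit conversion problem; and CountThreshold is lowered to 3 so that the small sample can trip it.

```kql
// Added example, not part of the original query: a synthetic CloudAppEvents table
// (every account, domain, IP, hash, size and timestamp below is constructed) used to
// exercise the threshold logic before the query is deployed. CountThreshold is
// lowered to 3 so that the small sample can trip it.
let SizeThreshold = 5;
let CountThreshold = 3;
let SizeThresholdBytes = tolong(SizeThreshold) * 1024 * 1024 * 1024;
let SampleEvents = datatable(TimeGenerated:datetime, ActionType:string, AccountDisplayName:string, AccountId:string, IPAddress:string, ISP:string, CountryCode:string, RawEventData:dynamic)
[
    // user1: 3 GB + 2.5 GB to one domain = 5.5 GB. toint() cannot hold the 3 GB value
    // (above 2^31-1), and a first-character compare of "5.50 GB" is 5 > 5, so arithmetic
    // done that way would miss this account; the byte comparison below catches it.
    datetime(2025-05-20T09:00:00Z), "FileUploadedToCloud", "user1", "id-1", "203.0.113.10", "ExampleISP", "GB",
        dynamic({"TargetDomain":"wetransfer.com","DeviceName":"LAPTOP1","ObjectId":"export-part1.zip","FileSize":3221225472,"FileType":"zip","Application":"WeTransfer","Sha256":"00","SensitiveInfoTypeData":[]}),
    datetime(2025-05-20T09:05:00Z), "FileUploadedToCloud", "user1", "id-1", "203.0.113.10", "ExampleISP", "GB",
        dynamic({"TargetDomain":"wetransfer.com","DeviceName":"LAPTOP1","ObjectId":"export-part2.zip","FileSize":2684354560,"FileType":"zip","Application":"WeTransfer","Sha256":"01","SensitiveInfoTypeData":[{"SensitiveInfoTypeName":"Credit Card Number","Count":12}]}),
    // user2: four 10 KB files to one domain, trips only the count threshold.
    datetime(2025-05-20T10:00:00Z), "FileUploadedToCloud", "user2", "id-2", "198.51.100.7", "ExampleISP", "US",
        dynamic({"TargetDomain":"dropbox.com","DeviceName":"LAPTOP2","ObjectId":"notes1.txt","FileSize":10240,"FileType":"txt","Application":"Dropbox","Sha256":"02","SensitiveInfoTypeData":[]}),
    datetime(2025-05-20T10:01:00Z), "FileUploadedToCloud", "user2", "id-2", "198.51.100.7", "ExampleISP", "US",
        dynamic({"TargetDomain":"dropbox.com","DeviceName":"LAPTOP2","ObjectId":"notes2.txt","FileSize":10240,"FileType":"txt","Application":"Dropbox","Sha256":"03","SensitiveInfoTypeData":[]}),
    datetime(2025-05-20T10:02:00Z), "FileUploadedToCloud", "user2", "id-2", "198.51.100.7", "ExampleISP", "US",
        dynamic({"TargetDomain":"dropbox.com","DeviceName":"LAPTOP2","ObjectId":"notes3.txt","FileSize":10240,"FileType":"txt","Application":"Dropbox","Sha256":"04","SensitiveInfoTypeData":[]}),
    datetime(2025-05-20T10:03:00Z), "FileUploadedToCloud", "user2", "id-2", "198.51.100.7", "ExampleISP", "US",
        dynamic({"TargetDomain":"dropbox.com","DeviceName":"LAPTOP2","ObjectId":"notes4.txt","FileSize":10240,"FileType":"txt","Application":"Dropbox","Sha256":"05","SensitiveInfoTypeData":[]}),
    // user3: 4 GB to one domain and 3 GB to another. 7 GB in total, but no single
    // account/domain pair crosses 5 GB, so per-domain grouping leaves this unflagged.
    datetime(2025-05-20T11:00:00Z), "FileUploadedToCloud", "user3", "id-3", "192.0.2.44", "ExampleISP", "DE",
        dynamic({"TargetDomain":"wetransfer.com","DeviceName":"LAPTOP3","ObjectId":"backup1.7z","FileSize":4294967296,"FileType":"7z","Application":"WeTransfer","Sha256":"06","SensitiveInfoTypeData":[]}),
    datetime(2025-05-20T11:30:00Z), "FileUploadedToCloud", "user3", "id-3", "192.0.2.44", "ExampleISP", "DE",
        dynamic({"TargetDomain":"dropbox.com","DeviceName":"LAPTOP3","ObjectId":"backup2.7z","FileSize":3221225472,"FileType":"7z","Application":"Dropbox","Sha256":"07","SensitiveInfoTypeData":[]}),
    // A download, not an upload (constructed action type): the ActionType filter must drop it.
    datetime(2025-05-20T12:00:00Z), "FileDownloaded", "user2", "id-2", "198.51.100.7", "ExampleISP", "US",
        dynamic({"TargetDomain":"dropbox.com","DeviceName":"LAPTOP2","ObjectId":"huge.iso","FileSize":8589934592,"FileType":"iso","Application":"Dropbox","Sha256":"08","SensitiveInfoTypeData":[]})
];
let FileUploads = SampleEvents
| where ActionType == "FileUploadedToCloud"
| extend Domain = tostring(RawEventData.TargetDomain)
| extend File = tostring(RawEventData.ObjectId)
| extend FileSize_Bytes = tolong(RawEventData.FileSize)
// Kept only for comparison: toint() cannot represent the files above 2 GB, so this column comes back null for them.
| extend FileSize_Int32 = toint(RawEventData.FileSize)
| extend SensitiveInfoTypes = parse_json(tostring(RawEventData.SensitiveInfoTypeData))
| project TimeGenerated, AccountDisplayName, AccountId, Domain, File, FileSize_Bytes, FileSize_Int32, SensitiveInfoTypes, IPAddress, CountryCode;
FileUploads
| summarize TotalSize_Bytes = sum(FileSize_Bytes), FileUploadCount = count() by AccountDisplayName, AccountId, Domain
| where TotalSize_Bytes > SizeThresholdBytes or FileUploadCount > CountThreshold
| extend TotalSize = format_bytes(TotalSize_Bytes, 2, "GB")
| join kind=inner FileUploads on AccountId, Domain
| project-away AccountDisplayName1, AccountId1, Domain1
| order by AccountDisplayName asc, TimeGenerated asc
```

The sample is built so that user1 trips the size threshold, user2 trips the count threshold, user3 trips neither because its 7 GB is split across two domains, and the download row is excluded before any totals are taken. Swap SampleEvents for CloudAppEvents and restore CountThreshold to 1000 to get back to the production query.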

Details

Jay Kerai

Released: May 20, 2025

Tables

CloudAppEvents

Keywords

CloudAppEvents

Operators

let, ago, where, extend, tostring, tolong, parse_json, project, summarize, sum, format_bytes, join, kind, inner, or, project-away