Query Details

XDR 2 Data Security Events Mass Exfil

Query

// XDR-2 - Mass exfil-style data security events per user
// Run in: security.microsoft.com -> Hunting -> Advanced hunting
// Tactic: Exfiltration (T1530, T1567)
DataSecurityEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileUploadedToCloud","FileCopiedToRemovableMedia",
                       "FilePrinted","FileSentInEmail","FileSharedExternally",
                       "FileDownloadedFromSharePoint","FileSyncedToPersonalCloud")
| summarize Events=count(),
            Files=dcount(ObjectId),
            Apps=make_set(ApplicationNames, 5),
            Workloads=make_set(Workload, 5),
            FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
        by AccountUpn, ActionType
| where Files >= 10 or Events >= 25
| order by Events desc

Explanation

This query is designed to identify potential mass data exfiltration activities by users over the past week. Here's a simple breakdown of what it does:

  1. Data Source: It analyzes data from the DataSecurityEvents table.

  2. Time Frame: It focuses on events that occurred within the last 7 days.

  3. Action Types: It filters for specific actions that could indicate data exfiltration, such as:

    • Uploading files to the cloud
    • Copying files to removable media
    • Printing files
    • Sending files via email
    • Sharing files externally
    • Downloading files from SharePoint
    • Syncing files to personal cloud storage

  4. Aggregation: For each user (identified by AccountUpn) and action type:

    • Counts the total number of events (Events)
    • Counts the distinct number of files involved (Files)
    • Lists up to 5 different applications used (Apps)
    • Lists up to 5 different workloads involved (Workloads)
    • Records the first and last time the activity was seen (FirstSeen, LastSeen)

  5. Filtering: It only keeps user/action-type pairs where either:

    • At least 10 distinct files were involved, or
    • 25 or more events were recorded

  6. Sorting: The results are sorted by the number of events in descending order, highlighting users with the most activity.

Overall, this query helps security teams identify users who may be involved in suspicious data transfer activities, potentially indicating data exfiltration attempts.
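The fixed thresholds above (10 files or 25 events per action type) will also surface roles that legitimately move a lot of data every week. The following query is an added example, not part of the original query or its author's work: it keeps the same action-type filter and column names, aggregates per user across all action types, and then compares each user's last 7 days against that user's own average over the preceding four weeks. The 35-day lookback and the 3x ratio are assumed starting points to tune, not values from the original page.

```kql
// Added example (not the original query): per-user baseline comparison.
// Column names (Timestamp, ActionType, ObjectId, AccountUpn, ApplicationNames,
// Workload) are taken from the original query; the 35-day window and the
// 3x ratio are assumed starting values.
let exfilActions = dynamic(["FileUploadedToCloud","FileCopiedToRemovableMedia",
                            "FilePrinted","FileSentInEmail","FileSharedExternally",
                            "FileDownloadedFromSharePoint","FileSyncedToPersonalCloud"]);
// Per-user weekly average over days 8-35, i.e. the four full weeks before the detection window.
let baseline = DataSecurityEvents
    | where Timestamp between (ago(35d) .. ago(7d))
    | where ActionType in (exfilActions)
    | summarize BaselineEvents=count(), BaselineFiles=dcount(ObjectId) by AccountUpn
    | extend BaselineEventsPerWeek = BaselineEvents / 4.0,
             BaselineFilesPerWeek  = BaselineFiles  / 4.0;
DataSecurityEvents
| where Timestamp > ago(7d)
| where ActionType in (exfilActions)
| summarize Events=count(),
            Files=dcount(ObjectId),
            Actions=make_set(ActionType, 7),
            Apps=make_set(ApplicationNames, 5),
            Workloads=make_set(Workload, 5),
            FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
        by AccountUpn
| join kind=leftouter baseline on AccountUpn
// Users with no prior activity get a zero baseline; max_of(..., 1.0) avoids division by zero
// and treats "no history at all" as a baseline of one per week.
| extend BaselineEventsPerWeek = coalesce(BaselineEventsPerWeek, 0.0),
         BaselineFilesPerWeek  = coalesce(BaselineFilesPerWeek, 0.0)
| extend EventRatio = round(Events / max_of(BaselineEventsPerWeek, 1.0), 1),
         FileRatio  = round(Files  / max_of(BaselineFilesPerWeek, 1.0), 1)
// Keep the original absolute floor, then additionally require a jump relative to the user's own history.
| where (Files >= 10 or Events >= 25)
    and (EventRatio >= 3.0 or FileRatio >= 3.0)
| project AccountUpn, Events, Files, EventRatio, FileRatio,
          BaselineEventsPerWeek, BaselineFilesPerWeek,
          Actions, Apps, Workloads, FirstSeen, LastSeen
| order by FileRatio desc, Events desc
```

Because the detection window and the baseline window do not overlap, a user's own burst cannot inflate their baseline. Users who appear only in the last 7 days (no prior rows) are kept, since a brand-new pattern of bulk transfers is exactly what the original query is looking for; the Actions column shows which of the seven action types contributed so the per-action-type view of the original query is still recoverable during triage.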

Details


David Alonso

Released: May 25, 2026

Tables

DataSecurityEvents

Keywords

DataSecurityEvents, User, Application, Workload, Account, Timestamp, ActionType, ObjectId

Operators

DataSecurityEvents, |, where, >, ago(), in, summarize, count(), dcount(), make_set(), min(), max(), by, or, order by, desc
