An employee who has resigned or been given notice may exfiltrate large amounts of data before their last day, a classic insider-threat pattern. SOC teams should proactively hunt for this behavior in Azure Sentinel so that data loss is identified and contained early rather than discovered after the account is disabled.
KQL Query
// Look for document activity by the departing employee after the termination or resignation was announced,
// on devices the account also used for network activity and that were seen on a non-domain network.
let TermAccount = 'departing.employee'; //Enter the departing employee's username
let ReleaseTime = datetime(2022-01-16T00:00:00Z); //Enter the date the resignation or termination was announced
DeviceFileEvents
| where Timestamp > ReleaseTime
| where InitiatingProcessAccountName =~ TermAccount
| where FileName endswith ".docx" or FileName endswith ".pptx" or FileName endswith ".xlsx" or FileName endswith ".pdf"
// Restrict to devices on which the same account generated network events after the announcement.
// kind=inner on DeviceId (instead of the default innerunique on account name) keeps every file event
// rather than collapsing the left side to a single row per account.
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ReleaseTime
    | where InitiatingProcessAccountName =~ TermAccount
    | distinct DeviceId
) on DeviceId
// Restrict to devices that reported a non-domain (remote/home) network in the same period.
// ConnectedNetworks is a JSON string, so this match depends on the serialized form '"Category":"Domain"'.
| join kind=inner (
    DeviceNetworkInfo
    | where Timestamp > ReleaseTime
    | where ConnectedNetworks !contains '"Category":"Domain"' //Looking for remote, non-domain networks
    | distinct DeviceId
) on DeviceId
| summarize TotalFiles=count() by FiveMinuteBin=bin(Timestamp, 5m), InitiatingProcessAccountName
| where TotalFiles > 1000 // adjust accordingly
| project TotalFiles, FiveMinuteBin, InitiatingProcessAccountName
| sort by FiveMinuteBin desc
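The fixed cut-off of more than 1000 files per five minutes ("adjust accordingly") is the hardest part of this hunt to tune: a consultant who opens hundreds of PDFs a day looks very different from a receptionist. The following KQL is an added example, not part of the original hunting query or the Azure-Sentinel repository. It compares the departing user's daily document activity after the announcement with that same user's own pre-announcement baseline, so the threshold adapts to the person. The account name, announcement date, 30-day baseline window, 3x spike multiplier and the regex used to pull the file extension are all assumptions chosen for illustration.

```kql
// Added example (not from the original query): baseline the departing user against themselves.
// TermAccount, ReleaseTime, BaselineWindow and SpikeMultiplier are placeholders to adjust.
let TermAccount = 'departing.employee';
let ReleaseTime = datetime(2022-01-16T00:00:00Z);
let BaselineWindow = 30d;          // how far before the announcement to measure normal behaviour
let SpikeMultiplier = 3.0;         // flag days that exceed this multiple of the baseline daily average
let DocTypes = dynamic([".docx", ".pptx", ".xlsx", ".pdf"]);
// All document touches by the account, from the start of the baseline window onwards
let DocEvents = DeviceFileEvents
| where Timestamp > ReleaseTime - BaselineWindow
| where InitiatingProcessAccountName =~ TermAccount
| extend Ext = tolower(extract(@"(\.[^.]+)$", 1, FileName))
| where Ext in (DocTypes);
// One row describing the pre-announcement days: average, busiest day, and how many days had activity
let Baseline = DocEvents
| where Timestamp < ReleaseTime
| summarize Files = count() by bin(Timestamp, 1d)
| summarize BaselineDailyAvg = avg(Files), BaselineDailyMax = max(Files), BaselineDays = count();
DocEvents
| where Timestamp >= ReleaseTime
| summarize PostFiles = count(),
            Devices = make_set(DeviceName, 5),
            TopProcesses = make_set(InitiatingProcessFileName, 5)
    by Day = bin(Timestamp, 1d), InitiatingProcessAccountName
// Attach the single baseline row to every post-announcement day via a constant join key
| extend k = 1
| join kind=inner (Baseline | extend k = 1) on k
| extend Ratio = iff(BaselineDailyAvg > 0, todouble(PostFiles) / BaselineDailyAvg, real(null))
| where BaselineDays >= 5                       // do not trust a baseline built on a handful of days
| where PostFiles > BaselineDailyMax and Ratio >= SpikeMultiplier
| project Day, InitiatingProcessAccountName, PostFiles, BaselineDailyAvg, BaselineDailyMax, Ratio, Devices, TopProcesses
| sort by Day asc
```

A day is flagged only when it beats both the user's busiest baseline day and the average by the chosen multiplier; the `BaselineDays` guard stops a user with almost no history (a new hire, or someone who mostly worked on another device) from being flagged on the first document they open. The `Devices` and `TopProcesses` columns are there to make triage faster, since a spike driven entirely by a backup agent reads very differently from one driven by a browser or an archiver.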
id: 69ceaac7-5ea1-4a09-a8ce-b240210b8d2f
name: detect-exfiltration-after-termination
description: |
  This query can be used to explore any instances where a terminated individual (i.e. one who has an impending termination date but has not yet left the company) downloads a large number of files while connected to a non-domain network.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
      - DeviceFileEvents
      - DeviceNetworkInfo
tactics:
  - Exfiltration
query: |
  // Look for document activity by the departing employee after the termination or resignation was announced,
  // on devices the account also used for network activity and that were seen on a non-domain network.
  let TermAccount = 'departing.employee'; //Enter the departing employee's username
  let ReleaseTime = datetime(2022-01-16T00:00:00Z); //Enter the date the resignation or termination was announced
  DeviceFileEvents
  | where Timestamp > ReleaseTime
  | where InitiatingProcessAccountName =~ TermAccount
  | where FileName endswith ".docx" or FileName endswith ".pptx" or FileName endswith ".xlsx" or FileName endswith ".pdf"
  // Restrict to devices on which the same account generated network events after the announcement.
  // kind=inner on DeviceId (instead of the default innerunique on account name) keeps every file event
  // rather than collapsing the left side to a single row per account.
  | join kind=inner (
      DeviceNetworkEvents
      | where Timestamp > ReleaseTime
      | where InitiatingProcessAccountName =~ TermAccount
      | distinct DeviceId
  ) on DeviceId
  // Restrict to devices that reported a non-domain (remote/home) network in the same period.
  // ConnectedNetworks is a JSON string, so this match depends on the serialized form '"Category":"Domain"'.
  | join kind=inner (
      DeviceNetworkInfo
      | where Timestamp > ReleaseTime
      | where ConnectedNetworks !contains '"Category":"Domain"' //Looking for remote, non-domain networks
      | distinct DeviceId
  ) on DeviceId
  | summarize TotalFiles=count() by FiveMinuteBin=bin(Timestamp, 5m), InitiatingProcessAccountName
  | where TotalFiles > 1000 // adjust accordingly
  | project TotalFiles, FiveMinuteBin, InitiatingProcessAccountName
  | sort by FiveMinuteBin desc
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Provided by the Microsoft 365 Defender connector (connectorId MicrosoftThreatProtection); ensure this data type is enabled |
| DeviceNetworkEvents | Provided by the same connector; ensure this data type is enabled |
| DeviceNetworkInfo | Provided by the same connector; required for the ConnectedNetworks check, so ensure this data type is enabled |
Scenario: Scheduled Backup Job Execution
Description: A legitimate scheduled backup job runs and transfers a large volume of data from a non-privileged server to a backup storage system.
Filter/Exclusion: Exclude traffic originating from known backup tools (e.g., Veeam, Commvault) or systems with predefined backup schedules.
Scenario: Admin Task for Data Migration
Description: An administrator is performing a data migration task using a tool like rsync or scp to move files between servers as part of a routine system upgrade.
Filter/Exclusion: Exclude IP addresses or user accounts associated with administrative tasks, or filter by known migration tools and timestamps.
Scenario: User-Initiated File Sync via Cloud Storage
Description: A user syncs a large number of files to a cloud storage service (e.g., Dropbox, Google Drive) using a legitimate sync client.
Filter/Exclusion: Exclude traffic to known cloud storage endpoints or filter by user accounts with access to cloud sync tools.
Scenario: Log File Aggregation to Centralized SIEM
Description: System logs are aggregated to a centralized SIEM (e.g., Splunk, ELK stack) using a shipper such as Logstash or rsyslog.
Filter/Exclusion: Exclude traffic to SIEM systems or filter by known log aggregation tools and source systems.
Scenario: Temporary File Transfer for Development/Testing
Description: A developer transfers a large number of files between development environments using a tool like scp or rsync for testing purposes.
Filter/Exclusion: Exclude traffic from development environments or filter by user roles (e.g., developers, QA teams).
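The exclusions described in the scenarios above matter most when the same volume logic is run fleet-wide rather than against one named account, so the KQL below, an added example that is not part of the original hunting query or the Azure-Sentinel repository, drops the `TermAccount` filter and encodes each scenario's filter as an allowlist. Every process name, service-account name and destination hostname in it is a placeholder to be replaced with the organisation's own inventory. Scenario 3 is applied deliberately narrowly: only the corporate tenant, backup target and SIEM collector are excluded, because a departing employee syncing documents to a personal Dropbox or Google Drive is exactly the activity this hunt exists to catch.

```kql
// Added example (not from the original hunting query). Process names, account names and
// destination hostnames below are placeholders; replace them with your own inventory.
let ReleaseTime = datetime(2022-01-16T00:00:00Z);
let DocTypes = dynamic([".docx", ".pptx", ".xlsx", ".pdf"]);
// Scenarios 1, 2 and 5: tooling that legitimately touches many files (placeholder names)
let BulkCopyProcesses = dynamic(["veeamagent.exe", "commvaultagent.exe", "robocopy.exe", "rsync.exe", "scp.exe"]);
// Scenarios 2 and 5: accounts whose role involves bulk moves (placeholder names)
let BulkCopyAccounts = dynamic(["svc-migration", "svc-build"]);
// Scenarios 3 and 4: sanctioned destinations only (corporate tenant, backup target, SIEM collector).
// Personal cloud storage is intentionally absent: for a departing employee it is a likely exfil channel.
let SanctionedDestinations = dynamic(["contoso-my.sharepoint.com", "backup.corp.contoso.com", "siem-collector.corp.contoso.com"]);
// Document touches per device, account and 5-minute window, minus the allowlisted tools and accounts
let DocActivity = DeviceFileEvents
| where Timestamp > ReleaseTime
| extend Ext = tolower(extract(@"(\.[^.]+)$", 1, FileName))
| where Ext in (DocTypes)
| where InitiatingProcessFileName !in~ (BulkCopyProcesses)
| where InitiatingProcessAccountName !in~ (BulkCopyAccounts)
| summarize TotalFiles = count(), Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceId, InitiatingProcessAccountName, FiveMinuteBin = bin(Timestamp, 5m);
// Successful outbound connections in the same windows to destinations that are not on the sanctioned list
let UnsanctionedEgress = DeviceNetworkEvents
| where Timestamp > ReleaseTime
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| where isempty(RemoteUrl) or not(RemoteUrl has_any (SanctionedDestinations))
| where InitiatingProcessAccountName !in~ (BulkCopyAccounts)
| summarize Destinations = make_set(iff(isempty(RemoteUrl), RemoteIP, RemoteUrl), 10)
    by DeviceId, InitiatingProcessAccountName, FiveMinuteBin = bin(Timestamp, 5m);
// Keep only windows where heavy document activity and unsanctioned egress coincide on the same device and account
DocActivity
| join kind=inner UnsanctionedEgress on DeviceId, InitiatingProcessAccountName, FiveMinuteBin
| where TotalFiles > 1000 // same cut-off as the base query; adjust accordingly
| project FiveMinuteBin, DeviceId, InitiatingProcessAccountName, TotalFiles, Processes, Destinations
| sort by TotalFiles desc
```

Requiring the file burst and the unsanctioned outbound connection to land in the same five-minute window on the same device is what turns a noisy volume count into something closer to an exfiltration signal; a backup agent that is not on the allowlist will still appear, but it will show up with its own process name and a predictable destination, which is a quick triage rather than a false positive that has to be argued about. Keep the allowlists short and reviewed: every entry is also a blind spot for an insider who knows which tool is trusted.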