Adversaries may exfiltrate data by downloading sensitive files from cloud storage; Microsoft Defender for Cloud Apps records these downloads as FileDownloaded events. SOC teams should proactively hunt for this behaviour in their Azure Sentinel environment to identify potential data exfiltration attempts and to mitigate lateral movement or data theft risks.
KQL Query
let LookBack = 7d;
CloudAppEvents
| where ActionType == "FileDownloaded" and Timestamp > ago(LookBack)
| extend FileName = RawEventData.SourceFileName
| extend Site = RawEventData.SiteUrl
| extend FileLabel = RawEventData.SensitivityLabelId
| extend SiteLabel = RawEventData.SiteSensitivityLabelId
| project Timestamp, AccountObjectId, AccountDisplayName, ActionType, Application, FileName, Site, FileLabel, SiteLabel
id: f8f8d4a5-7d7d-4c5d-9b5c-9c5d7d8f8f8f
name: File download events in the last 7 days
description: |
  This query looks for file download events identified by Microsoft Defender for Cloud Apps. It requires a corresponding app connector in Microsoft Defender for Cloud Apps.
  Reference - https://learn.microsoft.com/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Exfiltration
query: >
  let LookBack = 7d;
  CloudAppEvents
  | where ActionType == "FileDownloaded" and Timestamp > ago(LookBack)
  | extend FileName = RawEventData.SourceFileName
  | extend Site = RawEventData.SiteUrl
  | extend FileLabel = RawEventData.SensitivityLabelId
  | extend SiteLabel = RawEventData.SiteSensitivityLabelId
  | project Timestamp, AccountObjectId, AccountDisplayName, ActionType, Application, FileName, Site, FileLabel, SiteLabel
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: ObjectGuid
        columnName: AccountObjectId
      - identifier: DisplayName
        columnName: AccountDisplayName
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled backup job downloading files
Description: A legitimate scheduled backup process (e.g., Veeam, Acronis, or Azure Backup) is downloading files from the cloud storage as part of a routine backup operation.
Filter/Exclusion: Exclude events where the file path matches known backup directories (e.g., C:\Backup\, /var/backups/) or where the user is a backup service account (e.g., backup_svc@domain.com).
Scenario: User downloading their own profile picture
Description: An employee downloads their own profile picture from a cloud storage service (e.g., OneDrive, SharePoint) as part of their profile setup or update.
Filter/Exclusion: Exclude events where the user is the same as the subject user (e.g., user_principal_name = 'user@domain.com').
Scenario: System update or patching process
Description: A system update or patching process (e.g., Windows Update, SCCM, or Ansible playbook) is downloading files from a cloud repository (e.g., Microsoft Update, internal artifact repository).
Filter/Exclusion: Exclude events where the file path matches known update directories (e.g., C:\Windows\Temp\, /tmp/) or where the user is a service account (e.g., NT AUTHORITY\SYSTEM).
Scenario: Admin downloading configuration files
Description: An administrator is downloading configuration files (e.g., JSON, YAML, or XML) from a cloud storage location to configure or troubleshoot a system.
Filter/Exclusion: Exclude events where the user is an admin (e.g., user_role = 'Admin') or where the file path matches known configuration directories (e.g., C:\Config\, /etc/config/).
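As an added example (not part of the original hunting query or the Sentinel template above), the query below applies the service-account exclusions suggested in the scenarios and compares each account's download volume over the 7-day hunt window with its own 30-day baseline, keeping only downloads of files or sites that carry a sensitivity label. The service-account names, the 30-day baseline window and the volume thresholds are assumptions chosen for illustration.

```kql
// Added example: tune the FileDownloaded hunt with exclusions and a per-account baseline.
let LookBack = 7d;
let BaselineWindow = 30d;   // assumed baseline length, not from the original query
// Assumed exclusion list of known automation accounts (constructed placeholders);
// in production this would normally come from a Sentinel watchlist via _GetWatchlist().
let KnownServiceAccounts = datatable(AccountDisplayName: string) [
    "backup_svc",        // scheduled backup job (scenario 1)
    "sccm_content_svc"   // patching / content distribution (scenario 3)
];
let Downloads = CloudAppEvents
    | where Timestamp > ago(BaselineWindow)
    | where ActionType == "FileDownloaded"
    | where AccountDisplayName !in (KnownServiceAccounts)
    | extend FileName  = tostring(RawEventData.SourceFileName),
             Site      = tostring(RawEventData.SiteUrl),
             FileLabel = tostring(RawEventData.SensitivityLabelId),
             SiteLabel = tostring(RawEventData.SiteSensitivityLabelId);
// Baseline: average daily download count per account in the period before the hunt window.
let Baseline = Downloads
    | where Timestamp < ago(LookBack)
    | summarize PriorDownloads = count() by AccountObjectId
    | extend PriorDailyAvg = PriorDownloads / ((BaselineWindow - LookBack) / 1d);
// Hunt window: downloads of labelled content, aggregated per account.
Downloads
| where Timestamp > ago(LookBack)
| where isnotempty(FileLabel) or isnotempty(SiteLabel)
| summarize RecentDownloads = count(),
            DistinctFiles   = dcount(FileName),
            DistinctSites   = dcount(Site),
            Apps            = make_set(Application, 10),
            SampleFiles     = make_set(FileName, 5)
          by AccountObjectId, AccountDisplayName
| join kind=leftouter Baseline on AccountObjectId
// Accounts with no history get an expected volume of zero.
| extend ExpectedDownloads = coalesce(PriorDailyAvg, 0.0) * (LookBack / 1d)
// Assumed thresholds: at least 50 labelled downloads and more than 3x the account's usual volume.
| where RecentDownloads > 50 and RecentDownloads > 3 * ExpectedDownloads
| project-away AccountObjectId1
| order by RecentDownloads desc
```

Accounts that appear here still need the analyst review implied by the scenarios above, since a newly onboarded user or a one-off migration will also exceed a zero baseline.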