Adversaries may use mass downloads to exfiltrate data or deploy malicious payloads, leveraging T1020 (Automated Exfiltration) techniques alongside lateral movement or persistence. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential data exfiltration or compromise early.
KQL Query
```kql
let lookback = 7d;            // set the period to query
let threshold = 50;           // set the threshold for number of downloads
let downloadTimeframe = 5m;   // set the bin timeframe to group the events
CloudAppEvents
| where ActionType == "FileDownloaded" and Timestamp > ago(lookback)   // filter to only "Download" actions
| summarize DownloadCount = count() by AccountDisplayName, AccountObjectId, bin(Timestamp, downloadTimeframe)   // bin the results into a timeframe by the account
| where DownloadCount > threshold   // keep only the bins that exceed the threshold
| project Timestamp, AccountDisplayName, AccountObjectId, DownloadCount   // Timestamp is the start of the 5m bin, kept so the analyst knows when it happened
```
```yaml
id: a1b2c3d4-e5f6-4g7h-8i9j-k0l1m2n3o4p5   # placeholder on this page, not a valid GUID (hex digits only); replace before deploying
name: Mass Downloads in the last 7 days
description: |
  This query looks for mass downloads identified by Microsoft Defender for Cloud Apps. It requires a corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Exfiltration
relevantTechniques:
  - T1020
# literal block (|), not folded (>): folding joins the lines, and the first // comment would then swallow the rest of the query
query: |
  let lookback = 7d;            // set the period to query
  let threshold = 50;           // set the threshold for number of downloads
  let downloadTimeframe = 5m;   // set the bin timeframe to group the events
  CloudAppEvents
  | where ActionType == "FileDownloaded" and Timestamp > ago(lookback)   // filter to only "Download" actions
  | summarize DownloadCount = count() by AccountDisplayName, AccountObjectId, bin(Timestamp, downloadTimeframe)   // bin the results into a timeframe by the account
  | where DownloadCount > threshold   // keep only the bins that exceed the threshold
  | project Timestamp, AccountDisplayName, AccountObjectId, DownloadCount   // keep the bin start time so the analyst knows when it happened
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: ObjectGuid
        columnName: AccountObjectId
      - identifier: DisplayName
        columnName: AccountDisplayName
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job
Description: A scheduled backup job is running and downloading large amounts of data from the cloud storage.
Filter/Exclusion: Exclude activities associated with known backup tools like Veeam Backup & Replication, Commvault, or Dell EMC Data Domain by checking the userAgent or application field.
Example Filter: application NOT IN ('Veeam Backup', 'Commvault', 'Data Domain')
Scenario: User-Initiated File Sync
Description: A user is syncing a large folder using a tool like OneDrive for Business or Google Drive Sync, which triggers a mass download.
Filter/Exclusion: Exclude activities related to OneDrive Sync Client or Google Drive for Work by checking the clientApplication or deviceName field.
Example Filter: clientApplication NOT IN ('OneDrive Sync Client', 'Google Drive for Work')
Scenario: System Maintenance or Patching
Description: A system administrator is performing a maintenance task that involves downloading large files, such as OS patches or software updates.
Filter/Exclusion: Exclude activities initiated by System Administrator accounts or associated with Windows Update, WSUS, or Microsoft Endpoint Manager.
Example Filter: user NOT IN ('admin', 'sysadmin') AND source NOT IN ('Windows Update', 'Microsoft Endpoint Manager') (both exclusions must hold, so the conditions are joined with AND; with OR, a non-admin download from Windows Update would still be kept)
Scenario: Data Migration or Transfer
Description: An organization is migrating data between cloud storage services using tools like Azure Data Factory, AWS DataSync, or Rsync.
Filter/Exclusion: Exclude activities involving Azure Data Factory, AWS DataSync, or Rsync by checking the tool or source field.
*Example
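The scenarios above name fields (application, clientApplication, user, source) that do not exist in CloudAppEvents. As an added example, not part of the original page or the Sentinel content it describes, here is the hunting query with those exclusions expressed against the real CloudAppEvents columns (Application, UserAgent, AccountType) and with triage context added to the output. The application names and user-agent fragments in the exclusion lists are assumptions and must be confirmed against your own tenant's data.

```kql
// Added example: the mass-download hunt with the false-positive scenarios folded in.
// Exclusion values below are assumed; validate them with a quick
//   CloudAppEvents | where ActionType == "FileDownloaded" | summarize count() by Application, UserAgent
// before relying on them.
let lookback = 7d;
let threshold = 50;
let downloadTimeframe = 5m;
// Backup and migration tooling (Scheduled Backup Job, Data Migration scenarios) - assumed app names
let excludedApps = dynamic(["Veeam Backup", "Commvault", "Data Domain", "Azure Data Factory", "AWS DataSync"]);
// Sync clients (User-Initiated File Sync scenario) - assumed user-agent fragments
let excludedAgents = dynamic(["OneDrive", "Google Drive", "rsync"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileDownloaded"
// Known tooling, matched on the app connector's application name or the client user agent
| where Application !in~ (excludedApps)
| where not(UserAgent has_any (excludedAgents))
// System Maintenance scenario: service/admin principals. Excluding them hides compromised
// admin accounts, so a higher threshold for these accounts is usually safer than dropping them.
| where AccountType !in~ ("System")
| summarize DownloadCount = count(),
            DistinctFiles = dcount(ObjectName),      // 50 downloads of one file reads very differently from 50 distinct files
            Apps = make_set(Application, 10),
            SourceIPs = make_set(IPAddress, 10),     // several IPs in one 5m bin is itself worth a look
            AnonymousProxy = max(IsAnonymousProxy)
          by AccountDisplayName, AccountObjectId, AccountType, bin(Timestamp, downloadTimeframe)
| where DownloadCount > threshold
| project Timestamp, AccountDisplayName, AccountObjectId, AccountType, DownloadCount, DistinctFiles, Apps, SourceIPs, AnonymousProxy
| order by DownloadCount desc
```

A 5-minute bin only catches bursts; an account that stays just under the threshold in every bin never surfaces, so pair this with a second run using a 1h or 1d bin and a proportionally higher threshold.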