Data Exfiltration Investigation Runbook

SOC & DFIR Operations Guide

Environment: Windows AD | Microsoft 365 | Defender XDR | Sentinel | Entra ID | Palo Alto Prisma Access.

---

Overview & Scope

This runbook provides standardised procedures for investigating data exfiltration attacks across the hybrid enterprise environment. Data exfiltration is a critical phase in the attack lifecycle where adversaries steal sensitive data from the organisation, often representing the primary objective of sophisticated attacks.

What is Data Exfiltration?

Data exfiltration (also known as data theft, data extrusion, or data leakage) is the unauthorised transfer of data from an organisation. It can be performed by external threat actors who have compromised the environment or by malicious insiders abusing their legitimate access.

Key Considerations:

• Exfiltration is often the final stage before an attack is discovered

• Data theft may occur over extended periods (low and slow)

• Ransomware actors increasingly exfiltrate before encrypting (double extortion)

• Insider threats may use legitimate tools and access

• Cloud services create new exfiltration vectors

Data at Risk Categories

Category	Examples	Sensitivity
Personally Identifiable Information (PII)	SSN, addresses, phone numbers, DOB	High
Protected Health Information (PHI)	Medical records, insurance data	Critical
Financial Data	Credit cards, bank accounts, financial reports	Critical
Intellectual Property	Source code, patents, trade secrets, designs	Critical
Customer Data	Customer lists, contracts, communications	High
Employee Data	HR records, salaries, performance reviews	High
Authentication Data	Passwords, keys, certificates, tokens	Critical
Strategic Information	M&A plans, business strategies, pricing	High
Legal/Compliance	Legal holds, audit data, compliance reports	High

Exfiltration Methods

By Channel

Channel	Description	Detection Difficulty
Network (Unencrypted)	HTTP, FTP, SMB to external	Low
Network (Encrypted)	HTTPS, SFTP, encrypted tunnels	Medium-High
Email	Attachments, body content	Low-Medium
Cloud Storage	OneDrive, Dropbox, Google Drive, etc.	Medium
Removable Media	USB drives, external HDD	Medium
Physical	Printed documents, photos of screens	High
Covert Channels	DNS tunneling, steganography, ICMP	High
Application-Based	Messaging apps, file sharing apps	Medium

By Technique

Technique	Description	MITRE ID
Exfiltration Over C2	Using existing C2 channel	T1041
Exfiltration Over Web Service	Cloud storage, paste sites	T1567
Exfiltration Over Alternative Protocol	DNS, ICMP, non-standard ports	T1048
Automated Exfiltration	Scheduled/triggered data theft	T1020
Data Transfer Size Limits	Chunking to avoid detection	T1030
Scheduled Transfer	Off-hours to avoid detection	T1029
Exfiltration Over Physical Medium	USB, external drives	T1052
Exfiltration Over Bluetooth	Wireless data transfer	T1011.001

By Actor Type

Actor	Motivation	Typical Methods
External Threat Actor	Espionage, extortion, sale	C2, cloud upload, encrypted
Ransomware Operator	Double extortion leverage	Bulk transfer, cloud upload
Nation-State	Intelligence gathering	Low and slow, covert channels
Malicious Insider	Financial gain, revenge	Email, USB, cloud sync
Negligent Insider	Convenience, lack of awareness	Email, personal cloud
Departing Employee	Taking work, competitive advantage	USB, personal email, cloud

Data Exfiltration Lifecycle

1. Target Identification
   └── Identify valuable data locations, access methods

2. Access & Collection
   ├── Access file shares, databases, cloud storage
   ├── Search for sensitive content
   └── Stage data for exfiltration

3. Preparation
   ├── Compress/archive data
   ├── Encrypt to avoid DLP
   └── Split into smaller chunks

4. Exfiltration
   ├── Transfer via chosen channel
   ├── May occur over extended period
   └── Often during off-hours

5. Covering Tracks
   ├── Delete staging files
   ├── Clear logs
   └── Remove access artifacts

---

Detection Sources & Data Mapping

Log Sources Matrix

Platform	Log Table	Exfiltration-Relevant Data
Defender for Endpoint	DeviceFileEvents	File access, copy, archive creation
Defender for Endpoint	DeviceNetworkEvents	Outbound transfers, DNS queries
Defender for Endpoint	DeviceEvents	USB activity, Bluetooth, print
Defender for Endpoint	DeviceProcessEvents	Compression tools, exfil utilities
Cloud Apps	CloudAppEvents	Cloud storage uploads, sharing
Exchange Online	EmailEvents, EmailAttachmentInfo	Email with attachments
SharePoint/OneDrive	OfficeActivity	Downloads, sharing, sync
Purview	DlpAll	DLP policy matches
Purview	InsiderRiskManagement	Insider risk alerts
Sentinel	AzureActivity	Azure resource data access
Sentinel	ThreatIntelligenceIndicator	Known exfil infrastructure
Prisma Access	PaloAltoPrismaAccess	Network transfers, URL categories
Entra ID	SigninLogs, AuditLogs	Application access patterns

Critical Event Categories

File Operations

Event Type	Description	Risk Indicator
Mass file access	Bulk file opens/reads	High volume in short time
Archive creation	ZIP, RAR, 7z creation	Large archives, sensitive paths
File copy to removable	Copy to USB/external	Any sensitive data
File rename/extension change	Disguising files	Hiding data type
Sensitive file access	Labeled/classified files	Unusual accessor or volume
File download from cloud	SharePoint/OneDrive download	Bulk downloads

Network Activity

Event Type	Description	Risk Indicator
Large outbound transfers	High upload volume	Unusual destination
Transfers to file sharing	Cloud storage uploads	Personal accounts
DNS tunneling	Data in DNS queries	High volume, long queries
Non-standard ports	Data on unusual ports	Encrypted traffic on odd ports
Known bad destinations	C2, paste sites	Threat intel matches
After-hours transfers	Off-peak large transfers	Unusual for user

Email Activity

Event Type	Description	Risk Indicator
Large attachments	Files over threshold	Unusual for sender
Sensitive attachments	Labeled files attached	External recipients
Personal email forwards	Forwarding to personal	Any corporate data
Bulk email to external	Many external recipients	Data in body/attachments
Encrypted attachments	Password-protected files	Avoiding DLP

Cloud Activity

Event Type	Description	Risk Indicator
External sharing	Sharing with outside org	Sensitive content
Anonymous links	Anyone with link access	Sensitive files
Sync to personal device	OneDrive/SharePoint sync	Unmanaged devices
Third-party app access	OAuth apps accessing data	Excessive permissions
Bulk downloads	Mass file downloads	Unusual volume

Windows Event IDs

Event ID	Log	Description	Relevance
4663	Security	Object access attempt	File access tracking
4656	Security	Handle to object requested	File access audit
4658	Security	Handle closed	File operation complete
4660	Security	Object deleted	Evidence destruction
4670	Security	Permissions changed	Access modification
5140	Security	Network share accessed	Share enumeration
5145	Security	Share object access check	File share access
6416	Security	External device recognized	USB detection
4688	Security	Process creation	Archive tools
307	PrintService	Document printed	Print exfiltration

---

Investigation Workflows

General Data Exfiltration Investigation

Objective: Identify, scope, and contain data exfiltration, determine what data was stolen, and assess impact.

Step 1: Initial Triage

1. Identify the alert source (DLP, UEBA, network, endpoint)

2. Determine the user/account involved

3. Identify the data type/sensitivity flagged

4. Check for related alerts or incidents

5. Assess initial scope and urgency

Step 2: User Context Analysis

1. Review user's role and normal data access

2. Check employment status (departing, notice period)

3. Review recent HR flags or performance issues

4. Identify if user has legitimate business need

5. Check for prior security incidents

Step 3: Activity Timeline Construction

1. Query all data access for user (7-30 days)

2. Identify anomalous access patterns

3. Document file types and sensitivity

4. Map access to exfiltration attempts

5. Correlate with authentication events

Step 4: Exfiltration Channel Identification

1. Review network connections and transfers

2. Check email for attachments/forwards

3. Review cloud storage activity

4. Check for removable media usage

5. Review print activity

Step 5: Data Impact Assessment

1. Identify all data potentially exfiltrated

2. Classify data by sensitivity level

3. Determine regulatory implications (PII, PHI, PCI)

4. Assess business impact

5. Document for legal/compliance

Step 6: Scope Expansion

1. Check for similar activity by other users

2. Search for data on known bad destinations

3. Review shared infrastructure/access

4. Check for accomplices or shared accounts

5. Assess if part of larger compromise

---

Cloud Storage Exfiltration Investigation

Objective: Investigate data theft via cloud storage services (OneDrive, SharePoint, Dropbox, Google Drive, etc.).

Detection Indicators

• Large volume file downloads from SharePoint/OneDrive

• Syncing to unmanaged/personal devices

• External sharing of sensitive files

• Anonymous link creation for sensitive content

• Personal cloud storage app usage

• Bulk downloads before account changes

Investigation Steps

1. Identify Cloud Activity

   • Query CloudAppEvents for upload/download activity

   • Check OfficeActivity for SharePoint/OneDrive operations

   • Review Shadow IT usage via MDCA

   • Identify personal vs. corporate accounts

2. Analyse Access Patterns

   • Compare to baseline access behaviour

   • Check for bulk operations

   • Identify accessed file sensitivity

   • Review timing (off-hours, last day)

3. External Sharing Review

   • List all external shares by user

   • Check for anonymous links created

   • Review share recipients

   • Identify sensitive content shared

4. Sync Activity Analysis

   • Check for OneDrive sync to personal devices

   • Review device registration status

   • Identify unmanaged device syncs

   • Check for selective sync of sensitive folders

5. Third-Party Cloud Apps

   • Review OAuth app authorisations

   • Check for data access by apps

   • Identify personal cloud storage apps

   • Review MDCA sanctioned/unsanctioned apps

---

Email-Based Exfiltration Investigation

Objective: Investigate data theft via email attachments or body content.

Detection Indicators

• Emails with large attachments to external recipients

• Sensitive files attached to personal email

• Password-protected attachments (DLP bypass)

• Bulk email to external addresses

• Auto-forward rules to external addresses

• Email to known personal accounts

Investigation Steps

1. Email Pattern Analysis

   • Query EmailEvents for external sends

   • Review attachment sizes and types

   • Check for DLP policy matches

   • Identify unusual recipients

2. Attachment Analysis

   • Review EmailAttachmentInfo for details

   • Check file types and names

   • Identify sensitive content indicators

   • Review if encrypted/password-protected

3. Forwarding Rules Review

   • Check for inbox rules forwarding externally

   • Review mailbox forwarding configuration

   • Identify delegates with forward permissions

   • Check mobile device forwarding

4. Recipient Analysis

   • Categorise recipients (personal, competitor, unknown)

   • Check for first-time recipients

   • Review recipient domains

   • Identify patterns in recipients

---

Endpoint-Based Exfiltration Investigation

Objective: Investigate data theft via endpoint methods (USB, Bluetooth, print, local storage).

Detection Indicators

• USB device connections

• Large file copies to removable media

• Bluetooth file transfers

• Mass printing activity

• Archive creation with sensitive files

• Airdrop or similar local transfers

Investigation Steps

1. Removable Media Analysis

   • Query DeviceEvents for USB connections

   • Identify device types and serial numbers

   • Review files copied to devices

   • Check for encrypted transfers

2. Archive/Compression Activity

   • Query for ZIP, RAR, 7z creation

   • Review archive contents if available

   • Check source directories

   • Identify password protection

3. Print Activity

   • Query print logs for document printing

   • Identify sensitive documents printed

   • Review print volume anomalies

   • Check print-to-file activity

4. Local Transfer Methods

   • Check for Bluetooth transfers

   • Review network sharing activity

   • Check for Airdrop (if applicable)

   • Review cloud sync client activity

---

Network-Based Exfiltration Investigation

Objective: Investigate data theft via network channels, including C2, web uploads, and covert channels.

Detection Indicators

• Large outbound data transfers

• Transfers to unknown or suspicious IPs

• Non-standard port usage

• DNS tunnelling patterns

• ICMP data transfer

• Encrypted traffic to unusual destinations

Investigation Steps

1. Traffic Volume Analysis

   • Query DeviceNetworkEvents for large transfers

   • Identify top talkers (bytes out)

   • Compare to baseline network usage

   • Check for sustained vs. burst transfers

2. Destination Analysis

   • Review destination IPs and domains

   • Check threat intelligence for IOCs

   • Identify known file sharing sites

   • Review geographic anomalies

3. Protocol Analysis

   • Check for non-standard ports

   • Review encrypted traffic destinations

   • Identify potential tunnelling (DNS, ICMP)

   • Check for C2 pattern indicators

4. Prisma Access Analysis

   • Review URL filtering logs

   • Check for file sharing categories

   • Identify blocked upload attempts

   • Review data transfer by application

---

Insider Threat Investigation

Objective: Investigate potential malicious insider data theft with sensitivity to HR and legal requirements.

Pre-Investigation Considerations

⚠️ Important: Insider threat investigations are sensitive. Before proceeding:

• Coordinate with HR and Legal

• Follow established insider threat procedures

• Maintain confidentiality

• Document chain of custody

• Consider union/works council requirements

Risk Indicators

Indicator	Category	Weight
Resignation submitted	Employment	High
Performance issues	HR	Medium
Passed over for promotion	HR	Medium
Working unusual hours	Behavioral	Low-Medium
Excessive data access	Technical	High
USB usage increase	Technical	Medium
Email to personal accounts	Technical	High
Accessing unrelated data	Technical	High

Investigation Steps

1. Context Gathering

   • Coordinate with HR on employment status

   • Review role and normal data access needs

   • Check for known grievances or issues

   • Identify access to sensitive data

2. Behavioral Analysis

   • Compare recent activity to baseline

   • Identify access pattern changes

   • Review login times and locations

   • Check for policy violations

3. Data Access Review

   • Query all file access (extended timeline)

   • Identify access outside normal scope

   • Review search queries if available

   • Check for bulk download patterns

4. Exfiltration Channel Review

   • Check all potential exfil channels

   • Review email to personal addresses

   • Check USB and removable media

   • Review cloud storage activity

   • Check print logs

5. Evidence Preservation

   • Preserve logs with timestamps

   • Document findings thoroughly

   • Maintain chain of custody

   • Prepare for potential legal action

---

KQL Query Cheat Sheet

File Access Analysis

Mass File Access Detection

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileRead", "FileOpen", "FileCopied")
| summarize 
    FileCount = count(),
    UniqueFiles = dcount(FileName),
    UniqueFolders = dcount(FolderPath),
    SensitiveFiles = countif(FolderPath has_any ("confidential", "secret", "hr", "finance", "legal"))
    by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1h)
| where FileCount > 100 or SensitiveFiles > 10
| sort by FileCount desc

Sensitive File Access by Unusual Users

let sensitiveLocations = dynamic(["\\HR\\", "\\Finance\\", "\\Legal\\", "\\Executive\\", "\\Confidential\\", "\\Secret\\"]);
let baseline = DeviceFileEvents
| where Timestamp between (ago(30d) .. ago(1d))
| where FolderPath has_any (sensitiveLocations)
| summarize by InitiatingProcessAccountName, FolderPath;
DeviceFileEvents
| where Timestamp > ago(1d)
| where FolderPath has_any (sensitiveLocations)
| join kind=leftanti baseline on InitiatingProcessAccountName, FolderPath
| summarize 
    AccessCount = count(),
    Files = make_set(FileName, 20),
    Folders = make_set(FolderPath, 10)
    by InitiatingProcessAccountName, DeviceName
| sort by AccessCount desc

Archive Creation with Sensitive Files

DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| extend FileSizeMB = FileSize / 1048576.0
| where FileSizeMB > 50  // Large archives
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FileSizeMB, FolderPath
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName in~ ("7z.exe", "winrar.exe", "winzip.exe", "powershell.exe", "tar.exe")
    | where ProcessCommandLine has_any (".zip", ".rar", ".7z", "Compress-Archive")
    | project ArchiveTime = Timestamp, DeviceName, ArchiveCommand = ProcessCommandLine
) on DeviceName
| where abs(datetime_diff('minute', Timestamp, ArchiveTime)) < 5
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FileSizeMB, ArchiveCommand

File Copy to External Paths

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileCopied")
| where FolderPath matches regex @"^[A-Z]:\\" and FolderPath !startswith "C:\\"  // Non-C: drives
    or FolderPath startswith "\\\\"  // Network paths
    or FolderPath has_any ("usb", "removable", "external")
| summarize 
    CopyCount = count(),
    TotalSizeMB = sum(FileSize) / 1048576.0,
    Files = make_set(FileName, 20)
    by DeviceName, InitiatingProcessAccountName, FolderPath
| where CopyCount > 10 or TotalSizeMB > 100
| sort by TotalSizeMB desc

---

USB/Removable Media Detection

USB Device Connections

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PnpDeviceConnected"
| extend DeviceDescription = tostring(parse_json(AdditionalFields).DeviceDescription)
| extend DeviceId = tostring(parse_json(AdditionalFields).DeviceId)
| where DeviceDescription has_any ("USB", "Mass Storage", "Removable")
| summarize 
    ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Devices = make_set(DeviceDescription, 10)
    by DeviceName, InitiatingProcessAccountName
| sort by ConnectionCount desc

Files Written to Removable Media

DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath matches regex @"^[D-Z]:\\"  // Non-C: drives (potential USB)
| where FolderPath !has "Program Files" and FolderPath !has "Windows"
| summarize 
    FileCount = count(),
    TotalSizeMB = sum(FileSize) / 1048576.0,
    FileTypes = make_set(tostring(split(FileName, ".")[-1]), 20)
    by DeviceName, InitiatingProcessAccountName, FolderPath
| where FileCount > 20 or TotalSizeMB > 100
| sort by TotalSizeMB desc

---

Cloud Storage Exfiltration

SharePoint/OneDrive Download Activity

CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where ActionType in ("FileDownloaded", "FileSyncDownloadedFull")
| summarize 
    DownloadCount = count(),
    UniqueFiles = dcount(ObjectName),
    TotalSize = sum(toint(RawEventData.FileSizeBytes)) / 1048576.0
    by AccountDisplayName, AccountObjectId, bin(Timestamp, 1d)
| where DownloadCount > 100 or TotalSize > 500
| sort by DownloadCount desc

External Sharing Detection

CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where ActionType in ("SharingSet", "AddedToSecureLink", "AnonymousLinkCreated", "SharingInvitationCreated")
| extend SharedWith = tostring(parse_json(RawEventData).TargetUserOrGroupName)
| extend FileName = tostring(ObjectName)
| where SharedWith !endswith "yourdomain.com" or isempty(SharedWith)
| project Timestamp, AccountDisplayName, ActionType, FileName, SharedWith, FolderPath = tostring(parse_json(RawEventData).ObjectId)
| sort by Timestamp desc

Anonymous Link Creation

CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where ActionType == "AnonymousLinkCreated"
| extend FileName = tostring(ObjectName)
| extend LinkScope = tostring(parse_json(RawEventData).EventData)
| project Timestamp, AccountDisplayName, FileName, LinkScope, IPAddress
| sort by Timestamp desc

Third-Party Cloud Storage Usage

CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Dropbox", "Google Drive", "Box", "WeTransfer", "iCloud", "pCloud")
| where ActionType has_any ("upload", "create", "share")
| summarize 
    ActivityCount = count(),
    Actions = make_set(ActionType, 10),
    Files = make_set(ObjectName, 20)
    by AccountDisplayName, Application, bin(Timestamp, 1d)
| sort by ActivityCount desc

---

Email Exfiltration Detection

Large Attachments to External Recipients

EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Outbound"
| where RecipientEmailAddress !endswith "yourdomain.com"
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(7d)
    | where FileSize > 5000000  // > 5MB
) on NetworkMessageId
| summarize 
    EmailCount = count(),
    TotalAttachmentSizeMB = sum(FileSize) / 1048576.0,
    Recipients = make_set(RecipientEmailAddress, 20),
    Attachments = make_set(FileName, 20)
    by SenderFromAddress, bin(Timestamp, 1d)
| where TotalAttachmentSizeMB > 50
| sort by TotalAttachmentSizeMB desc

Emails to Personal Domains

let personalDomains = dynamic(["gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com", "icloud.com", "protonmail.com", "mail.com"]);
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Outbound"
| extend RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
| where RecipientDomain in (personalDomains)
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| summarize 
    EmailCount = count(),
    WithAttachments = countif(isnotempty(FileName)),
    TotalSizeMB = sum(FileSize) / 1048576.0,
    Recipients = make_set(RecipientEmailAddress, 10)
    by SenderFromAddress
| where EmailCount > 10 or WithAttachments > 5
| sort by WithAttachments desc

Password-Protected Attachments (DLP Bypass)

EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar"
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(7d)
    | where EmailDirection == "Outbound"
    | where RecipientEmailAddress !endswith "yourdomain.com"
) on NetworkMessageId
| where FileType == "zip" or tostring(ThreatTypes) has "encrypted"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, FileSize
| sort by Timestamp desc

---

Network Exfiltration Detection

Large Outbound Transfers

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where LocalIP startswith "10." or LocalIP startswith "192.168." or LocalIP startswith "172."
| summarize 
    TotalBytesSent = sum(SentBytes),
    TotalBytesReceived = sum(ReceivedBytes),
    ConnectionCount = count(),
    UniqueDestinations = dcount(RemoteIP),
    TopDestinations = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| extend SentMB = TotalBytesSent / 1048576.0
| where SentMB > 100
| sort by SentMB desc

Transfers to File Sharing Sites

let fileSharingSites = dynamic([
    "dropbox.com", "drive.google.com", "wetransfer.com", "sendspace.com",
    "mediafire.com", "mega.nz", "box.com", "pcloud.com", "sync.com",
    "file.io", "gofile.io", "anonfiles.com", "transfer.sh"
]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any (fileSharingSites)
| summarize 
    Connections = count(),
    TotalBytesSent = sum(SentBytes),
    Sites = make_set(RemoteUrl, 10)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| extend SentMB = TotalBytesSent / 1048576.0
| where SentMB > 10
| sort by SentMB desc

DNS Tunnelling Detection

DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "DnsQueryResponse"
| extend QueryLength = strlen(RemoteUrl)
| extend Labels = countof(RemoteUrl, ".")
| where QueryLength > 50 or Labels > 5
| summarize 
    QueryCount = count(),
    AvgQueryLength = avg(QueryLength),
    MaxQueryLength = max(QueryLength),
    UniqueDomains = dcount(RemoteUrl)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h)
| where QueryCount > 100 or AvgQueryLength > 50
| sort by QueryCount desc

After-Hours Large Transfers

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| extend Hour = hourofday(Timestamp)
| extend DayOfWeek = dayofweek(Timestamp)
| where Hour < 6 or Hour > 22 or DayOfWeek in (0d, 6d)
| summarize 
    TotalBytesSent = sum(SentBytes),
    Connections = count(),
    Destinations = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| extend SentMB = TotalBytesSent / 1048576.0
| where SentMB > 50
| sort by SentMB desc

---

Staging & Preparation Detection

Data Staging Directory Detection

DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified", "FileCopied")
| where FolderPath has_any ("\\temp\\", "\\tmp\\", "\\staging\\", "\\export\\", "\\backup\\", "\\extract\\")
    or FolderPath matches regex @"C:\\Users\\[^\\]+\\Desktop\\[^\\]+"
| summarize 
    FileCount = count(),
    TotalSizeMB = sum(FileSize) / 1048576.0,
    FileTypes = make_set(tostring(split(FileName, ".")[-1]), 10),
    UniqueFiles = dcount(FileName)
    by DeviceName, InitiatingProcessAccountName, FolderPath
| where FileCount > 50 or TotalSizeMB > 100
| sort by TotalSizeMB desc

Compression Tool Usage

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("7z.exe", "7za.exe", "winrar.exe", "rar.exe", "winzip.exe", "zip.exe", "tar.exe")
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Compress-Archive", "ZipFile", "[System.IO.Compression"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

Database Export Tools

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("sqlcmd.exe", "bcp.exe", "mysqldump.exe", "pg_dump.exe", "mongodump.exe", "exp.exe")
    or ProcessCommandLine has_any ("SELECT * FROM", "BULK INSERT", "INTO OUTFILE", "COPY TO")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

---

DLP & Purview Alerts

DLP Policy Matches

// If using Microsoft Purview DLP
// This query structure depends on your DLP log ingestion
DlpAll
| where Timestamp > ago(7d)
| where PolicyName != ""
| summarize 
    MatchCount = count(),
    Policies = make_set(PolicyName, 10),
    Locations = make_set(Location, 10)
    by User, bin(Timestamp, 1d)
| where MatchCount > 5
| sort by MatchCount desc

Insider Risk Alerts

// If using Microsoft Purview Insider Risk Management
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName == "Insider Risk Management"
| project TimeGenerated, AlertName, Description, UserPrincipalName = tostring(Entities[0].Name), Severity
| sort by TimeGenerated desc

---

User Behaviour Analysis

User Data Access Baseline Comparison

// Establish baseline
let baseline = CloudAppEvents
| where Timestamp between (ago(30d) .. ago(7d))
| where ActionType in ("FileDownloaded", "FileUploaded", "FileShared")
| summarize 
    BaselineAvgDaily = count() / 23.0  // 23 days of data
    by AccountDisplayName;
// Compare recent activity
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileDownloaded", "FileUploaded", "FileShared")
| summarize 
    RecentAvgDaily = count() / 7.0
    by AccountDisplayName
| join kind=inner baseline on AccountDisplayName
| extend Deviation = (RecentAvgDaily - BaselineAvgDaily) / BaselineAvgDaily * 100
| where Deviation > 200  // More than 200% increase
| project AccountDisplayName, BaselineAvgDaily, RecentAvgDaily, DeviationPercent = round(Deviation, 2)
| sort by DeviationPercent desc

Departing Employee Monitoring

// Assuming you have a list of departing employees
let departingUsers = dynamic(["user1@domain.com", "user2@domain.com"]);
union
    (CloudAppEvents
    | where Timestamp > ago(7d)
    | where AccountDisplayName in (departingUsers)
    | where ActionType in ("FileDownloaded", "FileUploaded", "FileShared", "FileCopied")
    | project Timestamp, User = AccountDisplayName, Activity = ActionType, Details = tostring(ObjectName), Source = "CloudApp"),
    (DeviceFileEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessAccountName in (departingUsers)
    | where ActionType in ("FileCreated", "FileCopied", "FileModified")
    | project Timestamp, User = InitiatingProcessAccountName, Activity = ActionType, Details = FileName, Source = "Endpoint"),
    (EmailEvents
    | where Timestamp > ago(7d)
    | where SenderFromAddress in (departingUsers)
    | where EmailDirection == "Outbound"
    | project Timestamp, User = SenderFromAddress, Activity = "EmailSent", Details = Subject, Source = "Email")
| sort by Timestamp desc

---

Print Activity Detection

Mass Printing Detection

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PrintJobEvent"
| extend DocumentName = tostring(parse_json(AdditionalFields).DocumentName)
| extend PrinterName = tostring(parse_json(AdditionalFields).PrinterName)
| extend PageCount = toint(parse_json(AdditionalFields).PageCount)
| summarize 
    PrintJobs = count(),
    TotalPages = sum(PageCount),
    UniqueDocuments = dcount(DocumentName),
    Printers = make_set(PrinterName, 5)
    by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1d)
| where TotalPages > 100 or UniqueDocuments > 20
| sort by TotalPages desc

Sensitive Document Printing

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PrintJobEvent"
| extend DocumentName = tostring(parse_json(AdditionalFields).DocumentName)
| where DocumentName has_any ("confidential", "secret", "restricted", "sensitive", "proprietary", "internal only")
| extend PrinterName = tostring(parse_json(AdditionalFields).PrinterName)
| project Timestamp, DeviceName, InitiatingProcessAccountName, DocumentName, PrinterName
| sort by Timestamp desc

---

Response Actions & Remediation

Immediate Containment Actions

Scenario	Action	Method
Active Exfiltration Detected	Block network access	Prisma Access / Firewall
Insider Threat Confirmed	Disable account	Entra ID + AD
USB Exfiltration	Block USB ports	MDE device policy
Cloud Sharing Active	Revoke sharing permissions	SharePoint Admin
Email Exfiltration	Block outbound email	Exchange transport rule
Compromised Account	Reset credentials, revoke sessions	Entra ID
Malware-Based Exfil	Isolate endpoint	MDE device isolation

Account Containment

# Disable Entra ID account
Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false

# Revoke all sessions
Revoke-MgUserSignInSession -UserId "user@domain.com"

# Block sign-in (Conditional Access)
# Create CA policy blocking specific user

# Disable on-premises AD account
Disable-ADAccount -Identity "username"

Data Access Revocation

# Connect to SharePoint Online
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com

# Remove all sharing for a specific file/folder
# (Requires specific file/site context)

# Revoke anonymous links
# Via SharePoint Admin Center or PowerShell

# Remove external sharing for user's OneDrive
Set-SPOSite -Identity "https://yourtenant-my.sharepoint.com/personal/user_domain_com" -SharingCapability Disabled

Email Containment

# Block user from sending email
Set-Mailbox -Identity "user@domain.com" -MessageCopyForSentAsEnabled $false
Set-TransportRule -Name "Block User Outbound" -From "user@domain.com" -DeleteMessage $true

# Remove forwarding
Set-Mailbox -Identity "user@domain.com" -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Remove inbox rules
Get-InboxRule -Mailbox "user@domain.com" | Remove-InboxRule -Confirm:$false

Endpoint Containment

# Block USB via Intune/MDE
# Configure Device Control policies in MDE

# Isolate device via MDE
# Via Security Center portal or API

# Block network access
# Via Prisma Access / Firewall rules

Evidence Preservation

Critical Evidence to Preserve

Evidence Type	Source	Retention
File access logs	MDE, SharePoint, OneDrive	Export immediately
Network logs	Prisma Access, MDE	Export immediately
Email logs	Exchange, MDO	Export/hold
Sign-in logs	Entra ID	Export immediately
Audit logs	Unified Audit Log	Export immediately
Endpoint forensics	MDE Live Response	Collect if needed
DLP alerts	Purview	Document

Evidence Collection Script

# Create evidence directory
$evidencePath = "C:\IR_Exfil_Evidence_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $evidencePath -Force

# Export Unified Audit Log
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date
$userId = "suspect@domain.com"

Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $userId -ResultSize 5000 |
    Export-Csv "$evidencePath\UnifiedAuditLog.csv" -NoTypeInformation

# Export sign-in logs (via Graph)
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$userId'" -Top 1000
$signIns | Export-Csv "$evidencePath\SignInLogs.csv" -NoTypeInformation

# Export mailbox audit log
Search-MailboxAuditLog -Identity $userId -StartDate $startDate -EndDate $endDate -ShowDetails |
    Export-Csv "$evidencePath\MailboxAuditLog.csv" -NoTypeInformation

# Compress evidence
Compress-Archive -Path $evidencePath -DestinationPath "$evidencePath.zip" -Force

Write-Host "Evidence collected to: $evidencePath.zip"

---

Quick Reference Cards

Exfiltration Indicator Checklist

File Activity Red Flags

• [ ] Mass file access (>100 files/hour)

• [ ] Access to files outside normal scope

• [ ] Archive creation (ZIP, RAR, 7z)

• [ ] Large archives (>100MB)

• [ ] File access during off-hours

• [ ] Access spike before leaving

• [ ] Renamed file extensions

• [ ] Access to backup/export folders

Network Red Flags

• [ ] Large outbound transfers (>100MB)

• [ ] Transfers to file sharing sites

• [ ] Non-standard port usage

• [ ] DNS query anomalies (length, volume)

• [ ] Encrypted traffic to unknown IPs

• [ ] After-hours data transfers

• [ ] Traffic to paste sites

• [ ] C2-like beaconing patterns

Email Red Flags

• [ ] Large attachments to external

• [ ] Emails to personal accounts

• [ ] Password-protected attachments

• [ ] Bulk external emails

• [ ] Forwarding rules to external

• [ ] Unusual attachment types

• [ ] Emails to competitors

Cloud Storage Red Flags

• [ ] Bulk downloads from SharePoint

• [ ] External sharing of sensitive files

• [ ] Anonymous link creation

• [ ] Sync to unmanaged devices

• [ ] Personal cloud app usage

• [ ] Third-party OAuth access

• [ ] Sharing with personal accounts

Endpoint Red Flags

• [ ] USB device connections

• [ ] Files copied to removable media

• [ ] Mass printing

• [ ] Bluetooth transfers

• [ ] Screen capture tools

• [ ] Clipboard history abuse

• [ ] Screenshot of sensitive data

Data Classification Quick Reference

Classification	Examples	Handling
Public	Marketing materials, press releases	No restrictions
Internal	General business docs, policies	Internal only
Confidential	Financial reports, contracts	Need-to-know
Restricted	PII, PHI, trade secrets	Strict controls
Top Secret	M&A, strategic plans	Executive only

Common Exfiltration Tools

Tool	Type	Indicators
rclone	Cloud sync	rclone.exe, config files
WinSCP	SFTP/SCP	winscp.exe, .ini files
FileZilla	FTP	filezilla.exe, sitemanager.xml
MegaSync	Cloud	megasync.exe
Dropbox	Cloud sync	Dropbox.exe
Google Drive	Cloud sync	googledrivesync.exe
curl/wget	HTTP transfer	curl.exe, wget.exe
PowerShell	Various	Invoke-WebRequest, Upload
certutil	Encode/Decode	-encode, -decode flags
bitsadmin	Download	/transfer command

Regulatory Considerations

Data Type	Regulations	Notification Requirements
PII (US)	State breach laws	Varies by state (typically 30-60 days)
PII (EU)	GDPR	72 hours to authority
PHI	HIPAA	60 days
Financial	GLBA, SOX	Varies
PCI	PCI-DSS	Varies by contract
Government	FISMA, FedRAMP	Immediate to 24 hours

---

Escalation Matrix

Severity Classification

Severity	Criteria	Response Time
🔴 Critical	Active exfiltration of critical data, confirmed insider threat, ransomware exfil before encryption	Immediate - 15 min
🟠 High	Large data transfer detected, sensitive data exposed externally, departing employee with data	30 min - 1 hour
🟡 Medium	DLP policy violations, unusual access patterns, potential data staging	4 hours
🟢 Low	Minor policy violations, blocked exfil attempts, awareness issues	Next business day

Escalation Triggers

Condition	Escalation Level
Confirmed exfil of restricted data	DFIR + Legal + CISO
PII/PHI data exposed	DFIR + Legal + Privacy Officer
Intellectual property theft	DFIR + Legal + Business Owner
Active insider threat	DFIR + HR + Legal
Ransomware exfiltration	DFIR + CISO + Leadership
Customer data exposed	DFIR + Legal + Customer Success
>1GB confirmed exfiltrated	Tier 2 SOC + DFIR
Regulatory data involved	Legal + Compliance + Privacy

External Notifications

Scenario	Notify	Timeline
PII breach (US)	State AG offices	Per state law (30-60 days typical)
PII breach (EU)	Data Protection Authority	72 hours
PHI breach	HHS OCR	60 days (or 60 days for <500 individuals)
PCI breach	Card brands, acquirer	Immediately
Government data	Relevant agency	Per contract/regulation
Cyber insurance	Carrier	Per policy (usually 24-72 hours)

---

MITRE ATT&CK Mapping

Exfiltration (TA0010)

Technique	ID	Description	Detection
Exfiltration Over C2 Channel	T1041	Using existing C2	DeviceNetworkEvents, C2 patterns
Exfiltration Over Alternative Protocol	T1048	DNS, ICMP tunneling	DeviceNetworkEvents, DNS logs
Exfiltration Over Web Service	T1567	Cloud storage upload	CloudAppEvents
Exfiltration Over Web Service: Cloud Storage	T1567.002	Dropbox, Google Drive, etc.	CloudAppEvents, DeviceNetworkEvents
Exfiltration Over Physical Medium	T1052	USB, external drives	DeviceEvents (PnP)
Automated Exfiltration	T1020	Scripted data theft	DeviceProcessEvents
Scheduled Transfer	T1029	Timed exfiltration	DeviceNetworkEvents (time analysis)
Data Transfer Size Limits	T1030	Chunking data	DeviceNetworkEvents (patterns)
Transfer Data to Cloud Account	T1537	To attacker cloud	CloudAppEvents

Collection (TA0009) - Pre-Exfiltration

Technique	ID	Description	Detection
Archive Collected Data	T1560	ZIP, RAR creation	DeviceFileEvents, DeviceProcessEvents
Archive via Utility	T1560.001	Using compression tools	DeviceProcessEvents
Archive via Library	T1560.002	Programmatic compression	DeviceProcessEvents
Data from Local System	T1005	Local file collection	DeviceFileEvents
Data from Network Shared Drive	T1039	Shared drive access	DeviceFileEvents, Event 5140
Data from Cloud Storage	T1530	Cloud data collection	CloudAppEvents
Data Staged: Local Staging	T1074.001	Staging before exfil	DeviceFileEvents
Data Staged: Remote Staging	T1074.002	Remote staging	DeviceFileEvents
Email Collection	T1114	Collecting email data	OfficeActivity
Screen Capture	T1113	Screenshots	DeviceProcessEvents
Clipboard Data	T1115	Clipboard content	DeviceEvents

Related Techniques

Tactic	Technique	ID	Relevance
Defense Evasion	Obfuscated Files	T1027	Encrypting before exfil
Defense Evasion	Indicator Removal	T1070	Deleting evidence
Impact	Data Encrypted for Impact	T1486	Ransomware with exfil

---

Appendix: Investigation Commands

File Access Analysis

# Get recent file access by user (requires auditing enabled)
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4663
} -MaxEvents 1000 | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[1].Value
        Object = $_.Properties[6].Value
        AccessMask = $_.Properties[8].Value
        Process = $_.Properties[11].Value
    }
} | Where-Object {$_.User -eq "DOMAIN\username"}

# Find large files created recently
Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {$_.Length -gt 100MB -and $_.CreationTime -gt (Get-Date).AddDays(-7)} |
    Select-Object FullName, @{N='SizeMB';E={$_.Length/1MB}}, CreationTime |
    Sort-Object SizeMB -Descending

# Find archive files
Get-ChildItem -Path C:\Users -Recurse -Include *.zip,*.rar,*.7z -ErrorAction SilentlyContinue |
    Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)} |
    Select-Object FullName, @{N='SizeMB';E={[math]::Round($_.Length/1MB,2)}}, CreationTime

Network Transfer Analysis

# Get network connections with high data transfer
Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'} |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress = $_.LocalAddress
            LocalPort = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort = $_.RemotePort
            ProcessName = $proc.Name
            ProcessPath = $proc.Path
        }
    } | Where-Object {$_.RemoteAddress -notmatch "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"}

# Check DNS client cache for suspicious domains
Get-DnsClientCache | Where-Object {$_.Entry -notmatch "\.(microsoft|windows|office|azure)\.com$"} |
    Select-Object Entry, Data, TimeToLive

Cloud Activity Analysis

# Using Microsoft Graph to get sign-in activity
Connect-MgGraph -Scopes "AuditLog.Read.All"

$userId = "user@domain.com"
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$userId'" -Top 100

$signIns | Select-Object CreatedDateTime, AppDisplayName, IpAddress, 
    @{N='Location';E={"$($_.Location.City), $($_.Location.CountryOrRegion)"}},
    @{N='Device';E={$_.DeviceDetail.DisplayName}},
    Status

# Get user's OAuth app consents
$user = Get-MgUser -UserId $userId
Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object {
    $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [PSCustomObject]@{
        AppName = $app.DisplayName
        Scopes = $_.Scope
        ConsentType = $_.ConsentType
    }
}

Email Analysis

# Connect to Exchange Online
Connect-ExchangeOnline

# Get outbound emails with attachments
$startDate = (Get-Date).AddDays(-7)
$endDate = Get-Date
$sender = "user@domain.com"

Get-MessageTrace -SenderAddress $sender -StartDate $startDate -EndDate $endDate |
    Where-Object {$_.ToIP -ne $null} |
    Select-Object Received, Subject, RecipientAddress, Size, Status

# Check for forwarding rules
Get-InboxRule -Mailbox "user@domain.com" | 
    Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo} |
    Select-Object Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled

# Check mailbox forwarding
Get-Mailbox -Identity "user@domain.com" | 
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

USB/Removable Media Analysis

# Get USB device history from registry
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" |
    Select-Object FriendlyName, ContainerID, @{N='LastConnected';E={
        $_.PSPath -match 'USBSTOR\\(.+)\\(.+)$'
        $deviceId = $Matches[2]
        $lastWrite = (Get-Item "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\$($Matches[1])\$deviceId").LastWriteTime
        $lastWrite
    }}

# Get recent removable drive events from event log
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    ID = 2003, 2100, 2101
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

Comprehensive User Activity Export

# Comprehensive user activity collection for investigation
$userId = "suspect@domain.com"
$outputPath = "C:\Investigation_$($userId.Replace('@','_').Replace('.','_'))_$(Get-Date -Format 'yyyyMMdd')"
New-Item -ItemType Directory -Path $outputPath -Force

# Export Unified Audit Log
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

Write-Host "Exporting Unified Audit Log..."
$auditLogs = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $userId -ResultSize 5000
$auditLogs | Export-Csv "$outputPath\UnifiedAuditLog.csv" -NoTypeInformation

Write-Host "Exporting Sign-In Logs..."
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$userId'" -Top 1000
$signIns | Export-Csv "$outputPath\SignInLogs.csv" -NoTypeInformation

Write-Host "Exporting Email Activity..."
Connect-ExchangeOnline -ShowBanner:$false
$messages = Get-MessageTrace -SenderAddress $userId -StartDate $startDate -EndDate $endDate
$messages | Export-Csv "$outputPath\SentEmails.csv" -NoTypeInformation

$received = Get-MessageTrace -RecipientAddress $userId -StartDate $startDate -EndDate $endDate
$received | Export-Csv "$outputPath\ReceivedEmails.csv" -NoTypeInformation

Write-Host "Exporting Inbox Rules..."
$rules = Get-InboxRule -Mailbox $userId
$rules | Export-Csv "$outputPath\InboxRules.csv" -NoTypeInformation

Write-Host "Exporting Mailbox Configuration..."
$mailbox = Get-Mailbox -Identity $userId
$mailbox | Select-Object * | Export-Csv "$outputPath\MailboxConfig.csv" -NoTypeInformation

Write-Host "Creating summary..."
$summary = @"
Investigation Summary
=====================
User: $userId
Export Date: $(Get-Date)
Date Range: $startDate to $endDate

Files Exported:
- UnifiedAuditLog.csv: $($auditLogs.Count) records
- SignInLogs.csv: $($signIns.Count) records
- SentEmails.csv: $($messages.Count) records
- ReceivedEmails.csv: $($received.Count) records
- InboxRules.csv: $($rules.Count) records
- MailboxConfig.csv: Mailbox configuration

Notes:
- Review for unusual activity patterns
- Check sign-in locations and devices
- Review email recipients and attachments
- Check inbox rules for forwarding
"@
$summary | Out-File "$outputPath\Summary.txt"

Write-Host "Compressing evidence..."
Compress-Archive -Path $outputPath -DestinationPath "$outputPath.zip" -Force

Write-Host "Evidence collection complete: $outputPath.zip"

---

Prevention & Hardening

DLP Policy Recommendations

Policy	Scope	Action
Credit Card Numbers	Email, SharePoint, Endpoints	Block external sharing, notify
SSN/National ID	All locations	Block external, alert SOC
Health Records (PHI)	All locations	Block external, encrypt
Source Code	Endpoints, Cloud	Block USB, alert on cloud upload
Financial Reports	SharePoint, Email	Block external sharing
Customer PII	All locations	Block external, log all access

Endpoint Controls

Control	Purpose	Implementation
USB Blocking	Prevent removable media exfil	MDE Device Control
Cloud App Control	Block unsanctioned apps	MDCA + Prisma Access
Print Restrictions	Prevent print exfil	GPO / Intune
Clipboard Control	Prevent copy/paste	Application Guard
Screen Capture Block	Prevent screenshots	Information Protection

Network Controls

Control	Purpose	Implementation
Egress Filtering	Block unauthorized transfers	Prisma Access
Category Blocking	Block file sharing sites	URL Filtering
Data Transfer Limits	Alert on large uploads	Network monitoring
DNS Monitoring	Detect tunneling	DNS security
SSL Inspection	Visibility into encrypted traffic	Prisma Access

---

🔒 Critical Reminder: Data exfiltration investigations often have legal, HR, and regulatory implications. Always coordinate with Legal and HR before taking action on insider threat cases. Preserve evidence meticulously with documented chain of custody. Be aware of privacy regulations that may affect investigation methods in different jurisdictions. Time is critical—once data leaves the organization, recovery may be impossible.