# Data Exfiltration Investigation Runbook ## SOC & DFIR Operations Guide **Environment:** Windows AD | Microsoft 365 | Defender XDR | Sentinel | Entra ID | Palo Alto Prisma Access. *** ## Overview & Scope This runbook provides standardised procedures for investigating data exfiltration attacks across the hybrid enterprise environment. Data exfiltration is a critical phase in the attack lifecycle where adversaries steal sensitive data from the organisation, often representing the primary objective of sophisticated attacks. ### What is Data Exfiltration? Data exfiltration (also known as data theft, data extrusion, or data leakage) is the unauthorised transfer of data from an organisation. It can be performed by external threat actors who have compromised the environment or by malicious insiders abusing their legitimate access. **Key Considerations:** * Exfiltration is often the final stage before an attack is discovered * Data theft may occur over extended periods (low and slow) * Ransomware actors increasingly exfiltrate before encrypting (double extortion) * Insider threats may use legitimate tools and access * Cloud services create new exfiltration vectors ### Data at Risk Categories

Category	Examples	Sensitivity
Personally Identifiable Information (PII)	SSN, addresses, phone numbers, DOB	High
Protected Health Information (PHI)	Medical records, insurance data	Critical
Financial Data	Credit cards, bank accounts, financial reports	Critical
Intellectual Property	Source code, patents, trade secrets, designs	Critical
Customer Data	Customer lists, contracts, communications	High
Employee Data	HR records, salaries, performance reviews	High
Authentication Data	Passwords, keys, certificates, tokens	Critical
Strategic Information	M&A plans, business strategies, pricing	High
Legal/Compliance	Legal holds, audit data, compliance reports	High

### Exfiltration Methods #### By Channel

Channel	Description	Detection Difficulty
Network (Unencrypted)	HTTP, FTP, SMB to external	Low
Network (Encrypted)	HTTPS, SFTP, encrypted tunnels	Medium-High
Email	Attachments, body content	Low-Medium
Cloud Storage	OneDrive, Dropbox, Google Drive, etc.	Medium
Removable Media	USB drives, external HDD	Medium
Physical	Printed documents, photos of screens	High
Covert Channels	DNS tunneling, steganography, ICMP	High
Application-Based	Messaging apps, file sharing apps	Medium

#### By Technique

Technique	Description	MITRE ID
Exfiltration Over C2	Using existing C2 channel	T1041
Exfiltration Over Web Service	Cloud storage, paste sites	T1567
Exfiltration Over Alternative Protocol	DNS, ICMP, non-standard ports	T1048
Automated Exfiltration	Scheduled/triggered data theft	T1020
Data Transfer Size Limits	Chunking to avoid detection	T1030
Scheduled Transfer	Off-hours to avoid detection	T1029
Exfiltration Over Physical Medium	USB, external drives	T1052
Exfiltration Over Bluetooth	Wireless data transfer	T1011.001

#### By Actor Type

Actor	Motivation	Typical Methods
External Threat Actor	Espionage, extortion, sale	C2, cloud upload, encrypted
Ransomware Operator	Double extortion leverage	Bulk transfer, cloud upload
Nation-State	Intelligence gathering	Low and slow, covert channels
Malicious Insider	Financial gain, revenge	Email, USB, cloud sync
Negligent Insider	Convenience, lack of awareness	Email, personal cloud
Departing Employee	Taking work, competitive advantage	USB, personal email, cloud

### Data Exfiltration Lifecycle ```bash 1. Target Identification └── Identify valuable data locations, access methods 2. Access & Collection ├── Access file shares, databases, cloud storage ├── Search for sensitive content └── Stage data for exfiltration 3. Preparation ├── Compress/archive data ├── Encrypt to avoid DLP └── Split into smaller chunks 4. Exfiltration ├── Transfer via chosen channel ├── May occur over extended period └── Often during off-hours 5. Covering Tracks ├── Delete staging files ├── Clear logs └── Remove access artifacts ``` *** ## Detection Sources & Data Mapping ### Log Sources Matrix

Platform	Log Table	Exfiltration-Relevant Data
Defender for Endpoint	`DeviceFileEvents`	File access, copy, archive creation
Defender for Endpoint	`DeviceNetworkEvents`	Outbound transfers, DNS queries
Defender for Endpoint	`DeviceEvents`	USB activity, Bluetooth, print
Defender for Endpoint	`DeviceProcessEvents`	Compression tools, exfil utilities
Cloud Apps	`CloudAppEvents`	Cloud storage uploads, sharing
Exchange Online	`EmailEvents`, `EmailAttachmentInfo`	Email with attachments
SharePoint/OneDrive	`OfficeActivity`	Downloads, sharing, sync
Purview	`DlpAll`	DLP policy matches
Purview	`InsiderRiskManagement`	Insider risk alerts
Sentinel	`AzureActivity`	Azure resource data access
Sentinel	`ThreatIntelligenceIndicator`	Known exfil infrastructure
Prisma Access	`PaloAltoPrismaAccess`	Network transfers, URL categories
Entra ID	`SigninLogs`, `AuditLogs`	Application access patterns

### Critical Event Categories #### File Operations | Event Type | Description | Risk Indicator | | -------------------------------- | ---------------------------- | ------------------------------- | | **Mass file access** | Bulk file opens/reads | High volume in short time | | **Archive creation** | ZIP, RAR, 7z creation | Large archives, sensitive paths | | **File copy to removable** | Copy to USB/external | Any sensitive data | | **File rename/extension change** | Disguising files | Hiding data type | | **Sensitive file access** | Labeled/classified files | Unusual accessor or volume | | **File download from cloud** | SharePoint/OneDrive download | Bulk downloads | #### Network Activity | Event Type | Description | Risk Indicator | | ----------------------------- | ------------------------ | ------------------------------ | | **Large outbound transfers** | High upload volume | Unusual destination | | **Transfers to file sharing** | Cloud storage uploads | Personal accounts | | **DNS tunneling** | Data in DNS queries | High volume, long queries | | **Non-standard ports** | Data on unusual ports | Encrypted traffic on odd ports | | **Known bad destinations** | C2, paste sites | Threat intel matches | | **After-hours transfers** | Off-peak large transfers | Unusual for user | #### Email Activity | Event Type | Description | Risk Indicator | | --------------------------- | ------------------------ | ------------------------ | | **Large attachments** | Files over threshold | Unusual for sender | | **Sensitive attachments** | Labeled files attached | External recipients | | **Personal email forwards** | Forwarding to personal | Any corporate data | | **Bulk email to external** | Many external recipients | Data in body/attachments | | **Encrypted attachments** | Password-protected files | Avoiding DLP | #### Cloud Activity | Event Type | Description | Risk Indicator | | --------------------------- | ------------------------- | --------------------- | | **External sharing** | Sharing with outside org | Sensitive content | | **Anonymous links** | Anyone with link access | Sensitive files | | **Sync to personal device** | OneDrive/SharePoint sync | Unmanaged devices | | **Third-party app access** | OAuth apps accessing data | Excessive permissions | | **Bulk downloads** | Mass file downloads | Unusual volume | ### Windows Event IDs

Event ID	Log	Description	Relevance
4663	Security	Object access attempt	File access tracking
4656	Security	Handle to object requested	File access audit
4658	Security	Handle closed	File operation complete
4660	Security	Object deleted	Evidence destruction
4670	Security	Permissions changed	Access modification
5140	Security	Network share accessed	Share enumeration
5145	Security	Share object access check	File share access
6416	Security	External device recognized	USB detection
4688	Security	Process creation	Archive tools
307	PrintService	Document printed	Print exfiltration

*** ## Investigation Workflows ### General Data Exfiltration Investigation **Objective:** Identify, scope, and contain data exfiltration, determine what data was stolen, and assess impact. #### Step 1: Initial Triage 1. Identify the alert source (DLP, UEBA, network, endpoint) 2. Determine the user/account involved 3. Identify the data type/sensitivity flagged 4. Check for related alerts or incidents 5. Assess initial scope and urgency #### Step 2: User Context Analysis 1. Review user's role and normal data access 2. Check employment status (departing, notice period) 3. Review recent HR flags or performance issues 4. Identify if user has legitimate business need 5. Check for prior security incidents #### Step 3: Activity Timeline Construction 1. Query all data access for user (7-30 days) 2. Identify anomalous access patterns 3. Document file types and sensitivity 4. Map access to exfiltration attempts 5. Correlate with authentication events #### Step 4: Exfiltration Channel Identification 1. Review network connections and transfers 2. Check email for attachments/forwards 3. Review cloud storage activity 4. Check for removable media usage 5. Review print activity #### Step 5: Data Impact Assessment 1. Identify all data potentially exfiltrated 2. Classify data by sensitivity level 3. Determine regulatory implications (PII, PHI, PCI) 4. Assess business impact 5. Document for legal/compliance #### Step 6: Scope Expansion 1. Check for similar activity by other users 2. Search for data on known bad destinations 3. Review shared infrastructure/access 4. Check for accomplices or shared accounts 5. Assess if part of larger compromise *** ### Cloud Storage Exfiltration Investigation **Objective:** Investigate data theft via cloud storage services (OneDrive, SharePoint, Dropbox, Google Drive, etc.). #### Detection Indicators * Large volume file downloads from SharePoint/OneDrive * Syncing to unmanaged/personal devices * External sharing of sensitive files * Anonymous link creation for sensitive content * Personal cloud storage app usage * Bulk downloads before account changes #### Investigation Steps 1. **Identify Cloud Activity** * Query CloudAppEvents for upload/download activity * Check OfficeActivity for SharePoint/OneDrive operations * Review Shadow IT usage via MDCA * Identify personal vs. corporate accounts 2. **Analyse Access Patterns** * Compare to baseline access behaviour * Check for bulk operations * Identify accessed file sensitivity * Review timing (off-hours, last day) 3. **External Sharing Review** * List all external shares by user * Check for anonymous links created * Review share recipients * Identify sensitive content shared 4. **Sync Activity Analysis** * Check for OneDrive sync to personal devices * Review device registration status * Identify unmanaged device syncs * Check for selective sync of sensitive folders 5. **Third-Party Cloud Apps** * Review OAuth app authorisations * Check for data access by apps * Identify personal cloud storage apps * Review MDCA sanctioned/unsanctioned apps *** ### Email-Based Exfiltration Investigation **Objective:** Investigate data theft via email attachments or body content. #### Detection Indicators * Emails with large attachments to external recipients * Sensitive files attached to personal email * Password-protected attachments (DLP bypass) * Bulk email to external addresses * Auto-forward rules to external addresses * Email to known personal accounts #### Investigation Steps 1. **Email Pattern Analysis** * Query EmailEvents for external sends * Review attachment sizes and types * Check for DLP policy matches * Identify unusual recipients 2. **Attachment Analysis** * Review EmailAttachmentInfo for details * Check file types and names * Identify sensitive content indicators * Review if encrypted/password-protected 3. **Forwarding Rules Review** * Check for inbox rules forwarding externally * Review mailbox forwarding configuration * Identify delegates with forward permissions * Check mobile device forwarding 4. **Recipient Analysis** * Categorise recipients (personal, competitor, unknown) * Check for first-time recipients * Review recipient domains * Identify patterns in recipients *** ### Endpoint-Based Exfiltration Investigation **Objective:** Investigate data theft via endpoint methods (USB, Bluetooth, print, local storage). #### Detection Indicators * USB device connections * Large file copies to removable media * Bluetooth file transfers * Mass printing activity * Archive creation with sensitive files * Airdrop or similar local transfers #### Investigation Steps 1. **Removable Media Analysis** * Query DeviceEvents for USB connections * Identify device types and serial numbers * Review files copied to devices * Check for encrypted transfers 2. **Archive/Compression Activity** * Query for ZIP, RAR, 7z creation * Review archive contents if available * Check source directories * Identify password protection 3. **Print Activity** * Query print logs for document printing * Identify sensitive documents printed * Review print volume anomalies * Check print-to-file activity 4. **Local Transfer Methods** * Check for Bluetooth transfers * Review network sharing activity * Check for Airdrop (if applicable) * Review cloud sync client activity *** ### Network-Based Exfiltration Investigation **Objective:** Investigate data theft via network channels, including C2, web uploads, and covert channels. #### Detection Indicators * Large outbound data transfers * Transfers to unknown or suspicious IPs * Non-standard port usage * DNS tunnelling patterns * ICMP data transfer * Encrypted traffic to unusual destinations #### Investigation Steps 1. **Traffic Volume Analysis** * Query DeviceNetworkEvents for large transfers * Identify top talkers (bytes out) * Compare to baseline network usage * Check for sustained vs. burst transfers 2. **Destination Analysis** * Review destination IPs and domains * Check threat intelligence for IOCs * Identify known file sharing sites * Review geographic anomalies 3. **Protocol Analysis** * Check for non-standard ports * Review encrypted traffic destinations * Identify potential tunnelling (DNS, ICMP) * Check for C2 pattern indicators 4. **Prisma Access Analysis** * Review URL filtering logs * Check for file sharing categories * Identify blocked upload attempts * Review data transfer by application *** ### Insider Threat Investigation **Objective:** Investigate potential malicious insider data theft with sensitivity to HR and legal requirements. #### Pre-Investigation Considerations > ⚠️ **Important:** Insider threat investigations are sensitive. Before proceeding: > > * Coordinate with HR and Legal > * Follow established insider threat procedures > * Maintain confidentiality > * Document chain of custody > * Consider union/works council requirements #### Risk Indicators | Indicator | Category | Weight | | -------------------------- | ---------- | ---------- | | Resignation submitted | Employment | High | | Performance issues | HR | Medium | | Passed over for promotion | HR | Medium | | Working unusual hours | Behavioral | Low-Medium | | Excessive data access | Technical | High | | USB usage increase | Technical | Medium | | Email to personal accounts | Technical | High | | Accessing unrelated data | Technical | High | #### Investigation Steps 1. **Context Gathering** * Coordinate with HR on employment status * Review role and normal data access needs * Check for known grievances or issues * Identify access to sensitive data 2. **Behavioral Analysis** * Compare recent activity to baseline * Identify access pattern changes * Review login times and locations * Check for policy violations 3. **Data Access Review** * Query all file access (extended timeline) * Identify access outside normal scope * Review search queries if available * Check for bulk download patterns 4. **Exfiltration Channel Review** * Check all potential exfil channels * Review email to personal addresses * Check USB and removable media * Review cloud storage activity * Check print logs 5. **Evidence Preservation** * Preserve logs with timestamps * Document findings thoroughly * Maintain chain of custody * Prepare for potential legal action *** ## KQL Query Cheat Sheet ### File Access Analysis #### Mass File Access Detection {% code overflow="wrap" %} ```kusto DeviceFileEvents | where Timestamp > ago(24h) | where ActionType in ("FileRead", "FileOpen", "FileCopied") | summarize FileCount = count(), UniqueFiles = dcount(FileName), UniqueFolders = dcount(FolderPath), SensitiveFiles = countif(FolderPath has_any ("confidential", "secret", "hr", "finance", "legal")) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1h) | where FileCount > 100 or SensitiveFiles > 10 | sort by FileCount desc ``` {% endcode %} #### Sensitive File Access by Unusual Users {% code overflow="wrap" %} ```kusto let sensitiveLocations = dynamic(["\\HR\\", "\\Finance\\", "\\Legal\\", "\\Executive\\", "\\Confidential\\", "\\Secret\\"]); let baseline = DeviceFileEvents | where Timestamp between (ago(30d) .. ago(1d)) | where FolderPath has_any (sensitiveLocations) | summarize by InitiatingProcessAccountName, FolderPath; DeviceFileEvents | where Timestamp > ago(1d) | where FolderPath has_any (sensitiveLocations) | join kind=leftanti baseline on InitiatingProcessAccountName, FolderPath | summarize AccessCount = count(), Files = make_set(FileName, 20), Folders = make_set(FolderPath, 10) by InitiatingProcessAccountName, DeviceName | sort by AccessCount desc ``` {% endcode %} #### Archive Creation with Sensitive Files {% code overflow="wrap" %} ```kusto DeviceFileEvents | where Timestamp > ago(7d) | where ActionType == "FileCreated" | where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z" | extend FileSizeMB = FileSize / 1048576.0 | where FileSizeMB > 50 // Large archives | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FileSizeMB, FolderPath | join kind=leftouter ( DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in~ ("7z.exe", "winrar.exe", "winzip.exe", "powershell.exe", "tar.exe") | where ProcessCommandLine has_any (".zip", ".rar", ".7z", "Compress-Archive") | project ArchiveTime = Timestamp, DeviceName, ArchiveCommand = ProcessCommandLine ) on DeviceName | where abs(datetime_diff('minute', Timestamp, ArchiveTime)) < 5 | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FileSizeMB, ArchiveCommand ``` {% endcode %} #### File Copy to External Paths {% code overflow="wrap" %} ```kusto DeviceFileEvents | where Timestamp > ago(24h) | where ActionType in ("FileCreated", "FileModified", "FileCopied") | where FolderPath matches regex @"^[A-Z]:\\" and FolderPath !startswith "C:\\" // Non-C: drives or FolderPath startswith "\\\\" // Network paths or FolderPath has_any ("usb", "removable", "external") | summarize CopyCount = count(), TotalSizeMB = sum(FileSize) / 1048576.0, Files = make_set(FileName, 20) by DeviceName, InitiatingProcessAccountName, FolderPath | where CopyCount > 10 or TotalSizeMB > 100 | sort by TotalSizeMB desc ``` {% endcode %} *** ### USB/Removable Media Detection #### USB Device Connections ```kusto DeviceEvents | where Timestamp > ago(7d) | where ActionType == "PnpDeviceConnected" | extend DeviceDescription = tostring(parse_json(AdditionalFields).DeviceDescription) | extend DeviceId = tostring(parse_json(AdditionalFields).DeviceId) | where DeviceDescription has_any ("USB", "Mass Storage", "Removable") | summarize ConnectionCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Devices = make_set(DeviceDescription, 10) by DeviceName, InitiatingProcessAccountName | sort by ConnectionCount desc ``` #### Files Written to Removable Media ```kusto DeviceFileEvents | where Timestamp > ago(7d) | where ActionType in ("FileCreated", "FileModified") | where FolderPath matches regex @"^[D-Z]:\\" // Non-C: drives (potential USB) | where FolderPath !has "Program Files" and FolderPath !has "Windows" | summarize FileCount = count(), TotalSizeMB = sum(FileSize) / 1048576.0, FileTypes = make_set(tostring(split(FileName, ".")[-1]), 20) by DeviceName, InitiatingProcessAccountName, FolderPath | where FileCount > 20 or TotalSizeMB > 100 | sort by TotalSizeMB desc ``` *** ### Cloud Storage Exfiltration #### SharePoint/OneDrive Download Activity {% code overflow="wrap" %} ```kusto CloudAppEvents | where Timestamp > ago(7d) | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business") | where ActionType in ("FileDownloaded", "FileSyncDownloadedFull") | summarize DownloadCount = count(), UniqueFiles = dcount(ObjectName), TotalSize = sum(toint(RawEventData.FileSizeBytes)) / 1048576.0 by AccountDisplayName, AccountObjectId, bin(Timestamp, 1d) | where DownloadCount > 100 or TotalSize > 500 | sort by DownloadCount desc ``` {% endcode %} #### External Sharing Detection {% code overflow="wrap" %} ```kusto CloudAppEvents | where Timestamp > ago(7d) | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business") | where ActionType in ("SharingSet", "AddedToSecureLink", "AnonymousLinkCreated", "SharingInvitationCreated") | extend SharedWith = tostring(parse_json(RawEventData).TargetUserOrGroupName) | extend FileName = tostring(ObjectName) | where SharedWith !endswith "yourdomain.com" or isempty(SharedWith) | project Timestamp, AccountDisplayName, ActionType, FileName, SharedWith, FolderPath = tostring(parse_json(RawEventData).ObjectId) | sort by Timestamp desc ``` {% endcode %} #### Anonymous Link Creation {% code overflow="wrap" %} ```kusto CloudAppEvents | where Timestamp > ago(7d) | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business") | where ActionType == "AnonymousLinkCreated" | extend FileName = tostring(ObjectName) | extend LinkScope = tostring(parse_json(RawEventData).EventData) | project Timestamp, AccountDisplayName, FileName, LinkScope, IPAddress | sort by Timestamp desc ``` {% endcode %} #### Third-Party Cloud Storage Usage {% code overflow="wrap" %} ```kusto CloudAppEvents | where Timestamp > ago(7d) | where Application in ("Dropbox", "Google Drive", "Box", "WeTransfer", "iCloud", "pCloud") | where ActionType has_any ("upload", "create", "share") | summarize ActivityCount = count(), Actions = make_set(ActionType, 10), Files = make_set(ObjectName, 20) by AccountDisplayName, Application, bin(Timestamp, 1d) | sort by ActivityCount desc ``` {% endcode %} *** ### Email Exfiltration Detection #### Large Attachments to External Recipients ```kusto EmailEvents | where Timestamp > ago(7d) | where EmailDirection == "Outbound" | where RecipientEmailAddress !endswith "yourdomain.com" | join kind=inner ( EmailAttachmentInfo | where Timestamp > ago(7d) | where FileSize > 5000000 // > 5MB ) on NetworkMessageId | summarize EmailCount = count(), TotalAttachmentSizeMB = sum(FileSize) / 1048576.0, Recipients = make_set(RecipientEmailAddress, 20), Attachments = make_set(FileName, 20) by SenderFromAddress, bin(Timestamp, 1d) | where TotalAttachmentSizeMB > 50 | sort by TotalAttachmentSizeMB desc ``` #### Emails to Personal Domains {% code overflow="wrap" %} ```kusto let personalDomains = dynamic(["gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com", "icloud.com", "protonmail.com", "mail.com"]); EmailEvents | where Timestamp > ago(7d) | where EmailDirection == "Outbound" | extend RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1]) | where RecipientDomain in (personalDomains) | join kind=leftouter EmailAttachmentInfo on NetworkMessageId | summarize EmailCount = count(), WithAttachments = countif(isnotempty(FileName)), TotalSizeMB = sum(FileSize) / 1048576.0, Recipients = make_set(RecipientEmailAddress, 10) by SenderFromAddress | where EmailCount > 10 or WithAttachments > 5 | sort by WithAttachments desc ``` {% endcode %} #### Password-Protected Attachments (DLP Bypass) {% code overflow="wrap" %} ```kusto EmailAttachmentInfo | where Timestamp > ago(7d) | where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar" | join kind=inner ( EmailEvents | where Timestamp > ago(7d) | where EmailDirection == "Outbound" | where RecipientEmailAddress !endswith "yourdomain.com" ) on NetworkMessageId | where FileType == "zip" or tostring(ThreatTypes) has "encrypted" | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, FileSize | sort by Timestamp desc ``` {% endcode %} *** ### Network Exfiltration Detection #### Large Outbound Transfers {% code overflow="wrap" %} ```kusto DeviceNetworkEvents | where Timestamp > ago(24h) | where ActionType == "ConnectionSuccess" | where RemoteIPType == "Public" | where LocalIP startswith "10." or LocalIP startswith "192.168." or LocalIP startswith "172." | summarize TotalBytesSent = sum(SentBytes), TotalBytesReceived = sum(ReceivedBytes), ConnectionCount = count(), UniqueDestinations = dcount(RemoteIP), TopDestinations = make_set(RemoteIP, 10) by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h) | extend SentMB = TotalBytesSent / 1048576.0 | where SentMB > 100 | sort by SentMB desc ``` {% endcode %} #### Transfers to File Sharing Sites ```kusto let fileSharingSites = dynamic([ "dropbox.com", "drive.google.com", "wetransfer.com", "sendspace.com", "mediafire.com", "mega.nz", "box.com", "pcloud.com", "sync.com", "file.io", "gofile.io", "anonfiles.com", "transfer.sh" ]); DeviceNetworkEvents | where Timestamp > ago(7d) | where ActionType == "ConnectionSuccess" | where RemoteUrl has_any (fileSharingSites) | summarize Connections = count(), TotalBytesSent = sum(SentBytes), Sites = make_set(RemoteUrl, 10) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName | extend SentMB = TotalBytesSent / 1048576.0 | where SentMB > 10 | sort by SentMB desc ``` #### DNS Tunnelling Detection ```kusto DeviceNetworkEvents | where Timestamp > ago(24h) | where ActionType == "DnsQueryResponse" | extend QueryLength = strlen(RemoteUrl) | extend Labels = countof(RemoteUrl, ".") | where QueryLength > 50 or Labels > 5 | summarize QueryCount = count(), AvgQueryLength = avg(QueryLength), MaxQueryLength = max(QueryLength), UniqueDomains = dcount(RemoteUrl) by DeviceName, InitiatingProcessFileName, bin(Timestamp, 1h) | where QueryCount > 100 or AvgQueryLength > 50 | sort by QueryCount desc ``` #### After-Hours Large Transfers ```kusto DeviceNetworkEvents | where Timestamp > ago(7d) | where ActionType == "ConnectionSuccess" | where RemoteIPType == "Public" | extend Hour = hourofday(Timestamp) | extend DayOfWeek = dayofweek(Timestamp) | where Hour < 6 or Hour > 22 or DayOfWeek in (0d, 6d) | summarize TotalBytesSent = sum(SentBytes), Connections = count(), Destinations = make_set(RemoteIP, 10) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName | extend SentMB = TotalBytesSent / 1048576.0 | where SentMB > 50 | sort by SentMB desc ``` *** ### Staging & Preparation Detection #### Data Staging Directory Detection {% code overflow="wrap" %} ```kusto DeviceFileEvents | where Timestamp > ago(7d) | where ActionType in ("FileCreated", "FileModified", "FileCopied") | where FolderPath has_any ("\\temp\\", "\\tmp\\", "\\staging\\", "\\export\\", "\\backup\\", "\\extract\\") or FolderPath matches regex @"C:\\Users\\[^\\]+\\Desktop\\[^\\]+" | summarize FileCount = count(), TotalSizeMB = sum(FileSize) / 1048576.0, FileTypes = make_set(tostring(split(FileName, ".")[-1]), 10), UniqueFiles = dcount(FileName) by DeviceName, InitiatingProcessAccountName, FolderPath | where FileCount > 50 or TotalSizeMB > 100 | sort by TotalSizeMB desc ``` {% endcode %} #### Compression Tool Usage {% code overflow="wrap" %} ```kusto DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in~ ("7z.exe", "7za.exe", "winrar.exe", "rar.exe", "winzip.exe", "zip.exe", "tar.exe") or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Compress-Archive", "ZipFile", "[System.IO.Compression")) | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine | sort by Timestamp desc ``` {% endcode %} #### Database Export Tools {% code overflow="wrap" %} ```kusto DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in~ ("sqlcmd.exe", "bcp.exe", "mysqldump.exe", "pg_dump.exe", "mongodump.exe", "exp.exe") or ProcessCommandLine has_any ("SELECT * FROM", "BULK INSERT", "INTO OUTFILE", "COPY TO") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine | sort by Timestamp desc ``` {% endcode %} *** ### DLP & Purview Alerts #### DLP Policy Matches ```kusto // If using Microsoft Purview DLP // This query structure depends on your DLP log ingestion DlpAll | where Timestamp > ago(7d) | where PolicyName != "" | summarize MatchCount = count(), Policies = make_set(PolicyName, 10), Locations = make_set(Location, 10) by User, bin(Timestamp, 1d) | where MatchCount > 5 | sort by MatchCount desc ``` #### Insider Risk Alerts {% code overflow="wrap" %} ```kusto // If using Microsoft Purview Insider Risk Management SecurityAlert | where TimeGenerated > ago(7d) | where ProviderName == "Insider Risk Management" | project TimeGenerated, AlertName, Description, UserPrincipalName = tostring(Entities[0].Name), Severity | sort by TimeGenerated desc ``` {% endcode %} *** ### User Behaviour Analysis #### User Data Access Baseline Comparison {% code overflow="wrap" %} ```kusto // Establish baseline let baseline = CloudAppEvents | where Timestamp between (ago(30d) .. ago(7d)) | where ActionType in ("FileDownloaded", "FileUploaded", "FileShared") | summarize BaselineAvgDaily = count() / 23.0 // 23 days of data by AccountDisplayName; // Compare recent activity CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("FileDownloaded", "FileUploaded", "FileShared") | summarize RecentAvgDaily = count() / 7.0 by AccountDisplayName | join kind=inner baseline on AccountDisplayName | extend Deviation = (RecentAvgDaily - BaselineAvgDaily) / BaselineAvgDaily * 100 | where Deviation > 200 // More than 200% increase | project AccountDisplayName, BaselineAvgDaily, RecentAvgDaily, DeviationPercent = round(Deviation, 2) | sort by DeviationPercent desc ``` {% endcode %} #### Departing Employee Monitoring {% code overflow="wrap" %} ```kusto // Assuming you have a list of departing employees let departingUsers = dynamic(["user1@domain.com", "user2@domain.com"]); union (CloudAppEvents | where Timestamp > ago(7d) | where AccountDisplayName in (departingUsers) | where ActionType in ("FileDownloaded", "FileUploaded", "FileShared", "FileCopied") | project Timestamp, User = AccountDisplayName, Activity = ActionType, Details = tostring(ObjectName), Source = "CloudApp"), (DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName in (departingUsers) | where ActionType in ("FileCreated", "FileCopied", "FileModified") | project Timestamp, User = InitiatingProcessAccountName, Activity = ActionType, Details = FileName, Source = "Endpoint"), (EmailEvents | where Timestamp > ago(7d) | where SenderFromAddress in (departingUsers) | where EmailDirection == "Outbound" | project Timestamp, User = SenderFromAddress, Activity = "EmailSent", Details = Subject, Source = "Email") | sort by Timestamp desc ``` {% endcode %} *** ### Print Activity Detection #### Mass Printing Detection ```kusto DeviceEvents | where Timestamp > ago(7d) | where ActionType == "PrintJobEvent" | extend DocumentName = tostring(parse_json(AdditionalFields).DocumentName) | extend PrinterName = tostring(parse_json(AdditionalFields).PrinterName) | extend PageCount = toint(parse_json(AdditionalFields).PageCount) | summarize PrintJobs = count(), TotalPages = sum(PageCount), UniqueDocuments = dcount(DocumentName), Printers = make_set(PrinterName, 5) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1d) | where TotalPages > 100 or UniqueDocuments > 20 | sort by TotalPages desc ``` #### Sensitive Document Printing {% code overflow="wrap" %} ```kusto DeviceEvents | where Timestamp > ago(7d) | where ActionType == "PrintJobEvent" | extend DocumentName = tostring(parse_json(AdditionalFields).DocumentName) | where DocumentName has_any ("confidential", "secret", "restricted", "sensitive", "proprietary", "internal only") | extend PrinterName = tostring(parse_json(AdditionalFields).PrinterName) | project Timestamp, DeviceName, InitiatingProcessAccountName, DocumentName, PrinterName | sort by Timestamp desc ``` {% endcode %} *** ## Response Actions & Remediation ### Immediate Containment Actions | Scenario | Action | Method | | -------------------------------- | ---------------------------------- | ------------------------ | | **Active Exfiltration Detected** | Block network access | Prisma Access / Firewall | | **Insider Threat Confirmed** | Disable account | Entra ID + AD | | **USB Exfiltration** | Block USB ports | MDE device policy | | **Cloud Sharing Active** | Revoke sharing permissions | SharePoint Admin | | **Email Exfiltration** | Block outbound email | Exchange transport rule | | **Compromised Account** | Reset credentials, revoke sessions | Entra ID | | **Malware-Based Exfil** | Isolate endpoint | MDE device isolation | ### Account Containment ```powershell # Disable Entra ID account Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false # Revoke all sessions Revoke-MgUserSignInSession -UserId "user@domain.com" # Block sign-in (Conditional Access) # Create CA policy blocking specific user # Disable on-premises AD account Disable-ADAccount -Identity "username" ``` ### Data Access Revocation {% code overflow="wrap" %} ```powershell # Connect to SharePoint Online Connect-SPOService -Url https://yourtenant-admin.sharepoint.com # Remove all sharing for a specific file/folder # (Requires specific file/site context) # Revoke anonymous links # Via SharePoint Admin Center or PowerShell # Remove external sharing for user's OneDrive Set-SPOSite -Identity "https://yourtenant-my.sharepoint.com/personal/user_domain_com" -SharingCapability Disabled ``` {% endcode %} ### Email Containment {% code overflow="wrap" %} ```powershell # Block user from sending email Set-Mailbox -Identity "user@domain.com" -MessageCopyForSentAsEnabled $false Set-TransportRule -Name "Block User Outbound" -From "user@domain.com" -DeleteMessage $true # Remove forwarding Set-Mailbox -Identity "user@domain.com" -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false # Remove inbox rules Get-InboxRule -Mailbox "user@domain.com" | Remove-InboxRule -Confirm:$false ``` {% endcode %} ### Endpoint Containment ```powershell # Block USB via Intune/MDE # Configure Device Control policies in MDE # Isolate device via MDE # Via Security Center portal or API # Block network access # Via Prisma Access / Firewall rules ``` ### Evidence Preservation #### Critical Evidence to Preserve

Evidence Type	Source	Retention
File access logs	MDE, SharePoint, OneDrive	Export immediately
Network logs	Prisma Access, MDE	Export immediately
Email logs	Exchange, MDO	Export/hold
Sign-in logs	Entra ID	Export immediately
Audit logs	Unified Audit Log	Export immediately
Endpoint forensics	MDE Live Response	Collect if needed
DLP alerts	Purview	Document

#### Evidence Collection Script {% code overflow="wrap" %} ```powershell # Create evidence directory $evidencePath = "C:\IR_Exfil_Evidence_$(Get-Date -Format 'yyyyMMdd_HHmmss')" New-Item -ItemType Directory -Path $evidencePath -Force # Export Unified Audit Log $startDate = (Get-Date).AddDays(-30) $endDate = Get-Date $userId = "suspect@domain.com" Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $userId -ResultSize 5000 | Export-Csv "$evidencePath\UnifiedAuditLog.csv" -NoTypeInformation # Export sign-in logs (via Graph) $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$userId'" -Top 1000 $signIns | Export-Csv "$evidencePath\SignInLogs.csv" -NoTypeInformation # Export mailbox audit log Search-MailboxAuditLog -Identity $userId -StartDate $startDate -EndDate $endDate -ShowDetails | Export-Csv "$evidencePath\MailboxAuditLog.csv" -NoTypeInformation # Compress evidence Compress-Archive -Path $evidencePath -DestinationPath "$evidencePath.zip" -Force Write-Host "Evidence collected to: $evidencePath.zip" ``` {% endcode %} *** ## Quick Reference Cards ### Exfiltration Indicator Checklist #### File Activity Red Flags * \[ ] Mass file access (>100 files/hour) * \[ ] Access to files outside normal scope * \[ ] Archive creation (ZIP, RAR, 7z) * \[ ] Large archives (>100MB) * \[ ] File access during off-hours * \[ ] Access spike before leaving * \[ ] Renamed file extensions * \[ ] Access to backup/export folders #### Network Red Flags * \[ ] Large outbound transfers (>100MB) * \[ ] Transfers to file sharing sites * \[ ] Non-standard port usage * \[ ] DNS query anomalies (length, volume) * \[ ] Encrypted traffic to unknown IPs * \[ ] After-hours data transfers * \[ ] Traffic to paste sites * \[ ] C2-like beaconing patterns #### Email Red Flags * \[ ] Large attachments to external * \[ ] Emails to personal accounts * \[ ] Password-protected attachments * \[ ] Bulk external emails * \[ ] Forwarding rules to external * \[ ] Unusual attachment types * \[ ] Emails to competitors #### Cloud Storage Red Flags * \[ ] Bulk downloads from SharePoint * \[ ] External sharing of sensitive files * \[ ] Anonymous link creation * \[ ] Sync to unmanaged devices * \[ ] Personal cloud app usage * \[ ] Third-party OAuth access * \[ ] Sharing with personal accounts #### Endpoint Red Flags * \[ ] USB device connections * \[ ] Files copied to removable media * \[ ] Mass printing * \[ ] Bluetooth transfers * \[ ] Screen capture tools * \[ ] Clipboard history abuse * \[ ] Screenshot of sensitive data ### Data Classification Quick Reference

Classification	Examples	Handling
Public	Marketing materials, press releases	No restrictions
Internal	General business docs, policies	Internal only
Confidential	Financial reports, contracts	Need-to-know
Restricted	PII, PHI, trade secrets	Strict controls
Top Secret	M&A, strategic plans	Executive only

### Common Exfiltration Tools

Tool	Type	Indicators
rclone	Cloud sync	rclone.exe, config files
WinSCP	SFTP/SCP	winscp.exe, .ini files
FileZilla	FTP	filezilla.exe, sitemanager.xml
MegaSync	Cloud	megasync.exe
Dropbox	Cloud sync	Dropbox.exe
Google Drive	Cloud sync	googledrivesync.exe
curl/wget	HTTP transfer	curl.exe, wget.exe
PowerShell	Various	Invoke-WebRequest, Upload
certutil	Encode/Decode	-encode, -decode flags
bitsadmin	Download	/transfer command

### Regulatory Considerations

Data Type	Regulations	Notification Requirements
PII (US)	State breach laws	Varies by state (typically 30-60 days)
PII (EU)	GDPR	72 hours to authority
PHI	HIPAA	60 days
Financial	GLBA, SOX	Varies
PCI	PCI-DSS	Varies by contract
Government	FISMA, FedRAMP	Immediate to 24 hours

*** ## Escalation Matrix ### Severity Classification

Severity	Criteria	Response Time
🔴 Critical	Active exfiltration of critical data, confirmed insider threat, ransomware exfil before encryption	Immediate - 15 min
🟠 High	Large data transfer detected, sensitive data exposed externally, departing employee with data	30 min - 1 hour
🟡 Medium	DLP policy violations, unusual access patterns, potential data staging	4 hours
🟢 Low	Minor policy violations, blocked exfil attempts, awareness issues	Next business day

### Escalation Triggers | Condition | Escalation Level | | ---------------------------------- | ------------------------------- | | Confirmed exfil of restricted data | DFIR + Legal + CISO | | PII/PHI data exposed | DFIR + Legal + Privacy Officer | | Intellectual property theft | DFIR + Legal + Business Owner | | Active insider threat | DFIR + HR + Legal | | Ransomware exfiltration | DFIR + CISO + Leadership | | Customer data exposed | DFIR + Legal + Customer Success | | >1GB confirmed exfiltrated | Tier 2 SOC + DFIR | | Regulatory data involved | Legal + Compliance + Privacy | ### External Notifications

Scenario	Notify	Timeline
PII breach (US)	State AG offices	Per state law (30-60 days typical)
PII breach (EU)	Data Protection Authority	72 hours
PHI breach	HHS OCR	60 days (or 60 days for <500 individuals)
PCI breach	Card brands, acquirer	Immediately
Government data	Relevant agency	Per contract/regulation
Cyber insurance	Carrier	Per policy (usually 24-72 hours)

*** ## MITRE ATT\&CK Mapping ### Exfiltration (TA0010)

Technique	ID	Description	Detection
Exfiltration Over C2 Channel	T1041	Using existing C2	DeviceNetworkEvents, C2 patterns
Exfiltration Over Alternative Protocol	T1048	DNS, ICMP tunneling	DeviceNetworkEvents, DNS logs
Exfiltration Over Web Service	T1567	Cloud storage upload	CloudAppEvents
Exfiltration Over Web Service: Cloud Storage	T1567.002	Dropbox, Google Drive, etc.	CloudAppEvents, DeviceNetworkEvents
Exfiltration Over Physical Medium	T1052	USB, external drives	DeviceEvents (PnP)
Automated Exfiltration	T1020	Scripted data theft	DeviceProcessEvents
Scheduled Transfer	T1029	Timed exfiltration	DeviceNetworkEvents (time analysis)
Data Transfer Size Limits	T1030	Chunking data	DeviceNetworkEvents (patterns)
Transfer Data to Cloud Account	T1537	To attacker cloud	CloudAppEvents

### Collection (TA0009) - Pre-Exfiltration

Technique	ID	Description	Detection
Archive Collected Data	T1560	ZIP, RAR creation	DeviceFileEvents, DeviceProcessEvents
Archive via Utility	T1560.001	Using compression tools	DeviceProcessEvents
Archive via Library	T1560.002	Programmatic compression	DeviceProcessEvents
Data from Local System	T1005	Local file collection	DeviceFileEvents
Data from Network Shared Drive	T1039	Shared drive access	DeviceFileEvents, Event 5140
Data from Cloud Storage	T1530	Cloud data collection	CloudAppEvents
Data Staged: Local Staging	T1074.001	Staging before exfil	DeviceFileEvents
Data Staged: Remote Staging	T1074.002	Remote staging	DeviceFileEvents
Email Collection	T1114	Collecting email data	OfficeActivity
Screen Capture	T1113	Screenshots	DeviceProcessEvents
Clipboard Data	T1115	Clipboard content	DeviceEvents

### Related Techniques

Tactic	Technique	ID	Relevance
Defense Evasion	Obfuscated Files	T1027	Encrypting before exfil
Defense Evasion	Indicator Removal	T1070	Deleting evidence
Impact	Data Encrypted for Impact	T1486	Ransomware with exfil

*** ## Appendix: Investigation Commands ### File Access Analysis {% code overflow="wrap" %} ```powershell # Get recent file access by user (requires auditing enabled) Get-WinEvent -FilterHashtable @{ LogName = 'Security' ID = 4663 } -MaxEvents 1000 | ForEach-Object { [PSCustomObject]@{ Time = $_.TimeCreated User = $_.Properties[1].Value Object = $_.Properties[6].Value AccessMask = $_.Properties[8].Value Process = $_.Properties[11].Value } } | Where-Object {$_.User -eq "DOMAIN\username"} # Find large files created recently Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.Length -gt 100MB -and $_.CreationTime -gt (Get-Date).AddDays(-7)} | Select-Object FullName, @{N='SizeMB';E={$_.Length/1MB}}, CreationTime | Sort-Object SizeMB -Descending # Find archive files Get-ChildItem -Path C:\Users -Recurse -Include *.zip,*.rar,*.7z -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)} | Select-Object FullName, @{N='SizeMB';E={[math]::Round($_.Length/1MB,2)}}, CreationTime ``` {% endcode %} ### Network Transfer Analysis {% code overflow="wrap" %} ```powershell # Get network connections with high data transfer Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'} | ForEach-Object { $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue [PSCustomObject]@{ LocalAddress = $_.LocalAddress LocalPort = $_.LocalPort RemoteAddress = $_.RemoteAddress RemotePort = $_.RemotePort ProcessName = $proc.Name ProcessPath = $proc.Path } } | Where-Object {$_.RemoteAddress -notmatch "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"} # Check DNS client cache for suspicious domains Get-DnsClientCache | Where-Object {$_.Entry -notmatch "\.(microsoft|windows|office|azure)\.com$"} | Select-Object Entry, Data, TimeToLive ``` {% endcode %} ### Cloud Activity Analysis ```powershell # Using Microsoft Graph to get sign-in activity Connect-MgGraph -Scopes "AuditLog.Read.All" $userId = "user@domain.com" $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$userId'" -Top 100 $signIns | Select-Object CreatedDateTime, AppDisplayName, IpAddress, @{N='Location';E={"$($_.Location.City), $($_.Location.CountryOrRegion)"}}, @{N='Device';E={$_.DeviceDetail.DisplayName}}, Status # Get user's OAuth app consents $user = Get-MgUser -UserId $userId Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object { $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId [PSCustomObject]@{ AppName = $app.DisplayName Scopes = $_.Scope ConsentType = $_.ConsentType } } ``` ### Email Analysis ```powershell # Connect to Exchange Online Connect-ExchangeOnline # Get outbound emails with attachments $startDate = (Get-Date).AddDays(-7) $endDate = Get-Date $sender = "user@domain.com" Get-MessageTrace -SenderAddress $sender -StartDate $startDate -EndDate $endDate | Where-Object {$_.ToIP -ne $null} | Select-Object Received, Subject, RecipientAddress, Size, Status # Check for forwarding rules Get-InboxRule -Mailbox "user@domain.com" | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo} | Select-Object Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled # Check mailbox forwarding Get-Mailbox -Identity "user@domain.com" | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward ``` ### USB/Removable Media Analysis {% code overflow="wrap" %} ```powershell # Get USB device history from registry Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" | Select-Object FriendlyName, ContainerID, @{N='LastConnected';E={ $_.PSPath -match 'USBSTOR\\(.+)\\(.+)$' $deviceId = $Matches[2] $lastWrite = (Get-Item "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\$($Matches[1])\$deviceId").LastWriteTime $lastWrite }} # Get recent removable drive events from event log Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' ID = 2003, 2100, 2101 } -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message ``` {% endcode %} ### Comprehensive User Activity Export {% code overflow="wrap" %} ```powershell # Comprehensive user activity collection for investigation $userId = "suspect@domain.com" $outputPath = "C:\Investigation_$($userId.Replace('@','_').Replace('.','_'))_$(Get-Date -Format 'yyyyMMdd')" New-Item -ItemType Directory -Path $outputPath -Force # Export Unified Audit Log $startDate = (Get-Date).AddDays(-30) $endDate = Get-Date Write-Host "Exporting Unified Audit Log..." $auditLogs = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $userId -ResultSize 5000 $auditLogs | Export-Csv "$outputPath\UnifiedAuditLog.csv" -NoTypeInformation Write-Host "Exporting Sign-In Logs..." Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$userId'" -Top 1000 $signIns | Export-Csv "$outputPath\SignInLogs.csv" -NoTypeInformation Write-Host "Exporting Email Activity..." Connect-ExchangeOnline -ShowBanner:$false $messages = Get-MessageTrace -SenderAddress $userId -StartDate $startDate -EndDate $endDate $messages | Export-Csv "$outputPath\SentEmails.csv" -NoTypeInformation $received = Get-MessageTrace -RecipientAddress $userId -StartDate $startDate -EndDate $endDate $received | Export-Csv "$outputPath\ReceivedEmails.csv" -NoTypeInformation Write-Host "Exporting Inbox Rules..." $rules = Get-InboxRule -Mailbox $userId $rules | Export-Csv "$outputPath\InboxRules.csv" -NoTypeInformation Write-Host "Exporting Mailbox Configuration..." $mailbox = Get-Mailbox -Identity $userId $mailbox | Select-Object * | Export-Csv "$outputPath\MailboxConfig.csv" -NoTypeInformation Write-Host "Creating summary..." $summary = @" Investigation Summary ===================== User: $userId Export Date: $(Get-Date) Date Range: $startDate to $endDate Files Exported: - UnifiedAuditLog.csv: $($auditLogs.Count) records - SignInLogs.csv: $($signIns.Count) records - SentEmails.csv: $($messages.Count) records - ReceivedEmails.csv: $($received.Count) records - InboxRules.csv: $($rules.Count) records - MailboxConfig.csv: Mailbox configuration Notes: - Review for unusual activity patterns - Check sign-in locations and devices - Review email recipients and attachments - Check inbox rules for forwarding "@ $summary | Out-File "$outputPath\Summary.txt" Write-Host "Compressing evidence..." Compress-Archive -Path $outputPath -DestinationPath "$outputPath.zip" -Force Write-Host "Evidence collection complete: $outputPath.zip" ``` {% endcode %} *** ## Prevention & Hardening ### DLP Policy Recommendations | Policy | Scope | Action | | ------------------------ | ---------------------------- | -------------------------------- | | **Credit Card Numbers** | Email, SharePoint, Endpoints | Block external sharing, notify | | **SSN/National ID** | All locations | Block external, alert SOC | | **Health Records (PHI)** | All locations | Block external, encrypt | | **Source Code** | Endpoints, Cloud | Block USB, alert on cloud upload | | **Financial Reports** | SharePoint, Email | Block external sharing | | **Customer PII** | All locations | Block external, log all access | ### Endpoint Controls | Control | Purpose | Implementation | | ------------------------ | ----------------------------- | ---------------------- | | **USB Blocking** | Prevent removable media exfil | MDE Device Control | | **Cloud App Control** | Block unsanctioned apps | MDCA + Prisma Access | | **Print Restrictions** | Prevent print exfil | GPO / Intune | | **Clipboard Control** | Prevent copy/paste | Application Guard | | **Screen Capture Block** | Prevent screenshots | Information Protection | ### Network Controls | Control | Purpose | Implementation | | ------------------------ | --------------------------------- | ------------------ | | **Egress Filtering** | Block unauthorized transfers | Prisma Access | | **Category Blocking** | Block file sharing sites | URL Filtering | | **Data Transfer Limits** | Alert on large uploads | Network monitoring | | **DNS Monitoring** | Detect tunneling | DNS security | | **SSL Inspection** | Visibility into encrypted traffic | Prisma Access | *** > 🔒 **Critical Reminder:** Data exfiltration investigations often have legal, HR, and regulatory implications. Always coordinate with Legal and HR before taking action on insider threat cases. Preserve evidence meticulously with documented chain of custody. Be aware of privacy regulations that may affect investigation methods in different jurisdictions. Time is critical—once data leaves the organization, recovery may be impossible.