Agent Foskett Academy • Lesson 117 • Incident Response Workflow

Incident Response Workflow: Data Exfiltration in Microsoft Defender XDR.

The investigation began with an unusually large OneDrive upload.

At first, it looked like routine file synchronisation. Then thousands of documents were accessed, several archive files appeared, and outbound traffic to cloud storage increased.

No malware alert had fired. No ransomware note appeared.

Agent Foskett was trying to answer one question: did sensitive company data leave the organisation?

Agent Foskett Academy lesson data exfiltration incident response in Microsoft Defender XDR
Lesson overview

Learn how to investigate suspected data exfiltration by correlating Microsoft Defender XDR endpoint, identity, cloud, file and network telemetry to determine whether sensitive data was accessed, staged or transferred externally.

Review suspicious file access
Identify archive creation and staging
Correlate cloud and network activity
Determine data exposure and response

Why data exfiltration investigations matter

Data exfiltration investigations often begin with weak signals: a large download, an unusual upload, archive creation, external sharing or cloud activity that does not fit the user's normal behaviour.
Exfiltration is about intent and impactA user may legitimately access files, but defenders need to determine whether the volume, timing, destination and business context indicate data theft.
Cloud activity needs contextOneDrive, SharePoint, Teams and browser-based file movement can make exfiltration harder to recognise without correlating identity and endpoint evidence.
The timeline mattersThe strongest investigations connect authentication, file access, staging, compression, upload activity and alerts into a single timeline.

The data exfiltration response workflow

Agent Foskett investigates potential data theft by moving from the initial alert to identity validation, file access review, transfer analysis and containment.
1. Confirm the triggerIdentify the user, device, files, cloud application, alert and timeframe that started the investigation.
2. Review identity activityCheck whether the user signed in from expected locations, known devices and normal authentication patterns.
3. Investigate file accessReview local file events, SharePoint activity, OneDrive downloads, archive creation and sensitive document access.
4. Review cloud and network activityLook for uploads, external sharing, file sync, third-party storage, unusual destinations and large outbound traffic.
5. Determine exposureIdentify what data was accessed, whether it was sensitive, whether it left the organisation and who may be affected.
6. Contain and preserve evidenceSuspend access where required, block sharing, preserve logs, notify stakeholders and support breach response procedures.

Step 1 — Review large file activity

Start by looking for high-volume file creation, modification and archive activity on endpoints.
step-1-review-large-file-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where ActionType in~ ("FileCreated", "FileModified", "FileRenamed", "FileCopied")
| summarize FileEventCount = count(),
            FileNames = make_set(FileName, 50),
            Folders = make_set(FolderPath, 30),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by DeviceName,
         InitiatingProcessAccountName
| where FileEventCount > 100
| order by FileEventCount desc

Step 2 — Identify archive creation

Attackers and insiders often compress data before moving it to external locations.
step-2-identify-archive-creation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
let TimeFrame = 7d;
DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where FileName endswith ".zip"
   or FileName endswith ".7z"
   or FileName endswith ".rar"
   or FileName endswith ".tar"
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountName,
          FileName,
          FolderPath,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

Step 3 — Review cloud application activity

Cloud activity can show SharePoint, OneDrive, Exchange or other Microsoft 365 access patterns around the same user and timeframe.
step-3-review-cloud-application-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where ActionType has_any ("download", "upload", "share", "sync", "file")
| project Timestamp,
          AccountDisplayName,
          Application,
          ActionType,
          ObjectName,
          IPAddress,
          DeviceType,
          UserAgent
| order by Timestamp desc

Step 4 — Hunt for external network destinations

Endpoint network telemetry can reveal uploads to cloud storage, file-sharing services or unusual external destinations.
step-4-external-network-destinations.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
let TimeFrame = 7d;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where isnotempty(RemoteUrl) or isnotempty(RemoteIP)
| where RemoteUrl has_any ("dropbox", "mega", "box.com", "drive.google", "wetransfer", "onedrive")
   or RemotePort in (443, 8443)
| summarize ConnectionCount = count(),
            Devices = make_set(DeviceName, 20),
            Processes = make_set(InitiatingProcessFileName, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by RemoteUrl,
         RemoteIP,
         RemotePort
| order by ConnectionCount desc

Step 5 — Correlate identity and data access

Data movement becomes more concerning when it follows risky authentication, unfamiliar locations or compromised account behaviour.
step-5-correlate-identity-data-access.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
let TimeFrame = 7d;
let SuspiciousUsers =
    IdentityLogonEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType has_any ("risk", "suspicious", "unfamiliar", "success")
    | summarize SignInCount = count(),
                Locations = make_set(Location, 20),
                IPAddresses = make_set(IPAddress, 50),
                FirstSignIn = min(Timestamp),
                LastSignIn = max(Timestamp)
          by AccountUpn;
SuspiciousUsers
| join kind=leftouter (
    CloudAppEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType has_any ("download", "upload", "share", "sync", "file")
    | summarize CloudActions = count(),
                Applications = make_set(Application, 20),
                Objects = make_set(ObjectName, 50),
                FirstCloudAction = min(Timestamp),
                LastCloudAction = max(Timestamp)
          by AccountDisplayName
) on $left.AccountUpn == $right.AccountDisplayName
| order by CloudActions desc

Step 6 — Build the exfiltration timeline

A combined timeline helps determine whether data access, archive creation, uploads and alerts were part of the same incident.
step-6-build-exfiltration-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
let TimeFrame = 3d;
let UserToInvestigate = "user@contoso.com";
let IdentityEvents =
    IdentityLogonEvents
    | where Timestamp > ago(TimeFrame)
    | where AccountUpn =~ UserToInvestigate
    | project Timestamp, Source = "IdentityLogonEvents", Entity = AccountUpn, Detail = strcat(ActionType, " from ", IPAddress, " ", tostring(Location));
let CloudEvents =
    CloudAppEvents
    | where Timestamp > ago(TimeFrame)
    | where AccountDisplayName =~ UserToInvestigate
    | project Timestamp, Source = "CloudAppEvents", Entity = AccountDisplayName, Detail = strcat(ActionType, " ", tostring(ObjectName));
union IdentityEvents, CloudEvents
| order by Timestamp asc

Common data exfiltration clues

Data theft is rarely proven by one event. Look for multiple signals that point to staging, access and transfer.
Bulk file accessThe same user accesses or downloads far more files than normal, especially outside business hours.
Archive creationZIP, 7z, RAR or TAR files appear shortly before network uploads or external sharing activity.
External sharingFiles are shared with personal accounts, unknown domains or external collaborators without a clear business reason.
Cloud storage uploadsEndpoint network telemetry shows traffic to file-sharing or cloud storage services shortly after sensitive access.
Unusual device contextThe same user accesses data from a new device, unmanaged endpoint, VPN exit node or unfamiliar location.
User behaviour changesThe activity does not match the user's role, department, working hours or normal file access pattern.

False positives to consider

Defenders should validate business context before treating large data movement as malicious.
Legitimate project workLarge downloads may be expected during migrations, audits, tender responses or project handovers.
OneDrive syncNormal sync activity can generate many file events, especially after a new device setup or profile rebuild.
Backup or migration toolsEnterprise backup, DLP, eDiscovery, archiving or migration tools can create high-volume activity.
Shared team foldersUsers may legitimately access many files when working from shared libraries or Teams channels.
Security testingInternal security, compliance or data discovery tools may enumerate sensitive files by design.
Approved external sharingSome clients, suppliers and partners require external sharing as part of normal business operations.

Investigation checklist

Use this checklist before closing a suspected data exfiltration investigation.
Was sensitive data accessed?Identify file names, locations, labels, departments and business owners for the data involved.
Was the user expected to access it?Compare the file access with the user role, team membership and normal working pattern.
Was the data staged or compressed?Look for archive files, temporary folders, command-line compression and bulk copy behaviour.
Did the data leave the environment?Correlate file access with cloud uploads, external sharing, network traffic and third-party storage destinations.
Is the account compromised?Review risky sign-ins, MFA changes, impossible travel, OAuth consent and suspicious identity alerts.
Has evidence been preserved?Preserve timelines, affected file lists, sign-in data, endpoint evidence and stakeholder decisions.

Related Agent Foskett Academy lessons

These lessons support data exfiltration investigations.
Incident Response Workflow: Insider Threat InvestigationInvestigate unusual user behaviour, privileged access misuse and suspicious internal activity.
Incident Response Workflow: Compromised User AccountDetermine what an attacker did after gaining access to a user account.
Hunting Playbook: Risky Sign-insValidate suspicious authentication activity and identity risk signals.
Hunting Playbook: OAuth AbuseInvestigate persistent access through malicious or suspicious OAuth applications.
Investigating DeviceFileEventsUse endpoint file telemetry to investigate file creation, modification and deletion activity.
Investigating DeviceNetworkEventsReview outbound network connections, remote URLs and suspicious destinations.

Coming next

The Incident Response Workflow series continues with OAuth application compromise.
Lesson 118 — Incident Response Workflow: OAuth Application CompromiseNext, Agent Foskett investigates suspicious application consent, delegated permissions, token abuse and persistent access through OAuth applications.
Why this mattersData exfiltration investigations often reveal the impact of compromise. OAuth investigations help determine whether attackers still have access after passwords and sessions are reset.

Final thought

Data exfiltration investigations are about evidence, impact and containment.
Agent Foskett mindsetDo not stop at proving files were accessed. Determine whether the data was staged, transferred, shared, exposed and whether the activity fits legitimate business context.
Incident Response Workflow SeriesLesson 117 connects identity, endpoint, cloud, file and network telemetry into a repeatable workflow for suspected data theft.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Incident Response Workflow Data Exfiltration in Microsoft Defender XDR

Agent Foskett Academy Lesson 117 teaches defenders how to investigate suspected data exfiltration using Microsoft Defender XDR endpoint, identity, cloud, file and network telemetry.

Learn data exfiltration investigation with KQL and Microsoft Defender XDR

Data exfiltration investigations help Microsoft security analysts identify sensitive data access, large file transfers, archive creation, cloud uploads, external sharing and suspicious user behaviour.

Microsoft Defender XDR data theft investigation tutorial

This lesson explains how to correlate DeviceFileEvents, DeviceNetworkEvents, CloudAppEvents and IdentityLogonEvents to determine whether sensitive data left the organisation.