Massive file downloads from SaaS service

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2025-04-21
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Box Audit Log
      OR
    • DropBox
      OR
    • Google Workspace Audit Logs
      OR
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Cloud Storage (T1530)

Severity

Informational

Description

A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.

Attacker's Goals

An attacker may download files from a SaaS service to exfiltrate sensitive data.

Investigative actions

  • Check for signs of account compromise, such as abnormal login activity or unusual behavior.
  • Review the files that were downloaded to determine if they contain sensitive data.
  • Verify if the user account that downloaded the files is authorized to access them.
  • Analyze the file types that were downloaded.
  • Monitor the account for any further suspicious actions.

Variations

Suspicious SaaS service file downloads

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Cloud Storage (T1530)

Severity

Low

Description

A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. The user connected from an unknown IP and displayed suspicious characteristics.

Attacker's Goals

An attacker may download files from a SaaS service to exfiltrate sensitive data.

Investigative actions

  • Check for signs of account compromise, such as abnormal login activity or unusual behavior.
  • Review the files that were downloaded to determine if they contain sensitive data.
  • Verify if the user account that downloaded the files is authorized to access them.
  • Analyze the file types that were downloaded.
  • Monitor the account for any further suspicious actions.


Massive file downloads from SaaS service by terminated user

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Cloud Storage (T1530)

Severity

Low

Description

A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.

Attacker's Goals

An attacker may download files from a SaaS service to exfiltrate sensitive data.

Investigative actions

  • Check for signs of account compromise, such as abnormal login activity or unusual behavior.
  • Review the files that were downloaded to determine if they contain sensitive data.
  • Verify if the user account that downloaded the files is authorized to access them.
  • Analyze the file types that were downloaded.
  • Monitor the account for any further suspicious actions.


Massive code file downloads from SaaS service

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Cloud Storage (T1530)

Severity

Low

Description

A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.

Attacker's Goals

An attacker may download files from a SaaS service to exfiltrate sensitive data.

Investigative actions

  • Check for signs of account compromise, such as abnormal login activity or unusual behavior.
  • Review the files that were downloaded to determine if they contain sensitive data.
  • Verify if the user account that downloaded the files is authorized to access them.
  • Analyze the file types that were downloaded.
  • Monitor the account for any further suspicious actions.