Azure high-volume data transfer

Cortex XDR Analytics Alert Reference by data source

Product

Cortex XDR

Last date published

2025-02-14

Activation Period	14 Days
Training Period	30 Days
Test Period	10 Minutes
Deduplication Period	5 Days
Required Data	Requires: Azure Audit Log
Detection Modules	Cloud
Detector Tags	Microsoft Graph Activity Logs
ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Informational

An Identity performed multiple Microsoft Graph actions, resulting in a high volume of data transfer.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Medium

An Identity performed multiple Microsoft Graph actions, resulting in a high volume of data transfer.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Medium

An Identity performed multiple Microsoft Graph actions, resulting in a high volume of data transfer.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Exfiltration Over Alternative Protocol (T1048)
Severity	Low

An Identity performed multiple Microsoft Graph actions, resulting in a high volume of data transfer.

Exfiltrate data over Microsoft Graph API.

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.