Detect Microsoft Teams Large Data Transfer Using KQL
This article covers a Kusto Query Language (KQL) query that detects large data transfers to or from the Microsoft Teams CDN host statics.teams.cdn.office.net, as seen in Zscaler web logs ingested into Microsoft Sentinel. The query keeps only Zscaler records for that host, sums bytes sent and received across all sources in each 10-minute bin, and alerts when either total exceeds 50 gigabytes. It is a coarse, tenant-wide volume check: useful for spotting abnormal or excessive data flows that may degrade network performance or hint at misuse, not a per-user exfiltration detection on its own.
Risk
Large volumes of data moving between the enterprise and Microsoft Teams endpoints can signal unusual activity: unauthorized data exfiltration, wasteful bandwidth usage, or a client-update rollout large enough to risk service disruption. Because a CDN host exists to deliver content to clients, a high received total is the expected direction and is often benign, whereas a high sent total towards a CDN host is harder to explain and warrants investigation first. Monitoring these spikes gives early warning of security incidents and performance bottlenecks in environments that depend on cloud-based collaboration tools.
Query
Microsoft Sentinel
let threshold = 50000000000; // 50 GB in decimal bytes; format_bytes() below scales by 1024, so this displays as about 46.57 GB
CommonSecurityLog
| where DeviceVendor == "Zscaler" // Zscaler feed only
| where DestinationHostName == "statics.teams.cdn.office.net" // Teams CDN host
| summarize sum(SentBytes), sum(ReceivedBytes) by bin(TimeGenerated, 10m), DeviceVendor, DestinationHostName // tenant-wide totals per 10-minute bin (no per-user or per-IP grouping)
| where sum_SentBytes > threshold or sum_ReceivedBytes > threshold // alert if either direction crosses the line
| project DeviceVendor, DestinationHostName, SentTotal=format_bytes(sum_SentBytes, 5, "GB"), ReceivedTotal=format_bytes(sum_ReceivedBytes, 5, "GB"), TimeGenerated
This KQL query reads Zscaler logs from the CommonSecurityLog table in Microsoft Sentinel, keeps only records whose destination is the Teams CDN host, and sums SentBytes and ReceivedBytes per 10-minute bin. It then returns the bins where either total exceeds the 50 GB threshold, formatting the byte counts as gigabytes for easier reading. Two practical points: the summarize clause groups only by vendor and host, so a hit means the organisation's combined traffic to that host crossed the threshold, and attribution requires adding SourceUserName or SourceIP to the by clause (or re-querying the flagged bin with those columns); and format_bytes() uses binary units, so the decimal 50,000,000,000-byte threshold appears as roughly 46.57 GB in the output. Tune the threshold against a baseline of normal Teams CDN volume, since a large Teams client update can legitimately push the received total over the line.