Detect Microsoft Teams Large Data Transfer Using KQL v1.1
This KQL query detects unusually large Microsoft Teams data transfers by summing Zscaler traffic to the Teams CDN in Microsoft Sentinel and flagging any 10-minute bin in which more than 50GB was sent or received. It incorporates the fix for ingestion delays described in this blog article: the query compensates for a two-minute lag between the event time (TimeGenerated) and the moment Zscaler rows land in the workspace, so rows that arrive late are not silently skipped by the scheduled rule. This gives more accurate and timely detection of large data flows and helps security teams monitor heavy network usage without missing events.
Risk
Large data transfers through Microsoft Teams can indicate unauthorized file sharing, data leakage, or misuse of collaboration tools. If the scheduled rule does not account for ingestion delay, rows that are ingested after a run has already queried their time window are never evaluated, so such transfers can go unnoticed and the risk of undetected data exfiltration and compliance violations increases. Evaluating every row exactly once, even when it arrives late, closes that gap.
Query
Microsoft Sentinel
let ingestion_delay = 2min;        // observed lag between TimeGenerated and ingestion_time() for Zscaler rows
let rule_look_back = 10min;        // must equal the analytics rule's run frequency
let size_threshold = 53687091200;  // 50GB (50 * 1024^3 bytes)
CommonSecurityLog
| where DeviceVendor == "Zscaler"
| where DestinationHostName == "statics.teams.cdn.office.net"
// Widen the event-time window by the expected delay, then select rows by when they were
// ingested, so each row is evaluated by exactly one run even if it lands up to 2 minutes late
| where TimeGenerated >= ago(ingestion_delay + rule_look_back)
| where ingestion_time() > ago(rule_look_back)
| summarize sum(SentBytes), sum(ReceivedBytes) by bin(TimeGenerated, 10m), DeviceVendor, DestinationHostName
| where sum_SentBytes > size_threshold or sum_ReceivedBytes > size_threshold
| project DeviceVendor, DestinationHostName, SentTotal=format_bytes(sum_SentBytes, 5, "GB"), ReceivedTotal=format_bytes(sum_ReceivedBytes, 5, "GB"), TimeGenerated
The two-minute ingestion_delay addresses the latency in Zscaler log processing documented in the referenced blog article. For the fix to work, the analytics rule must be scheduled to run every 10 minutes, the same value as rule_look_back: each run then evaluates exactly the rows ingested since the previous run, reaching back up to two extra minutes of event time to pick up late arrivals, sums the bytes per 10-minute bin of Teams CDN traffic, and flags bins exceeding 50GB. Rows that arrive more than two minutes late are still missed, so tune ingestion_delay from the observed difference between ingestion_time() and TimeGenerated in your workspace. Two further caveats: bin(TimeGenerated, 10m) aligns to fixed clock boundaries, so a transfer that straddles one (for example 11:58 to 12:02) is split across two bins and may fall below the threshold in each; and statics.teams.cdn.office.net serves the Teams client's static assets, while files shared in Teams are stored in SharePoint Online and OneDrive, so a rule aimed at file exfiltration should also cover those hostnames.
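As an added illustration (not code from the original post), the following Python simulation evaluates the query's two where clauses, the 10-minute bin and the 50GB threshold over constructed log rows for two consecutive rule runs at 12:00 and 12:10. A row generated at 11:59 but ingested at 12:01 is missed by a rule that windows on TimeGenerated alone and caught by the compensated window. The LogRow class, the sample rows, the run times and the format_gib helper are assumptions made for this example; the parameters mirror the page's query.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Parameters mirroring the page's KQL let statements.
INGESTION_DELAY = timedelta(minutes=2)
RULE_LOOK_BACK = timedelta(minutes=10)
BIN_WIDTH = timedelta(minutes=10)
GIB = 1024 ** 3
SIZE_THRESHOLD = 50 * GIB          # 53687091200 bytes, as in the query
TEAMS_CDN = "statics.teams.cdn.office.net"


@dataclass(frozen=True)
class LogRow:
    """One CommonSecurityLog row reduced to the columns the query touches (assumed shape)."""
    time_generated: datetime   # event time from the Zscaler log (TimeGenerated)
    ingestion_time: datetime   # when the row landed in the workspace (ingestion_time())
    device_vendor: str
    destination_host: str
    sent_bytes: int
    received_bytes: int


def utc(h, m, s=0):
    """Helper for the constructed sample: all timestamps on one UTC day."""
    return datetime(2024, 5, 1, h, m, s, tzinfo=timezone.utc)


def floor_to_bin(ts, width=BIN_WIDTH):
    """Equivalent of KQL bin(): floor ts to a multiple of width measured from the epoch."""
    w = int(width.total_seconds())
    return datetime.fromtimestamp(int(ts.timestamp()) // w * w, tz=timezone.utc)


def format_gib(n, precision=5):
    """Stand-in for format_bytes(n, precision, "GB"); KQL uses 1024-based units."""
    return f"{n / GIB:.{precision}f} GB"


def select_rows(rows, now, compensate_delay):
    """Apply the query's where clauses as a rule run at `now` would see them."""
    selected = []
    for r in rows:
        if r.ingestion_time > now:
            continue  # not in the table yet when this run executes
        if r.device_vendor != "Zscaler" or r.destination_host != TEAMS_CDN:
            continue
        if compensate_delay:
            # Page's query: widen the TimeGenerated window by the delay, then window on ingestion time.
            if r.time_generated < now - (INGESTION_DELAY + RULE_LOOK_BACK):
                continue
            if r.ingestion_time <= now - RULE_LOOK_BACK:
                continue
        else:
            # Naive rule: window on TimeGenerated only.
            if r.time_generated < now - RULE_LOOK_BACK:
                continue
        selected.append(r)
    return selected


def detect(rows, now, compensate_delay=True):
    """summarize by bin(TimeGenerated, 10m), DeviceVendor, DestinationHostName, then threshold."""
    totals = {}
    for r in select_rows(rows, now, compensate_delay):
        key = (floor_to_bin(r.time_generated), r.device_vendor, r.destination_host)
        sent, recv = totals.get(key, (0, 0))
        totals[key] = (sent + r.sent_bytes, recv + r.received_bytes)
    hits = []
    for (bin_start, vendor, host), (sent, recv) in sorted(totals.items()):
        if sent > SIZE_THRESHOLD or recv > SIZE_THRESHOLD:
            hits.append({
                "DeviceVendor": vendor,
                "DestinationHostName": host,
                "SentBytes": sent,
                "ReceivedBytes": recv,
                "SentTotal": format_gib(sent),
                "ReceivedTotal": format_gib(recv),
                "TimeGenerated": bin_start,
            })
    return hits


# Constructed sample rows (not real Zscaler data).
SAMPLE_ROWS = [
    LogRow(utc(11, 40), utc(11, 40, 10), "Zscaler", TEAMS_CDN, GIB, 70 * GIB),     # too old for either window
    LogRow(utc(11, 52), utc(11, 52, 10), "Zscaler", TEAMS_CDN, GIB, 20 * GIB),
    LogRow(utc(11, 55), utc(11, 55, 10), "Zscaler", TEAMS_CDN, GIB, 20 * GIB),
    LogRow(utc(11, 58), utc(11, 58, 10), "Zscaler", TEAMS_CDN, GIB, 20 * GIB),
    LogRow(utc(11, 56), utc(11, 56, 10), "Zscaler", "example.com", GIB, 90 * GIB),  # other host, ignored
    # Late row: generated at 11:59 but ingested at 12:01, after the 12:00 run has already executed.
    LogRow(utc(11, 59), utc(12, 1), "Zscaler", TEAMS_CDN, GIB // 2, 55 * GIB),
]
RUN_1200 = utc(12, 0)
RUN_1210 = utc(12, 10)

if __name__ == "__main__":
    for run in (RUN_1200, RUN_1210):
        for mode in (False, True):
            print(run.time(), "compensated" if mode else "naive", detect(SAMPLE_ROWS, run, mode))
```

At the 12:00 run both variants report the 11:50 bin with 60GB received. At the 12:10 run the naive variant returns nothing, because the late row's TimeGenerated (11:59) falls outside its window, while the compensated variant reports the 11:50 bin with 55GB received and, because of the ingestion_time filter, does not re-count the rows already evaluated at 12:00.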