List Microsoft Teams Sending Or Receiving More Than 50GB In The Last 10 Minutes As Detected By Zscaler v1.1
Description
This KQL query identifies Microsoft Teams traffic from Zscaler that exceeds 50GB of data in the last 10 minutes. Version 1.1 compensates for the Zscaler ingestion delay of two (2) minutes by widening the event-time window while only counting rows ingested within the look-back period.
Query
Microsoft Sentinel
Kusto
let ingestion_delay = 2min;       // typical lag before Zscaler events land in the workspace
let rule_look_back = 10min;       // look-back window of the rule
let size_threshold = 53687091200; // 50GB in bytes
CommonSecurityLog
| where DeviceVendor == "Zscaler"
| where DestinationHostName == "statics.teams.cdn.office.net"
// Widen the event-time window by the ingestion delay ...
| where TimeGenerated >= ago(ingestion_delay + rule_look_back)
// ... but only count rows that arrived during this look-back period, so late
// events are picked up without being counted again by the next run
| where ingestion_time() > ago(rule_look_back)
| summarize sum(SentBytes), sum(ReceivedBytes) by bin(TimeGenerated,10m), DeviceVendor, DestinationHostName
| where sum_SentBytes > size_threshold or sum_ReceivedBytes > size_threshold
| project DeviceVendor, DestinationHostName, SentTotal=format_bytes(sum_SentBytes, 5, "GB"), ReceivedTotal=format_bytes(sum_ReceivedBytes, 5, "GB"), TimeGenerated
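To show how the two time filters interact, the following is an added Python re-implementation of the rule's logic (not code from the original page, Zscaler or Microsoft Sentinel) run over constructed CommonSecurityLog-like events. The field names mirror the query's columns, and the evaluation time, byte sizes and hostnames are assumptions chosen to exercise each filter.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INGESTION_DELAY = timedelta(minutes=2)
RULE_LOOK_BACK = timedelta(minutes=10)
SIZE_THRESHOLD = 53687091200  # 50 GB, the same byte count the KQL rule uses
TEAMS_HOST = "statics.teams.cdn.office.net"
GB = 1024 ** 3
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def bin_10m(ts):
    """Mirror KQL bin(TimeGenerated, 10m): floor to a fixed 10-minute boundary."""
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % 600)

def evaluate(records, now):
    """Apply the rule's filters and summarize; returns the rows that would alert."""
    totals = defaultdict(lambda: [0, 0])  # key -> [sum_SentBytes, sum_ReceivedBytes]
    for r in records:
        if r["DeviceVendor"] != "Zscaler" or r["DestinationHostName"] != TEAMS_HOST:
            continue
        # Event time may be up to delay + look-back old (Zscaler lands ~2 min late) ...
        if r["TimeGenerated"] < now - (INGESTION_DELAY + RULE_LOOK_BACK):
            continue
        # ... but it must have reached the workspace inside the look-back window,
        # otherwise an earlier run of the rule has already counted it.
        if r["ingestion_time"] <= now - RULE_LOOK_BACK:
            continue
        key = (bin_10m(r["TimeGenerated"]), r["DeviceVendor"], r["DestinationHostName"])
        totals[key][0] += r["SentBytes"]
        totals[key][1] += r["ReceivedBytes"]
    return [(k[0], k[1], k[2], sent, recv) for k, (sent, recv) in sorted(totals.items())
            if sent > SIZE_THRESHOLD or recv > SIZE_THRESHOLD]

def demo():
    """Constructed CommonSecurityLog-like events, evaluated at a fixed 'now'."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    t = lambda h, m, s=0: datetime(2024, 1, 1, h, m, s, tzinfo=timezone.utc)
    rec = lambda tg, ing, sent, recv, host=TEAMS_HOST: {
        "DeviceVendor": "Zscaler", "DestinationHostName": host, "TimeGenerated": tg,
        "ingestion_time": ing, "SentBytes": sent, "ReceivedBytes": recv}
    records = [
        rec(t(11, 49), t(11, 51), 30 * GB, 0),      # 11 min old, ingested 9 min ago: counted
        rec(t(11, 52), t(11, 54), 1 * GB, 51 * GB), # counted; received side crosses 50 GB
        rec(t(11, 47), t(11, 49), 60 * GB, 0),      # 13 min old: outside delay + look-back
        rec(t(11, 49), t(11, 49, 30), 40 * GB, 0),  # ingested 10.5 min ago: previous run's event
        rec(t(11, 55), t(11, 56), 70 * GB, 0, "example.invalid"),  # not Teams CDN traffic
    ]
    return evaluate(records, now)
```

Note that bin() floors to fixed 10-minute boundaries rather than to the rule's own window, so a burst straddling a boundary is split across two bins, exactly as in the KQL.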