From 8280f4e53ab714c49e120c0cdb3954fda147992c Mon Sep 17 00:00:00 2001
From: "byteray-cql-hub-bot[bot]"
 <261226166+byteray-cql-hub-bot[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 11:19:04 +0000
Subject: [PATCH] =?UTF-8?q?Add=20query:=20High=20Volume=20SMB=20File=20Cop?=
 =?UTF-8?q?y=20(Data=20Exfiltration=20/=20Ransomware)=20=E2=80=93=20Micros?=
 =?UTF-8?q?oft=20Defender=20for=20Identity?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...omware_microsoft_defender_for_identity.yml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 queries/high_volume_smb_file_copy_data_exfiltration_ransomware_microsoft_defender_for_identity.yml

diff --git a/queries/high_volume_smb_file_copy_data_exfiltration_ransomware_microsoft_defender_for_identity.yml b/queries/high_volume_smb_file_copy_data_exfiltration_ransomware_microsoft_defender_for_identity.yml
new file mode 100644
index 0000000..05f687b
--- /dev/null
+++ b/queries/high_volume_smb_file_copy_data_exfiltration_ransomware_microsoft_defender_for_identity.yml
@@ -0,0 +1,49 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: High Volume SMB File Copy (Data Exfiltration / Ransomware) – Microsoft Defender for Identity
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+  - T1048
+
+# Description of what the query does and its purpose.
+description: |
+  Detects a large volume of file transfers over SMB within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate bulk data exfiltration or ransomware activity, where files are rapidly copied, staged, or encrypted across systems and should be investigated immediately.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+  - Identity
+
+# The CrowdStrike modules required to run this query.
+cs_required_modules:
+  - Identity
+
+# Tags for filtering and categorization.
+tags:
+  - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  #Vendor = "microsoft"
+  | #event.module = "defender-identity"
+  | Vendor.category = "AdvancedHunting-IdentityDirectoryEvents"
+  | Vendor.properties.ActionType = "SMB file copy"
+  | groupBy([user.name, source.address], function=[count(as=file_copies),collect(fields=Vendor.properties.DestinationDeviceName),collect(fields=Vendor.properties.DeviceName),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
+  | file_copies > 50
+  | time_diff_min := (end_time - start_time) / 60000
+  | time_diff_min <= 10
+  | start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
+  | end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
+  | drop([start_time, end_time])
+  | sort([file_copies], order=desc)
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+  Detects a large volume of file transfers over SMB within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate bulk data exfiltration or ransomware activity, where files are rapidly copied, staged, or encrypted across systems and should be investigated immediately.