Navigate to the Policies section in Defender for Cloud Apps. Look for the "Mass download by a single user" policy template.
Set the number of files and the timeframe (e.g., 500 files in 30 minutes). The count is evaluated per user inside a sliding window, so a sustained low-rate download that never reaches the threshold within one window will not fire.
Exclude specific service accounts or "Sync" apps (for example backup or migration accounts and the OneDrive sync client) if they frequently cause false positives, but review the exclusion list periodically, since an excluded identity is a blind spot if it is compromised.
Determine if the system should simply alert you or automatically suspend the user's account. Automatic suspension stops the exfiltration immediately but will also lock out a legitimate user caught by a noisy threshold, so pair it with tuned exclusions.
Don't just look for mass downloads; monitor for "unusual" file sharing to external guests, which often precedes a download event.
Use Purview sensitivity labels to encrypt sensitive files so that even if they are downloaded, they cannot be opened without authorized credentials.

Step-by-Step Incident Response
1. Check the "Actor" field in the alert. Is this a high-privilege executive, an IT admin, or a frontline worker? High-risk accounts require immediate isolation.
2. Analyze the Source IP and Location
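To make the policy settings above concrete, here is an added example (not Microsoft's code and not the policy engine's actual implementation) that applies the same logic the "Mass download by a single user" template evaluates: a per-user sliding window of N file downloads in T minutes, exclusions for service accounts and sync apps, and the alert-versus-suspend decision combined with the high-risk-actor rule from step 1. The event tuple shape, account names, app names and file paths are assumptions, and the audit events are constructed inline so the script runs offline.

```python
"""Sliding-window mass-download detector (added example, not Microsoft code).

Event shape (actor, timestamp, app, path) is an assumption loosely modelled on
Office 365 FileDownloaded audit records; all sample data below is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_FILES = 500              # policy: number of files ...
WINDOW = timedelta(minutes=30)     # ... within this timeframe

# Exclusions that commonly cause false positives (assumed identities/apps).
EXCLUDED_ACTORS = {"svc-backup@contoso.example"}
EXCLUDED_APPS = {"OneDrive Sync Client"}


def detect_mass_downloads(events, threshold=THRESHOLD_FILES, window=WINDOW,
                          excluded_actors=EXCLUDED_ACTORS,
                          excluded_apps=EXCLUDED_APPS):
    """Return {actor: alert} for each actor whose download count inside any
    sliding window of length `window` reaches `threshold`. One alert per actor,
    raised at the moment the threshold is first crossed."""
    windows = defaultdict(deque)   # actor -> timestamps still inside the window
    alerts = {}
    for actor, ts, app, path in sorted(events, key=lambda e: e[1]):
        if actor in excluded_actors or app in excluded_apps or actor in alerts:
            continue
        q = windows[actor]
        q.append(ts)
        while q and ts - q[0] > window:     # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[actor] = {"count": len(q), "first": q[0], "last": ts,
                             "app": app, "sample_path": path}
    return alerts


def triage_action(actor, alert, high_risk_actors, auto_suspend=False):
    """Map an alert to a response: `auto_suspend` mirrors the policy's
    governance choice (alert only vs. suspend user); a high-risk actor
    (executive, IT admin) is isolated regardless, as the runbook requires."""
    if actor in high_risk_actors:
        return "suspend"
    return "suspend" if auto_suspend else "alert"


def make_burst(actor, start, count, spacing, app="Microsoft SharePoint Online"):
    """Constructed helper: `count` download events `spacing` apart."""
    return [(actor, start + i * spacing, app, f"/sites/finance/doc{i}.xlsx")
            for i in range(count)]


def sample_events():
    """Constructed audit events covering the cases the policy must separate."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    ev = []
    # alice: 600 files in ~20 minutes -> crosses 500 per 30 minutes
    ev += make_burst("alice@contoso.example", t0, 600, timedelta(seconds=2))
    # bob: 400 files in ~30 minutes -> stays below the threshold
    ev += make_burst("bob@contoso.example", t0, 400, timedelta(seconds=4.5))
    # carol: 600 files spread over 3 hours -> ~101 per 30-minute window, no alert
    ev += make_burst("carol@contoso.example", t0, 600, timedelta(seconds=18))
    # backup service account: same burst as alice, suppressed by actor exclusion
    ev += make_burst("svc-backup@contoso.example", t0, 600, timedelta(seconds=2))
    # dave via the sync client: same burst, suppressed by app exclusion
    ev += make_burst("dave@contoso.example", t0, 600, timedelta(seconds=2),
                     app="OneDrive Sync Client")
    return ev


if __name__ == "__main__":
    high_risk = {"alice@contoso.example"}   # assumed list of execs/admins
    for actor, alert in detect_mass_downloads(sample_events()).items():
        action = triage_action(actor, alert, high_risk, auto_suspend=False)
        print(f"{actor}: {alert['count']} downloads between {alert['first']} "
              f"and {alert['last']} via {alert['app']} -> {action}")
```

Lowering `threshold` shows why tuning matters: at 300 files per 30 minutes bob is flagged as well, while carol's slow drip still never trips the window. That slow-drip case is exactly where the external-sharing signal mentioned above is worth watching alongside the download count.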