If you suspect that a user or an attacker downloaded hundreds of files from OneDrive in a short period, you need a method to confirm it. Microsoft Purview provides audit logs that capture every file download event, including the user, file name, timestamp, and client IP address. This article explains how to search Purview for mass download activity, interpret the results, and set up alerts for future incidents.
Key Takeaways: Investigating Mass OneDrive Downloads in Purview
- Microsoft Purview compliance portal > Audit > Search: The primary location to query file download events using the “FileDownloaded” operation.
- Export audit logs to CSV: Allows you to sort by user, date, and file count in Excel or a script for pattern analysis.
- Create an alert policy: Automatically notifies security teams when a single user downloads more than a threshold of files within a time window.
What Triggers a Mass Download Event in OneDrive
When a user downloads multiple files from OneDrive, each file generates a separate audit event with the operation name FileDownloaded. A mass download is defined by an unusually high number of these events from a single user account in a short time span, such as 100 files in 10 minutes. The cause can be legitimate bulk export by a data analyst, but it can also indicate data exfiltration by a compromised account or a malicious insider. Microsoft Purview captures the source IP address, user agent string, and the exact file path for every download, which helps distinguish normal usage from suspicious behavior.
Prerequisites for Accessing Purview Audit Logs
Before you can search audit logs, your organization must have one of the following subscriptions: Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 eDiscovery and Audit add-on. Users who perform the search must be assigned the Audit Logs role in the Microsoft Purview compliance portal. Additionally, audit logging must be enabled for your tenant. To verify, go to Microsoft Purview compliance portal > Audit > Audit retention policies and confirm that the status shows Audit log search turned on.
Steps to Search for Mass Downloads in Purview Audit Logs
- Open the Microsoft Purview compliance portal: Sign in to compliance.microsoft.com with an account that has the Audit Logs role. In the left navigation, select Audit under Solutions.
- Set the date range and user filter: In the Audit search page, set the Start date and End date to cover the suspected incident window. In the User field, enter the user principal name of the account you want to investigate. Leave the File, folder, or site field blank to capture all activities.
- Filter by the FileDownloaded activity: Under Activities, click Show activities for all activities. In the search box, type FileDownloaded. Check the box next to FileDownloaded and then click Apply. This restricts results to only download events.
- Run the search: Click Search at the bottom of the page. Purview will display a list of matching audit records. The results show the date, user, IP address, and the name of each downloaded file. To view more details, select any record and click More information in the details pane.
- Export the results to CSV: Click Export at the top of the search results page. Choose Export all results. A CSV file will download. Open it in Excel or a text editor to sort and count the number of downloads per user, per hour, or per IP address.
Analyzing the Exported Data for Mass Download Patterns
After exporting the CSV, use the following techniques to identify mass download behavior:
- Count downloads per user: In Excel, use a pivot table with the User field in rows and the count of Item or File name in values. A count exceeding 50 files in a single day warrants further investigation.
- Check for rapid sequential downloads: Sort the CSV by the CreationTime column. If the same user downloaded 20 files within 60 seconds, that pattern suggests bulk download via a script or sync client.
- Review client IP addresses: If the IP address differs from the user’s usual location or comes from an unexpected geographic region, treat it as a red flag. Cross-reference with VPN or proxy logs if available.
- Look for downloads from a single folder: Group by the Item path column. Mass downloads often target a shared project folder or a document library containing sensitive data.
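As an added example, not code from the original article or from Microsoft, the following Python script applies the four checks above to an exported CSV. It assumes the export nests each event's details in an AuditData JSON column with CreationTime, UserId, Operation, ClientIP and ObjectId fields, and it builds a constructed sample export rather than reading a real one.

```python
import csv, io, ipaddress, json
from collections import Counter
from datetime import datetime, timedelta

def _rows(user, ip, folder, start, n, step_s):
    """Constructed FileDownloaded rows: n events by one user, step_s seconds apart."""
    for i in range(n):
        t = start + timedelta(seconds=step_s * i)
        data = {"CreationTime": t.isoformat(), "UserId": user, "Operation": "FileDownloaded",
                "ClientIP": ip, "ObjectId": f"{folder}/file{i}.docx"}
        yield [t.isoformat(), user, "FileDownloaded", json.dumps(data)]

def sample_export():
    """Constructed CSV in the assumed shape of a Purview export (details nested in AuditData JSON)."""
    w = csv.writer(buf := io.StringIO())
    w.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    # alice: 25 files in 50 seconds, late at night, from an address outside the office ranges
    w.writerows(_rows("alice@contoso.com", "203.0.113.44", "https://contoso-my.sharepoint.com/personal/alice/Documents/ProjectX", datetime(2024, 3, 4, 23, 10), 25, 2))
    # bob: 3 files spread over 40 minutes during the day, from the office range
    w.writerows(_rows("bob@contoso.com", "198.51.100.7", "https://contoso-my.sharepoint.com/personal/bob/Documents/Notes", datetime(2024, 3, 4, 10, 0), 3, 1200))
    return buf.getvalue()

def load_events(csv_text):
    """Parse the export and pull each download event out of the AuditData JSON column."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        d = json.loads(row["AuditData"])
        if d.get("Operation") == "FileDownloaded":
            d["when"] = datetime.fromisoformat(d["CreationTime"])
            events.append(d)
    return sorted(events, key=lambda e: e["when"])

def downloads_per_user(events):
    """Check 1: total download count per user (the pivot-table view)."""
    return Counter(e["UserId"] for e in events)

def burst_users(events, count=20, window_s=60):
    """Check 2: users with at least `count` downloads inside some window of window_s seconds."""
    ts = {}
    for e in events:                 # events are time-ordered, so each per-user list is too
        ts.setdefault(e["UserId"], []).append(e["when"])
    return {u for u, t in ts.items()
            if any(t[i + count - 1] - t[i] <= timedelta(seconds=window_s)
                   for i in range(len(t) - count + 1))}

def unknown_ip_events(events, known_ranges):
    """Check 3: events whose ClientIP falls outside the organisation's known public ranges."""
    nets = [ipaddress.ip_network(r) for r in known_ranges]
    return [e for e in events if not any(ipaddress.ip_address(e["ClientIP"]) in n for n in nets)]

def top_folders(events):
    """Check 4: download count per parent folder, to spot a single targeted library."""
    return Counter(e["ObjectId"].rsplit("/", 1)[0] for e in events)
```

The same `burst_users` check with `count=100, window_s=3600` implements the one-hour threshold used in the next section.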
If the Audit Log Shows Suspicious Activity
OneDrive download count exceeds 100 files in one hour
If the exported CSV shows more than 100 download events from one user within 60 minutes, take immediate action. First, contact the user to verify if the downloads were intentional. If the user confirms the activity, check whether they used a third-party tool or the OneDrive sync app. If the user does not recognize the downloads, assume the account is compromised. Reset the user’s password, revoke active sessions, and enable MFA if not already active.
Downloads originated from an unknown IP address
When the IP address in the audit log does not match the organization’s known public IP ranges or the user’s typical location, the account may have been accessed by an attacker. Use the IP address to query Microsoft Defender for Cloud Apps or your firewall logs for additional context. Block the IP address at the network level if possible, and require the user to reauthenticate.
Downloads happened outside business hours
Audit records with timestamps between 10 PM and 6 AM local time should be reviewed carefully. Even if the download count is moderate, the time of day alone can indicate automated exfiltration. Enable conditional access policies in Entra ID that restrict OneDrive access based on time and location.
Setting Up an Alert Policy for Future Mass Downloads
To receive automatic notifications when mass downloads occur, create an alert policy in the Microsoft Purview compliance portal:
- Navigate to Alert policies: In the Purview compliance portal, go to Policies > Alert > Alert policies. Click + New alert policy.
- Name the policy and select activity: Enter a name such as Mass OneDrive Download Alert. Under Activity, choose FileDownloaded from the list. Leave the user and file fields blank to cover all users.
- Set the threshold: Under Trigger alert when, select Number of times the activity occurs. Set the value to 50 and the time window to 30 minutes. This fires an alert when a single user downloads 50 files in half an hour.
- Assign recipients and save: Under Send alert to, enter the email addresses of your security team. Click Save to activate the policy.
Manual Audit Log Search vs Alert Policy: Comparison
| Item | Manual Audit Log Search | Alert Policy |
|---|---|---|
| Purpose | Investigate a specific past incident | Detect ongoing or future incidents in real time |
| Setup effort | None, search is available immediately | Requires creating a policy with threshold values |
| Data granularity | Exports every download event with full details | Only provides alert notification and a summary of the trigger |
| Best for | Forensic analysis and compliance reporting | Proactive security monitoring |
Use the manual search when you need a complete record of downloads for legal or compliance purposes. Use the alert policy when your security team needs immediate notification of suspicious bulk downloads.
You can now search Purview audit logs for mass OneDrive downloads, analyze the exported data for suspicious patterns, and create an alert policy to catch future incidents automatically. As a next step, review your conditional access policies in Entra ID to restrict OneDrive access based on device compliance and location. For advanced monitoring, integrate Purview alerts with Microsoft Sentinel using the Purview data connector to automate incident response.