Microsoft 365 Mass download by a single user
Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/15"
3integration = ["o365"]
4maturity = "development"
5updated_date = "2023/06/22"
6
7[rule]
8author = ["Austin Songer"]
9description = "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute."
10false_positives = ["Unknown"]
11from = "now-30m"
12index = ["filebeat-*", "logs-o365*"]
13language = "kuery"
14license = "Elastic License v2"
15name = "Microsoft 365 Mass download by a single user"
16note = """## Setup
17
18The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
19"""
20references = [
21 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
22 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
23]
24risk_score = 47
25rule_id = "571ff456-aa7f-4e48-8a88-39698bb5418f"
26severity = "medium"
27tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Mass download by a single user" and event.outcome:success
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38
39[rule.threat.tactic]
40id = "TA0010"
41name = "Exfiltration"
42reference = "https://attack.mitre.org/tactics/TA0010/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.