Microsoft 365 Mass download by a single user

 1[metadata]
 2creation_date = "2021/07/15"
 3integration = ["o365"]
 4maturity = "development"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute."
10false_positives = ["Unknown"]
11from = "now-30m"
12index = ["filebeat-*", "logs-o365*"]
13language = "kuery"
14license = "Elastic License v2"
15name = "Microsoft 365 Mass download by a single user"
16note = """## Triage and analysis
17
18> **Disclaimer**:
19> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
20
21### Investigating Microsoft 365 Mass download by a single user
22
23Microsoft 365 provides cloud-based productivity tools, enabling users to access and download data efficiently. However, adversaries can exploit this by performing mass downloads to exfiltrate sensitive information. The detection rule identifies suspicious activity by flagging instances where a user downloads an unusually high volume of data in a short period, indicating potential data exfiltration attempts. This helps security analysts quickly respond to and mitigate potential threats.
24
25### Possible investigation steps
26
27- Review the user's activity logs in Microsoft 365 to confirm the mass download event, focusing on the event.dataset:o365.audit and event.provider:SecurityComplianceCenter fields to ensure the event is accurately captured.
28- Check the user's recent login history and IP addresses to identify any unusual access patterns or locations that could indicate unauthorized access.
29- Analyze the specific files or data downloaded by the user to assess the sensitivity and potential impact of the data exfiltration.
30- Contact the user to verify if the downloads were legitimate and authorized, and gather any additional context or explanations for the activity.
31- Investigate any recent changes to the user's account permissions or roles that might have facilitated the mass download, ensuring that access controls are appropriately configured.
32- Review any related alerts or incidents in the security information and event management (SIEM) system to identify potential correlations or patterns with other suspicious activities.
33
34### False positive analysis
35
36- High-volume legitimate business operations may trigger the rule. Identify and whitelist users or departments known for frequent large data transfers, such as data analysts or IT personnel, to prevent unnecessary alerts.
37- Automated backup or synchronization tools can cause mass downloads. Review and exclude these activities by identifying the specific user accounts or applications involved in regular backup processes.
38- Software updates or deployments might result in mass downloads. Monitor and exclude these events by correlating them with scheduled maintenance windows or deployment activities.
39- Training or onboarding sessions that require downloading large amounts of data can be mistaken for suspicious activity. Coordinate with HR or training departments to anticipate and exclude these events from triggering alerts.
40
41### Response and remediation
42
43- Immediately isolate the affected user account to prevent further data exfiltration. This can be done by disabling the account or changing the password.
44- Review the downloaded files to assess the sensitivity and potential impact of the data exfiltrated. This will help in understanding the scope of the breach.
45- Notify the security team and relevant stakeholders about the incident to ensure coordinated response efforts and compliance with any regulatory requirements.
46- Conduct a thorough investigation to determine if the mass download was authorized or if it indicates a compromised account. This may involve checking for unusual login locations or times.
47- If the account is confirmed to be compromised, perform a full security audit of the affected user's activities and any other potentially impacted systems.
48- Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activities.
49- Review and update access controls and data download policies to prevent similar incidents in the future, ensuring that only necessary permissions are granted to users.
50
51## Setup
52
53The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
54"""
55references = [
56    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
57    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
58]
59risk_score = 47
60rule_id = "571ff456-aa7f-4e48-8a88-39698bb5418f"
61severity = "medium"
62tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"]
63timestamp_override = "event.ingested"
64type = "query"
65
66query = '''
67event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Mass download by a single user" and event.outcome:success
68'''
69
70
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73
74[rule.threat.tactic]
75id = "TA0010"
76name = "Exfiltration"
77reference = "https://attack.mitre.org/tactics/TA0010/"