Microsoft 365 Potential ransomware activity

 1[metadata]
 2creation_date = "2021/07/15"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
 6min_stack_version = "8.8.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected
13with ransomware.
14"""
15false_positives = [
16    """
17    If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may
18    represent an adverse encryption process.
19    """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Microsoft 365 Potential ransomware activity"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
29"""
30references = [
31    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
32    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
33]
34risk_score = 47
35rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29"
36severity = "medium"
37tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"]
38timestamp_override = "event.ingested"
39type = "query"
40
41query = '''
42event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1486"
50name = "Data Encrypted for Impact"
51reference = "https://attack.mitre.org/techniques/T1486/"
52
53
54[rule.threat.tactic]
55id = "TA0040"
56name = "Impact"
57reference = "https://attack.mitre.org/tactics/TA0040/"