Microsoft 365 Potential ransomware activity

Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.


 1[metadata]
 2creation_date = "2021/07/15"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected
11with ransomware.
12"""
13false_positives = [
14    """
15    If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may
16    represent an adverse encryption process.
17    """,
18]
19from = "now-30m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Microsoft 365 Potential ransomware activity"
24note = """## Setup
25
26The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
27"""
28references = [
29    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
30    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
31]
32risk_score = 47
33rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29"
34severity = "medium"
35tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1486"
48name = "Data Encrypted for Impact"
49reference = "https://attack.mitre.org/techniques/T1486/"
50
51
52[rule.threat.tactic]
53id = "TA0040"
54name = "Impact"
55reference = "https://attack.mitre.org/tactics/TA0040/"

Setup

This rule requires the Office 365 Logs Fleet integration, the Filebeat module, or similarly structured data.

References
