Microsoft 365 Unusual Volume of File Deletion
Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/07/15"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Austin Songer"]
9description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security."
10false_positives = ["Users or System Administrator cleaning out folders."]
11from = "now-30m"
12index = ["filebeat-*", "logs-o365*"]
13language = "kuery"
14license = "Elastic License v2"
15name = "Microsoft 365 Unusual Volume of File Deletion"
16note = """## Setup
17
18The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
19"""
20references = [
21 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
22 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
23]
24risk_score = 47
25rule_id = "b2951150-658f-4a60-832f-a00d1e6c6745"
26severity = "medium"
27tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1485"
40name = "Data Destruction"
41reference = "https://attack.mitre.org/techniques/T1485/"
42
43
44[rule.threat.tactic]
45id = "TA0040"
46name = "Impact"
47reference = "https://attack.mitre.org/tactics/TA0040/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
This article provides a description of Anomaly detection policies and provides reference information about the building blocks of an anomaly detection policy.
Read More -
This article provides information on policy templates included in Microsoft Defender for Cloud Apps.
Read More
Related rules
- Microsoft 365 Potential ransomware activity
- Google Workspace MFA Enforcement Disabled
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DLP Policy Removed