Microsoft 365 Unusual Volume of File Deletion

Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.

Elastic rule definition (TOML, as shipped in the detection-rules repository)

# Elastic prebuilt detection rule for Microsoft 365.
#
# The detection logic lives upstream: this rule does not count deletions
# itself. It promotes the "Unusual volume of file deletion" alert raised by
# Microsoft Cloud App Security (since rebranded Microsoft Defender for Cloud
# Apps) once that alert is written to the Microsoft 365 audit log by the
# Security & Compliance Center. If the upstream anomaly policy is disabled or
# Security & Compliance Center records are not ingested, this rule never
# fires -- silence is not evidence that no mass deletion occurred.
[metadata]
creation_date = "2021/07/15"
integration = ["o365"]
maturity = "production"
# The 8.8.0 floor exists because of the o365 integration change named in
# min_stack_comments; earlier stacks will not receive or run this rule.
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Austin Songer"]
description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security."
# Triage: bulk cleanup is the expected benign case, but this rule maps to
# T1485 Data Destruction, so an unexplained hit should be treated as potential
# deliberate destruction. Establish the acting user, the affected site or
# library, and whether the items are still recoverable before closing.
# NOTE(review): retention-policy purges, site migrations and sync-client mass
# removals are plausible additional benign sources -- confirm in your tenant
# before extending false_positives.
false_positives = ["Users or System Administrator cleaning out folders."]
# Lookback window; keep it in step with timestamp_override below.
# NOTE(review): presumably sized to tolerate late-arriving audit records --
# confirm the expected delivery lag for your tenant.
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Unusual Volume of File Deletion"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
# Upstream documentation for the anomaly detection policy this rule depends on.
# NOTE(review): these docs.microsoft.com paths appear to have moved under
# learn.microsoft.com; check that they still resolve when updating the rule.
references = [
    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
]
# 47 is the score Elastic conventionally pairs with "medium" severity.
risk_score = 47
rule_id = "b2951150-658f-4a60-832f-a00d1e6c6745"
severity = "medium"
# NOTE(review): "Use Case: Configuration Audit" reads oddly for a data
# destruction detection; confirm the intended use-case tag.
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"]
# Evaluate against ingestion time so records that arrive after their original
# event time still fall inside the `from` window.
timestamp_override = "event.ingested"
type = "query"

# The query keys on the alert *title* carried in event.action, scoped to
# records from the Security & Compliance Center; it does not inspect the
# individual file-deletion operations that triggered the alert. Because the
# match is an exact string, a rename of the upstream alert would break this
# rule silently -- NOTE(review): verify the title against the current Defender
# for Cloud Apps alert names when updating.
# NOTE(review): confirm that these alert records actually carry
# event.outcome:success; if the integration leaves it unset, the final clause
# suppresses every match.
query = '''
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success
'''


# ATT&CK mapping: a large volume of file deletion is treated as Data
# Destruction under the Impact tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

Setup

This rule requires Microsoft 365 audit data ingested by the Office 365 Logs Fleet integration, the Filebeat Office 365 module, or another source that populates the same fields the query filters on (event.dataset, event.provider, event.category, event.action, event.outcome). Because the query matches only the "Unusual volume of file deletion" alert produced by Microsoft Cloud App Security, the rule can fire only when that alert is being generated in the tenant and its Security & Compliance Center records reach the audit log; an absence of hits does not by itself show that no mass deletion occurred.

References

- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference

