M365 Security Compliance Potential Ransomware Activity

Identifies when Microsoft Cloud App Security flags potential ransomware activity in Microsoft 365. This rule detects events where the Security Compliance Center reports a "Ransomware activity" or "Potential ransomware activity" alert, which may indicate file encryption, mass file modifications, or uploads of ransomware-infected files to cloud services such as SharePoint or OneDrive.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/07/15"
integration = ["o365"]
maturity = "production"
updated_date = "2026/01/29"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when Microsoft Cloud App Security flags potential ransomware activity in Microsoft 365. This rule detects
events where the Security Compliance Center reports a "Ransomware activity" or "Potential ransomware activity" alert,
which may indicate file encryption, mass file modifications, or uploads of ransomware-infected files to cloud services
such as SharePoint or OneDrive.
"""
false_positives = [
    """
    If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may
    represent an adverse encryption process.
    """,
]
from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Security Compliance Potential Ransomware Activity"
note = """## Triage and analysis

### Investigating M365 Security Compliance Potential Ransomware Activity

Microsoft 365's cloud services can be exploited by adversaries to distribute ransomware by uploading infected files. This detection rule leverages Microsoft Cloud App Security to identify suspicious uploads, focusing on successful events flagged as potential ransomware activity. By monitoring specific event datasets and actions, it helps security analysts pinpoint and mitigate ransomware threats, aligning with MITRE ATT&CK's impact tactics.

### Possible investigation steps

- Identify the affected user account and review their recent file activity in Microsoft 365 for signs of mass file encryption, renaming with unusual extensions, or rapid file modifications.
- Examine the file names, extensions, and metadata of the flagged uploads to determine if they match known ransomware patterns (e.g., `.encrypted`, `.locked`, or ransom note files like `README.txt` or `DECRYPT_INSTRUCTIONS.html`).
- Correlate this alert with other security events from the same user or source IP, such as impossible travel, failed login attempts, or suspicious inbox rules, to identify potential account compromise.
- Check whether the affected user's endpoint shows signs of ransomware execution, such as high CPU usage, mass file system changes, or known ransomware process names.
- Review SharePoint or OneDrive file version history to determine the scope of encrypted or modified files and whether recovery via version rollback is possible.
- Contact the user to verify whether the activity is legitimate or if their account or device may have been compromised.

### False positive analysis

- Legitimate file uploads by trusted users may trigger alerts if the files are mistakenly flagged as ransomware. To manage this, create exceptions for specific users or groups who frequently upload large volumes of files.
- Automated backup processes that upload encrypted files to the cloud can be misidentified as ransomware activity. Exclude these processes by identifying and whitelisting the associated service accounts or IP addresses.
- Certain file types or extensions commonly used in business operations might be flagged. Review and adjust the detection rule to exclude these file types if they are consistently identified as false positives.
- Collaborative tools that sync files across devices may cause multiple uploads that appear suspicious. Monitor and exclude these tools by recognizing their typical behavior patterns and adjusting the rule settings accordingly.

### Response and remediation

- Immediately isolate the affected user account to prevent further uploads and potential spread of ransomware within the cloud environment.
- Quarantine the uploaded files flagged as potential ransomware to prevent access and further distribution.
- Conduct a thorough scan of the affected user's devices and cloud storage for additional signs of ransomware or other malicious activity.
- Notify the security operations team to initiate a deeper investigation into the source and scope of the ransomware activity.
- Restore any affected files from secure backups, ensuring that the backups are clean and free from ransomware.
- Review and update access controls and permissions for the affected user and related accounts to minimize the risk of future incidents.
- Escalate the incident to senior security management and, if necessary, involve legal or compliance teams to assess any regulatory implications.
"""
references = [
    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
    "https://www.microsoft.com/en-us/security/blog/threat-intelligence/ransomware/",
]
risk_score = 47
rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and
    event.provider:SecurityComplianceCenter and
    event.category:web and
    rule.name:("Ransomware activity" or "Potential ransomware activity") and
    event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1486"
name = "Data Encrypted for Impact"
reference = "https://attack.mitre.org/techniques/T1486/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
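The following is an added example, not code from Elastic or from the detection-rules repository. It re-implements the rule's KQL conditions in Python over constructed, ECS-shaped `o365.audit` events so the AND-ed clauses (dataset, provider, category, `rule.name`, outcome) can be checked offline, and it applies the exception the false-positive guidance suggests: matches from an allowlisted backup service account are set aside for review rather than raised as alerts. The field layout follows the query on this page; the event contents, the `make_event` helper and the `ALLOWLISTED_SERVICE_ACCOUNTS` set are constructed for illustration and are not part of the rule.

```python
# Added example (not Elastic's code): evaluate the page's KQL clauses in
# Python and apply an allowlist exception for backup service accounts.
from typing import Any, Iterable, List, Set, Tuple

# rule.name values the query matches, copied from the page's KQL.
RANSOMWARE_RULE_NAMES = {"Ransomware activity", "Potential ransomware activity"}

# Constructed allowlist (hypothetical): service accounts whose encrypted
# backup uploads are a known false-positive source per the guide above.
ALLOWLISTED_SERVICE_ACCOUNTS: Set[str] = {"svc-backup"}


def get_field(event: dict, dotted: str) -> Any:
    """Resolve a dotted ECS path such as "event.provider" against a nested dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def as_list(value: Any) -> list:
    """ECS permits event.category as a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def matches_rule(event: dict) -> bool:
    """Equivalent of the page's KQL: every clause must hold (they are AND-ed)."""
    return (
        get_field(event, "event.dataset") == "o365.audit"
        and get_field(event, "event.provider") == "SecurityComplianceCenter"
        and "web" in as_list(get_field(event, "event.category"))
        and get_field(event, "rule.name") in RANSOMWARE_RULE_NAMES
        and get_field(event, "event.outcome") == "success"
    )


def triage_events(events: Iterable[dict], allowlisted_users: Set[str]) -> Tuple[List[dict], List[dict]]:
    """Return (alerts, suppressed). Matches from allowlisted accounts are kept
    in the suppressed list rather than dropped, so an analyst can still audit
    what the exception swallowed."""
    alerts: List[dict] = []
    suppressed: List[dict] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        summary = {
            "timestamp": get_field(ev, "@timestamp"),
            "user": get_field(ev, "user.name"),
            "source_ip": get_field(ev, "source.ip"),
            "alert": get_field(ev, "rule.name"),
        }
        (suppressed if summary["user"] in allowlisted_users else alerts).append(summary)
    return alerts, suppressed


def make_event(user: str, rule_name: str, outcome: str = "success",
               provider: str = "SecurityComplianceCenter",
               ts: str = "2024-01-01T10:00:00Z") -> dict:
    """Constructed helper (hypothetical): build one ECS-shaped o365 audit event."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "o365.audit", "provider": provider,
                  "category": ["web"], "outcome": outcome},
        "rule": {"name": rule_name},
        "user": {"name": user},
        "source": {"ip": "203.0.113.10"},  # RFC 5737 documentation address
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    make_event("alice", "Potential ransomware activity"),                      # should alert
    make_event("bob", "Ransomware activity", outcome="failure"),               # outcome filter drops it
    make_event("svc-backup", "Ransomware activity"),                           # matches, but allowlisted
    make_event("carol", "Potential ransomware activity", provider="Exchange"),  # wrong provider
    make_event("dave", "Some other MCAS alert (constructed)"),                 # rule.name not in set
]

if __name__ == "__main__":
    found, held = triage_events(SAMPLE_EVENTS, ALLOWLISTED_SERVICE_ACCOUNTS)
    for a in found:
        print("ALERT     ", a)
    for s in held:
        print("SUPPRESSED", s)
```

Keeping suppressed matches rather than discarding them mirrors how a rule exception should be reviewed in practice: the allowlist removes noise from the alert queue, but a backup account that suddenly starts tripping the ransomware policy is still worth a periodic look.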
