Data Exfiltration to Unsanctioned Apps
Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.
Sigma rule
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
status: test
description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
  - attack.exfiltration
  - attack.t1537
logsource:
  service: threat_management
  product: m365
detection:
  selection:
    eventSource: SecurityComplianceCenter
    eventName: 'Data exfiltration to unsanctioned apps'
    status: success
  condition: selection
falsepositives:
  - Unknown
level: medium
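The selection above is a plain AND of three exact-match fields. As an added example (not part of the rule or of the SigmaHQ project), the following Python applies that selection to a handful of constructed Microsoft 365 audit records, so the match behaviour can be checked offline. The field names come from the rule; the JSON-lines layout, the record ids and the user names are assumptions made for illustration and do not reflect a real export.

```python
import json

# Selection block transcribed from the Sigma rule above. Sigma string
# matching is case-insensitive by default, so the matcher folds case.
SELECTION = {
    "eventSource": "SecurityComplianceCenter",
    "eventName": "Data exfiltration to unsanctioned apps",
    "status": "success",
}

# Constructed sample audit records (JSON lines). The field layout and the
# user names are an assumption for illustration, not a real M365 export.
SAMPLE_LOG = """\
{"id": "1", "eventSource": "SecurityComplianceCenter", "eventName": "Data exfiltration to unsanctioned apps", "status": "success", "user": "alice@example.test"}
{"id": "2", "eventSource": "SecurityComplianceCenter", "eventName": "Data exfiltration to unsanctioned apps", "status": "failure", "user": "bob@example.test"}
{"id": "3", "eventSource": "SecurityComplianceCenter", "eventName": "Mass download by a single user", "status": "success", "user": "carol@example.test"}
{"id": "4", "eventSource": "Exchange", "eventName": "Data exfiltration to unsanctioned apps", "status": "success", "user": "dave@example.test"}
"""


def matches_selection(record, selection=SELECTION):
    """True when every selection field is present and equal, ignoring case.
    A missing field never matches, which mirrors Sigma semantics."""
    for field, expected in selection.items():
        value = record.get(field)
        if value is None or str(value).casefold() != expected.casefold():
            return False
    return True


def find_alerts(log_text, selection=SELECTION):
    """Parse JSON-lines audit data and return the records that fire the rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole run
        if matches_selection(record, selection):
            hits.append(record)
    return hits


if __name__ == "__main__":
    # Only record 1 satisfies all three fields; 2 fails on status,
    # 3 on eventName and 4 on eventSource.
    for hit in find_alerts(SAMPLE_LOG):
        print(f"[medium] {hit['eventName']} by {hit['user']} (record {hit['id']})")
```

Because the rule keys only on `status: success`, a failed exfiltration attempt (record 2) is deliberately left out; if you want visibility into blocked attempts as well, that is a separate selection, not a change to this one.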
Related rules
- AWS EC2 VM Export Failure
- AWS S3 Data Management Tampering
- AWS Snapshot Backup Exfiltration
- Suspicious BlackCat-Related Exfiltration Command
- APT40 Dropbox Tool User Agent