Data Exfiltration to Unsanctioned Apps

Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.

Sigma rule (View on GitHub)

 1title: Data Exfiltration to Unsanctioned Apps
 2id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
 3status: test
 4description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
 5references:
 6    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 7    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
 8author: Austin Songer @austinsonger
 9date: 2021-08-23
10modified: 2022-10-09
11tags:
12    - attack.exfiltration
13    - attack.t1537
14logsource:
15    service: threat_management
16    product: m365
17detection:
18    selection:
19        eventSource: SecurityComplianceCenter
20        eventName: 'Data exfiltration to unsanctioned apps'
21        status: success
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium

References

Related rules

to-top