Microsoft OneDrive

Communication and Collaboration

Microsoft OneDrive - Cloud storage service for file sharing and collaboration.

Detection Rules for Microsoft OneDrive
These detection rules will target critical security events in Microsoft OneDrive, emphasizing unauthorized access, data exfiltration, and suspicious file activities to ensure the integrity and confidentiality of stored files. The rules are designed to identify potential threats and enhance monitoring for collaboration and file-sharing activities in the cloud environment.

Provider: Microsoft OneDrive

Detection Rule: Suspicious File Sharing Activity
  MITRE Tactic: Exfiltration
  MITRE Technique: T1071.001 - Application Layer Protocol: Web Protocols
  Criticality: High
  Investigation Actions (APIs): Use Microsoft Graph API to audit shared file logs and permissions
  Incident Creation Criteria: Incident if sensitive files are shared externally without authorization

Detection Rule: Unauthorized File Access
  MITRE Tactic: Credential Access
  MITRE Technique: T1078 - Valid Accounts
  Criticality: Critical
  Investigation Actions (APIs): Use Microsoft Graph API to monitor file access logs
  Incident Creation Criteria: Incident if an unauthorized user accesses files or modifies sensitive data

Detection Rule: Large File Upload/Download
  MITRE Tactic: Exfiltration
  MITRE Technique: T1048 - Exfiltration Over Alternative Protocol
  Criticality: High
  Investigation Actions (APIs): Monitor file uploads/downloads using the Graph API and storage quota limits
  Incident Creation Criteria: Incident if a large data transfer exceeds predefined thresholds

Detection Rule: Abnormal File Deletion
  MITRE Tactic: Exfiltration
  MITRE Technique: T1567.002 - Exfiltration Over Web Service
  Criticality: Critical
  Investigation Actions (APIs): Query sharing permissions and shared file metadata via Graph API
  Incident Creation Criteria: Incident if confidential data is shared externally

Detection Rule: Syncing from Unrecognized Device
  MITRE Tactic: Credential Access
  MITRE Technique: T1078 - Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Use Microsoft Graph API to check device IDs and login history
  Incident Creation Criteria: Incident if an unrecognized device is used for data syncing

Detection Rule: Malware in Uploaded Files
  MITRE Tactic: Execution
  MITRE Technique: T1203 - Exploitation for Client Execution
  Criticality: Critical
  Investigation Actions (APIs): Integrate the VirusTotal API to scan uploaded files for malware
  Incident Creation Criteria: Incident if malware or suspicious file signatures are detected

Detection Rule: Excessive File Downloads
  MITRE Tactic: Exfiltration
  MITRE Technique: T1020 - Automated Exfiltration
  Criticality: High
  Investigation Actions (APIs): Monitor user activity and download volume using Graph API; analyze for unexpected token usage
  Incident Creation Criteria: Incident if high-volume downloads are detected within a short time frame

Detection Rule: Suspicious Sharing Link Creation
  MITRE Tactic: Exfiltration
  MITRE Technique: T1071.001 - Application Layer Protocol: Web Protocols
  Criticality: Medium
  Investigation Actions (APIs): Review sharing link creation logs using Microsoft Graph API
  Incident Creation Criteria: Incident if public sharing links are created for sensitive documents

Detection Rule: Unusual Access from New Locations
  MITRE Tactic: Credential Access
  MITRE Technique: T1078 - Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Use Graph API to track access by geographical location and device
  Incident Creation Criteria: Incident if unusual login patterns are detected from unfamiliar locations

Detection Rule: Large Number of Permission Changes
  MITRE Tactic: Credential Access
  MITRE Technique: T1078 - Valid Accounts
  Criticality: High
  Investigation Actions (APIs): Check for unusual permission changes using Microsoft Graph API
  Incident Creation Criteria: Incident if there are mass permission changes or privilege escalations

Detection Rule: File Encryption Events
  MITRE Tactic: Impact
  MITRE Technique: T1486 - Data Encrypted for Impact
  Criticality: Critical
  Investigation Actions (APIs): Monitor for file encryption activities using audit logs
  Incident Creation Criteria: Incident if unauthorized encryption or ransomware activity is detected

Detection Rule: Privilege Escalation in OneDrive
  MITRE Tactic: Privilege Escalation
  MITRE Technique: T1078.004 - Privileged Account
  Criticality: Critical
  Investigation Actions (APIs): Use Microsoft Graph API to audit changes to admin-level accounts
  Incident Creation Criteria: Incident if unauthorized privilege escalation is detected

Detection Rule: Public Link Sharing of Sensitive Data
  MITRE Tactic: Exfiltration
  MITRE Technique: T1567.002 - Exfiltration Over Web Service
  Criticality: Critical
  Investigation Actions (APIs): Monitor link-sharing activities for sensitive files using Graph API
  Incident Creation Criteria: Incident if sensitive data is shared via public links
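As an added illustration (not part of this rule set or of any Microsoft API), the sliding-window threshold behind the Excessive File Downloads rule, run over constructed audit records and emitting an incident tagged with the rule's tactic, technique and criticality; the record field names and the 5-downloads-in-10-minutes threshold are assumptions, not the Graph or Office 365 audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule metadata as listed in the detection-rule table above.
RULE = {"name": "Excessive File Downloads", "tactic": "Exfiltration",
        "technique": "T1020 - Automated Exfiltration", "criticality": "High"}


def ev(user, op, hhmm, name):
    """Build one constructed audit record (hypothetical field names)."""
    return {"user": user, "operation": op, "time": f"2024-05-01T{hhmm}:00", "file": name}


# Constructed sample data: alice pulls 6 files in 8 minutes, bob and carol
# download at a normal, spread-out pace.
SAMPLE_EVENTS = (
    [ev("alice@example.com", "FileDownloaded", f"09:0{m}", f"report{m}.xlsx") for m in (0, 1, 2, 3, 5, 8)]
    + [ev("alice@example.com", "FileUploaded", "09:04", "notes.txt")]
    + [ev("bob@example.com", "FileDownloaded", t, "policy.pdf") for t in ("09:00", "11:00", "13:00")]
    + [ev("carol@example.com", "FileDownloaded", t, "deck.pptx") for t in ("09:00", "09:30", "10:00", "10:30", "11:00")]
)


def excessive_downloads(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: (count, window_start, window_end)} for each user whose
    FileDownloaded count inside some window of length `window` reaches
    `threshold`; the densest window per user is reported."""
    per_user = defaultdict(list)
    for e in events:
        if e["operation"] == "FileDownloaded":
            per_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (user not in hits or count > hits[user][0]):
                hits[user] = (count, times[start], t)
    return hits


def build_incidents(events, threshold=5, window=timedelta(minutes=10)):
    """Turn each threshold breach into an incident record carrying the rule's MITRE mapping."""
    return [{**RULE, "user": u, "downloads": c, "window_start": s.isoformat(), "window_end": e.isoformat()}
            for u, (c, s, e) in excessive_downloads(events, threshold, window).items()]
```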

APIs and Their Scopes

Detection Name: Suspicious File Sharing Activity
  API Required: Microsoft Graph API
  Scope Required: Files.Read.All, AuditLog.Read.All, Directory.Read.All
  Usage: Monitor shared file logs and file permission changes

Detection Name: Unauthorized File Access
  API Required: Microsoft Graph API
  Scope Required: AuditLog.Read.All, Directory.Read.All, Files.Read.All
  Usage: Access logs for file reads and edits by unauthorized users

Detection Name: Large File Upload/Download
  API Required: Microsoft Graph API
  Scope Required: Files.Read.All, AuditLog.Read.All
  Usage: Track large file uploads/downloads within OneDrive

Detection Name: Abnormal File Deletion
  API Required: Microsoft Graph API
  Scope Required: AuditLog.Read.All, Files.ReadWrite.All, Directory.Read.All
  Usage: Detect and audit mass deletion events and recover files

Detection Name: External Sharing of Confidential Files
  API Required: Microsoft Graph API
  Scope Required: Files.ReadWrite.All, AuditLog.Read.All, Directory.Read.All
  Usage: Monitor external sharing of confidential or sensitive files

Detection Name: Syncing from Unrecognized Device
  API Required: Microsoft Graph API
  Scope Required: AuditLog.Read.All, DeviceManagementManagedDevices.Read.All
  Usage: Check device login history and match it against authorized devices

Detection Name: Malware in Uploaded Files
  API Required: VirusTotal API / Microsoft Graph API
  Scope Required: VirusTotal API Key, Files.ReadWrite.All
  Usage: Scan files for malware using VirusTotal and monitor uploads

Detection Name: Excessive File Downloads
  API Required: Microsoft Graph API
  Scope Required: Files.Read.All, AuditLog.Read.All
  Usage: Track user activity for high-volume downloads

Detection Name: Suspicious Sharing Link Creation
  API Required: Microsoft Graph API
  Scope Required: Files.ReadWrite.All, AuditLog.Read.All
  Usage: Monitor the creation of sharing links, especially public ones

Detection Name: Unusual Access from New Locations
  API Required: Microsoft Graph API
  Scope Required: AuditLog.Read.All, User.Read.All, Directory.Read.All
  Usage: Track logins from unusual geographical locations

Detection Name: Large Number of Permission Changes
  API Required: Microsoft Graph API
  Scope Required: Directory.ReadWrite.All, AuditLog.Read.All
  Usage: Audit permission changes at scale and detect privilege escalation

Detection Name: File Encryption Events
  API Required: Microsoft Graph API
  Scope Required: AuditLog.Read.All, Files.ReadWrite.All, Directory.Read.All
  Usage: Detect suspicious file encryption activities

Detection Name: Privilege Escalation in OneDrive
  API Required: Microsoft Graph API
  Scope Required: Directory.ReadWrite.All, AuditLog.Read.All, User.ReadWrite.All
  Usage: Audit changes to admin-level accounts and privilege escalation

Detection Name: Public Link Sharing of Sensitive Data
  API Required: Microsoft Graph API
  Scope Required: Files.ReadWrite.All, AuditLog.Read.All, Directory.Read.All
  Usage: Monitor sharing of sensitive data via public links

Reports and Widgets for CISO

Report Name: User Access and Activity Report
  Widgets:
    Geo-map: Login Attempts by Location
    Bar Chart: Failed Login Attempts
    Line Graph: Successful Logins by Time
  Description: Provides an overview of user login patterns, highlighting unusual or unauthorized access attempts.

Report Name: Email Exfiltration Report
  Widgets:
    Pie Chart: Sensitive Data Exfiltration Attempts
    List/Table: Files Attached to External Emails
    Heatmap: Suspicious External Email Recipients
  Description: Monitors emails sent with attached files, focusing especially on sensitive data sent to external domains.

Report Name: Phishing Attempt Report
  Widgets:
    Bar Graph: Blocked Phishing Emails
    List/Table: Reported Phishing Emails
    Line Graph: Phishing Indicators Over Time
  Description: Tracks phishing attempts targeting the organization, highlighting blocked and user-reported phishing emails.

Report Name: Malware Detection in Attachments
  Widgets:
    Bar Chart: Malware Attachments Detected
    Table/List: Files Quarantined
    Pie Chart: Top Threat Attachments
  Description: Provides insight into malware detected in email attachments, helping to mitigate the spread of malicious files.

Report Name: Suspicious Email Forwarding Report
  Widgets:
    Table: Auto-Forwarding Rules
    Bar Chart: Emails Forwarded to External Domains
    Line Graph: Unusual Forwarding Patterns
  Description: Detects unauthorized email forwarding rules and patterns that might indicate data exfiltration or misuse.

Report Name: Compromised Account Report
  Widgets:
    Line Graph: Unusual Email Activity
    Heatmap: Login Activity from Unrecognized IPs
    Table/List: Accounts Flagged for Potential Compromise
  Description: Highlights accounts exhibiting unusual activity that may have been compromised by threat actors.

Report Name: Data Loss Prevention (DLP) Report
  Widgets:
    Table/List: DLP Policy Violations
    Bar Chart: Emails Containing Sensitive Information
    Pie Chart: Users with Most DLP Violations
  Description: Ensures compliance with DLP policies by tracking sensitive data in emails and attachments.

Report Name: Outlook Usage Report
  Widgets:
    Bar Chart: Top Senders by Email Volume
    Line Graph: Email Volume Over Time
    Pie Chart: Outlook Feature Usage
  Description: Provides operational insights, tracking high-volume email senders and usage patterns of Outlook features.