Microsoft OneDrive
Communication and Collaboration
Microsoft OneDrive - Cloud storage service for file sharing and collaboration.
Detection Rules for Microsoft OneDrive
These detection rules target critical security events in Microsoft OneDrive, with emphasis on unauthorized access, data exfiltration, and suspicious file activity, to protect the integrity and confidentiality of stored files. The rules are designed to identify potential threats and improve monitoring of collaboration and file-sharing activity in the cloud environment.
Provider: Microsoft OneDrive
Detection Rule | MITRE Tactic | MITRE Technique | Criticality |
---|---|---|---|
Suspicious File Sharing Activity | Exfiltration | T1071.001 - Application Layer Protocol: Web Protocols | High |
Unauthorized File Access | Credential Access | T1078 - Valid Accounts | Critical |
Large File Upload/Download | Exfiltration | T1048 - Exfiltration Over Alternative Protocol | High |
Abnormal File Deletion | Exfiltration | T1567.002 - Exfiltration Over Web Service | Critical |
Syncing from Unrecognized Device | Credential Access | T1078 - Valid Accounts | High |
Malware in Uploaded Files | Execution | T1203 - Exploitation for Client Execution | Critical |
Excessive File Downloads | Exfiltration | T1020 - Automated Exfiltration | High |
Suspicious Sharing Link Creation | Exfiltration | T1071.001 - Application Layer Protocol: Web Protocols | Medium |
Unusual Access from New Locations | Credential Access | T1078 - Valid Accounts | High |
Large Number of Permission Changes | Credential Access | T1078 - Valid Accounts | High |
File Encryption Events | Impact | T1486 - Data Encrypted for Impact | Critical |
Privilege Escalation in OneDrive | Privilege Escalation | T1078.004 - Privileged Account | Critical |
Public Link Sharing of Sensitive Data | Exfiltration | T1567.002 - Exfiltration Over Web Service | Critical |
APIs and Their Scopes
Detection Name | API Required | Scope Required | Usage |
---|---|---|---|
Suspicious File Sharing Activity | Microsoft Graph API | Files.Read.All, AuditLog.Read.All, Directory.Read.All | Monitor shared file logs and file permissions changes |
Unauthorized File Access | Microsoft Graph API | AuditLog.Read.All, Directory.Read.All, Files.Read.All | Access logs for file reads and edits by unauthorized users |
Large File Upload/Download | Microsoft Graph API | Files.Read.All, AuditLog.Read.All | Track large file uploads/downloads within OneDrive |
Abnormal File Deletion | Microsoft Graph API | AuditLog.Read.All, Files.ReadWrite.All, Directory.Read.All | Detect and audit mass deletion events and recover files |
External Sharing of Confidential Files | Microsoft Graph API | Files.ReadWrite.All, AuditLog.Read.All, Directory.Read.All | Monitor external sharing of confidential or sensitive files |
Syncing from Unrecognized Device | Microsoft Graph API | AuditLog.Read.All, DeviceManagementManagedDevices.Read.All | Check device login history and match with authorized devices |
Malware in Uploaded Files | VirusTotal API / Microsoft Graph API | VirusTotal API Key, Files.ReadWrite.All | Scan files for malware using VirusTotal and monitor uploads |
Excessive File Downloads | Microsoft Graph API | Files.Read.All, AuditLog.Read.All | Track user activity for high-volume downloads |
Suspicious Sharing Link Creation | Microsoft Graph API | Files.ReadWrite.All, AuditLog.Read.All | Monitor the creation of sharing links, especially public ones |
Unusual Access from New Locations | Microsoft Graph API | AuditLog.Read.All, User.Read.All, Directory.Read.All | Track logins from unusual geographical locations |
Large Number of Permission Changes | Microsoft Graph API | Directory.ReadWrite.All, AuditLog.Read.All | Audit permission changes at scale and detect privilege escalation |
File Encryption Events | Microsoft Graph API | AuditLog.Read.All, Files.ReadWrite.All, Directory.Read.All | Detect suspicious file encryption activities |
Privilege Escalation in OneDrive | Microsoft Graph API | Directory.ReadWrite.All, AuditLog.Read.All, User.ReadWrite.All | Audit changes in admin-level accounts and privilege escalation |
Public Link Sharing of Sensitive Data | Microsoft Graph API | Files.ReadWrite.All, AuditLog.Read.All, Directory.Read.All | Monitor sharing of sensitive data via public links |
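Two of the rules above, Excessive File Downloads and Public Link Sharing of Sensitive Data, reduce to simple logic over OneDrive audit records. The following is an added illustration, not the product's own rule code: it assumes records shaped like Microsoft 365 unified audit log entries (Workload, Operation, UserId, CreationTime, ObjectId fields) and uses constructed sample events; the thresholds and the sensitive-name pattern are assumptions to be tuned per tenant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed records in the shape of Microsoft 365 unified audit log entries
# for the OneDrive workload; not captured data.
def make_sample_events():
    base = datetime(2024, 5, 6, 9, 0, 0)
    events = []
    for i in range(60):  # alice: 60 downloads in 6 minutes -> should trip the burst rule
        events.append({"Workload": "OneDrive", "Operation": "FileDownloaded",
                       "UserId": "alice@example.com",
                       "CreationTime": (base + timedelta(seconds=6 * i)).isoformat(),
                       "ObjectId": f"https://example-my.sharepoint.com/personal/alice/doc{i}.docx"})
    for i in range(3):   # bob: 3 downloads spread over an hour -> normal
        events.append({"Workload": "OneDrive", "Operation": "FileDownloaded",
                       "UserId": "bob@example.com",
                       "CreationTime": (base + timedelta(minutes=20 * i)).isoformat(),
                       "ObjectId": "https://example-my.sharepoint.com/personal/bob/notes.txt"})
    # carol: "anyone" link on a file whose name marks it as sensitive
    events.append({"Workload": "OneDrive", "Operation": "AnonymousLinkCreated",
                   "UserId": "carol@example.com",
                   "CreationTime": (base + timedelta(minutes=2)).isoformat(),
                   "ObjectId": "https://example-my.sharepoint.com/personal/carol/Q3-Financials-CONFIDENTIAL.xlsx"})
    return events

def detect_burst(events, operation, threshold, window_minutes):
    """Alert once per user when >= threshold events of `operation` fall inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent, fired, alerts = defaultdict(deque), set(), []
    for e in sorted(events, key=lambda ev: ev["CreationTime"]):
        if e.get("Workload") != "OneDrive" or e.get("Operation") != operation:
            continue
        t = datetime.fromisoformat(e["CreationTime"])
        q = recent[e["UserId"]]
        q.append(t)
        while t - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["UserId"] not in fired:
            fired.add(e["UserId"])
            alerts.append({"rule": f"Excessive {operation}", "user": e["UserId"], "count": len(q),
                           "first": q[0].isoformat(), "last": t.isoformat()})
    return alerts

SENSITIVE_NAME = re.compile(r"confidential|secret|restricted", re.I)  # assumed naming convention

def detect_public_sensitive_links(events):
    """Alert on anonymous sharing links created for files whose names look sensitive."""
    return [{"rule": "Public Link Sharing of Sensitive Data", "user": e["UserId"], "file": e["ObjectId"]}
            for e in events if e.get("Operation") == "AnonymousLinkCreated"
            and SENSITIVE_NAME.search(e["ObjectId"].rsplit("/", 1)[-1])]
```

In a real deployment the same windowed counter serves the Abnormal File Deletion rule by passing the delete operation and its own threshold.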
Reports and Widgets for CISO
Report Name | Widgets | Description |
---|---|---|
User Access and Activity Report | Geo-map: Login Attempts by Location; Bar Chart: Failed Login Attempts; Line Graph: Successful Logins by Time | Provides an overview of user login patterns, highlighting unusual or unauthorized access attempts. |
Email Exfiltration Report | Pie Chart: Sensitive Data Exfiltration Attempts; List/Table: Files Attached to External Emails; Heatmap: Suspicious External Email Recipients | Monitors emails sent with attached files, especially focusing on sensitive data sent to external domains. |
Phishing Attempt Report | Bar Graph: Blocked Phishing Emails; List/Table: Reported Phishing Emails; Line Graph: Phishing Indicators Over Time | Tracks phishing attempts targeting the organization, highlighting blocked and user-reported phishing emails. |
Malware Detection in Attachments | Bar Chart: Malware Attachments Detected; Table/List: Files Quarantined; Pie Chart: Top Threat Attachments | Provides insight into malware detected in email attachments, helping to mitigate the spread of malicious files. |
Suspicious Email Forwarding Report | Table: Auto-Forwarding Rules; Bar Chart: Emails Forwarded to External Domains; Line Graph: Unusual Forwarding Patterns | Detects unauthorized email forwarding rules and patterns that might indicate data exfiltration or misuse. |
Compromised Account Report | Line Graph: Unusual Email Activity; Heatmap: Login Activity from Unrecognized IPs; Table/List: Accounts Flagged for Potential Compromise | Highlights accounts exhibiting unusual activity, potentially compromised by threat actors. |
Data Loss Prevention (DLP) Report | Table/List: DLP Policy Violations; Bar Chart: Emails Containing Sensitive Information; Pie Chart: Users with Most DLP Violations | Ensures compliance with DLP policies by tracking sensitive data in emails and attachments. |
Outlook Usage Report | Bar Chart: Top Senders by Email Volume; Line Graph: Email Volume Over Time; Pie Chart: Outlook Feature Usage | Provides operational insights, tracking high-volume email senders and usage patterns of Outlook features. |