OneDrive Malware File Upload
editOneDrive Malware File Upload
editIdentifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.
Rule type: query
Rule indices:
- filebeat-*
- logs-o365*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-30m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Microsoft 365
- Continuous Monitoring
- SecOps
- Lateral Movement
Version: 3 (version history)
Added (Elastic Stack release): 8.1.0
Last modified (Elastic Stack release): 8.4.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editBenign files can trigger signatures in the built-in virus protection
Investigation guide
editRule query
editevent.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Taint Shared Content
- ID: T1080
- Reference URL: https://attack.mitre.org/techniques/T1080/
Rule version history
edit- Version 3 (8.4.0 release)
-
- Formatting only