IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« O365 Email Reported by User as Malware or Phish SharePoint Malware File Upload »

› ›

OneDrive Malware File Upload

edit

OneDrive Malware File Upload

edit

Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.

Rule type: query

Rule indices:

filebeat-*
logs-o365*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide

Tags:

Elastic
Cloud
Microsoft 365
Continuous Monitoring
SecOps
Lateral Movement

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Config

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Taint Shared Content
- ID: T1080
- Reference URL: https://attack.mitre.org/techniques/T1080/

« O365 Email Reported by User as Malware or Phish SharePoint Malware File Upload »