security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
T

25 lines
798 B
YAML
Raw Normal View History

fix title
2021-08-20 09:06:16 +02:00
title: Microsoft 365 - Potential Ransomware Activity
Create microsoft365_potential_ransomware_activity.yml
2021-08-19 23:05:05 -05:00
id: bd132164-884a-48f1-aa2d-c6d646b04c69
status: experimental
Update microsoft365_potential_ransomware_activity.yml
2021-08-20 01:19:01 -05:00
description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
Create microsoft365_potential_ransomware_activity.yml
2021-08-19 23:05:05 -05:00
author: austinsonger
date: 2021/08/19
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
refactor: first bigger log source refactoring
2022-03-22 17:58:29 +01:00
service: threat_management
standardization
2021-11-09 07:27:25 +01:00
product: m365
Create microsoft365_potential_ransomware_activity.yml
2021-08-19 23:05:05 -05:00
detection:
selection:
eventSource: SecurityComplianceCenter
Change double quote to quote
2022-01-06 14:02:35 +01:00
eventName: 'Potential ransomware activity'
Create microsoft365_potential_ransomware_activity.yml
2021-08-19 23:05:05 -05:00
status: success
condition: selection
falsepositives:
Update microsoft365_potential_ransomware_activity.yml
2021-08-20 00:33:42 -05:00
- Unknown
Create microsoft365_potential_ransomware_activity.yml
2021-08-19 23:05:05 -05:00
level: medium
tags:
- attack.impact
- attack.t1486
Reference in New Issue Copy Permalink