From 99fbd4ef44d7ea9d6fabb12cfb4181f6089d9fb2 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 19 Aug 2021 23:00:23 -0500
Subject: [PATCH] Create microsoft365_unusual_volume_of_file_deletion.yml
---
 ...oft365_unusual_volume_of_file_deletion.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
new file mode 100644
index 000000000..82cea96d1
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
@@ -0,0 +1,24 @@
+title: Microsoft 365 - Unusual Volume of File Deletion
+id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
+author: austinsonger
+date: 2021/08/19
+references:
+ - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+ - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+ category: ThreatManagement
+ service: Office365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ eventName: "Unusual volume of file deletion"
+ status: success
+ condition: selection
+falsepositives:
+ -
+level: medium
+tags:
+ - attack.impact
+ - attack.t1485
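Review bot: The `falsepositives` list contains a single bare `-`, which YAML parses as a null item, so the rule ships with no documented false positive and will likely be rejected by the repository's rule validation; replace it with a concrete entry such as `  - Legitimate bulk file clean-up or migration performed by the reported user`, or `  - Unknown` if none is known yet. The `description` is also ungrammatical and should read `description: Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.`, which also makes clear that the detection simply relays an MCAS anomaly alert rather than computing the volume itself, so any threshold tuning lives in the MCAS policy referenced in `references`. The collapsed rendering of this patch flattens the indentation under `detection` and `selection`, so the key nesting cannot be verified here; please confirm the file parses with `eventSource`, `eventName` and `status` nested under `selection` before merging.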