[Rule Tuning] M365 Security Compliance Potential Ransomware Activity (#5653)
Fixes #5652
+28
-22
@@ -2,13 +2,15 @@
creation_date = "2021/07/15"
integration = ["o365"]
maturity = "production"
updated_date = "2025/12/10"
updated_date = "2026/01/29"
[rule]
author = ["Austin Songer"]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected
with ransomware.
Identifies when Microsoft Cloud App Security flags potential ransomware activity in Microsoft 365. This rule detects
events where the Security Compliance Center reports a "Ransomware activity" or "Potential ransomware activity" alert,
which may indicate file encryption, mass file modifications, or uploads of ransomware-infected files to cloud services
such as SharePoint or OneDrive.
"""
false_positives = [
"""
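Review bot: The rewritten description (`Identifies when Microsoft Cloud App Security flags potential ransomware activity in Microsoft 365. ...` through `such as SharePoint or OneDrive.`) now names two literal alert titles, "Ransomware activity" and "Potential ransomware activity", but does not say that this is an alert-forwarding rule whose fidelity is entirely that of the upstream Cloud App Security policy that raised the alert, nor that a renamed or localized alert title will silently stop it matching. Add one sentence to that effect so a tuner knows to adjust the upstream policy rather than this query. The `updated_date` bump and adding `Elastic` ahead of `Austin Songer` in `author` are fine; the original author stays credited.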
@@ -23,22 +25,18 @@ license = "Elastic License v2"
name = "M365 Security Compliance Potential Ransomware Activity"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating M365 Security Compliance Potential Ransomware Activity
Microsoft 365's cloud services can be exploited by adversaries to distribute ransomware by uploading infected files. This detection rule leverages Microsoft Cloud App Security to identify suspicious uploads, focusing on successful events flagged as potential ransomware activity. By monitoring specific event datasets and actions, it helps security analysts pinpoint and mitigate ransomware threats, aligning with MITRE ATT&CK's impact tactics.
### Possible investigation steps
- Review the event details in the Microsoft Cloud App Security console to confirm the specific files and user involved in the "Potential ransomware activity" alert.
- Check the event.dataset field for o365.audit logs to gather additional context about the user's recent activities and any other related events.
- Investigate the event.provider field to ensure the alert originated from the SecurityComplianceCenter, confirming the source of the detection.
- Analyze the event.category field to verify that the activity is categorized as web, which may indicate the method of file upload.
- Assess the user's recent activity history and permissions to determine if the upload was intentional or potentially malicious.
- Contact the user to verify the legitimacy of the uploaded files and gather any additional context or explanations for the activity.
- If the files are confirmed or suspected to be malicious, initiate a response plan to contain and remediate any potential ransomware threat, including isolating affected systems and notifying relevant stakeholders.
- Identify the affected user account and review their recent file activity in Microsoft 365 for signs of mass file encryption, renaming with unusual extensions, or rapid file modifications.
- Examine the file names, extensions, and metadata of the flagged uploads to determine if they match known ransomware patterns (e.g., `.encrypted`, `.locked`, or ransom note files like `README.txt` or `DECRYPT_INSTRUCTIONS.html`).
- Correlate this alert with other security events from the same user or source IP, such as impossible travel, failed login attempts, or suspicious inbox rules, to identify potential account compromise.
- Check whether the affected user's endpoint shows signs of ransomware execution, such as high CPU usage, mass file system changes, or known ransomware process names.
- Review SharePoint or OneDrive file version history to determine the scope of encrypted or modified files and whether recovery via version rollback is possible.
- Contact the user to verify whether the activity is legitimate or if their account or device may have been compromised.
### False positive analysis
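Review bot: The unchanged `### Investigating M365 Security Compliance Potential Ransomware Activity` paragraph (`... This detection rule leverages Microsoft Cloud App Security to identify suspicious uploads, focusing on successful events flagged as potential ransomware activity.`) still describes the rule as an upload detector, which now contradicts the new description's claim that it also covers in-place file encryption and mass file modification and the second alert title "Ransomware activity"; update it in the same commit. The replacement investigation steps are an improvement over the removed field-name walkthroughs (`Check the event.dataset field ...`, `Investigate the event.provider field ...`); one small point: in `Examine the file names, extensions, and metadata ...`, `README.txt` is a very common benign filename, so phrase the ransom-note examples as a corroborating signal rather than a match criterion.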
@@ -46,35 +44,43 @@ Microsoft 365's cloud services can be exploited by adversaries to distribute ran
- Automated backup processes that upload encrypted files to the cloud can be misidentified as ransomware activity. Exclude these processes by identifying and whitelisting the associated service accounts or IP addresses.
- Certain file types or extensions commonly used in business operations might be flagged. Review and adjust the detection rule to exclude these file types if they are consistently identified as false positives.
- Collaborative tools that sync files across devices may cause multiple uploads that appear suspicious. Monitor and exclude these tools by recognizing their typical behavior patterns and adjusting the rule settings accordingly.
- Regularly review and update the list of exceptions to ensure that only verified non-threatening activities are excluded, maintaining the balance between security and operational efficiency.
### Response and remediation
- Immediately isolate the affected user account to prevent further uploads and potential spread of ransomware within the cloud environment.
- Quarantine the uploaded files flagged as potential ransomware to prevent access and further distribution.
- Conduct a thorough scan of the affected user's devices and cloud storage for additional signs of ransomware or other malicious activity.
- Notify the security operations team to initiate a deeper investigation into the source and scope of the ransomware activity, leveraging MITRE ATT&CK techniques for guidance.
- Notify the security operations team to initiate a deeper investigation into the source and scope of the ransomware activity.
- Restore any affected files from secure backups, ensuring that the backups are clean and free from ransomware.
- Review and update access controls and permissions for the affected user and related accounts to minimize the risk of future incidents.
- Escalate the incident to senior security management and, if necessary, involve legal or compliance teams to assess any regulatory implications.
## Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
"https://www.microsoft.com/en-us/security/blog/threat-intelligence/ransomware/",
]
risk_score = 47
rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"]
tags = [
"Domain: Cloud",
"Domain: SaaS",
"Data Source: Microsoft 365",
"Data Source: Microsoft 365 Audit Logs",
"Use Case: Threat Detection",
"Tactic: Impact",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success
event.dataset:o365.audit and
event.provider:SecurityComplianceCenter and
event.category:web and
rule.name:("Ransomware activity" or "Potential ransomware activity") and
event.outcome:success
'''
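Review bot: The query now matches the alert title on `rule.name:("Ransomware activity" or "Potential ransomware activity")` instead of `event.action:"Potential ransomware activity"`, but keeps `event.category:web` and `event.outcome:success` unchanged; since the new description reframes this as a Security Compliance Center alert rather than a web upload event, confirm against a real alert document from the o365 integration that those two terms still hold, otherwise the field change repairs one non-matching clause and leaves another. Please also record in the `## Setup` note which field carries the alert title, because the only text there (`The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.`) gives a tuner nothing to verify. Separately, the unchanged false-positive guidance (`Review and adjust the detection rule to exclude these file types ...`, `Exclude these processes by identifying and whitelisting the associated service accounts or IP addresses.`) cannot be implemented in this query, which has no file-type, user or IP terms; point readers at the upstream Cloud App Security policy for those exclusions, and prefer "allowlisting". The tag change from `Use Case: Configuration Audit` to `Use Case: Threat Detection`, the added `Domain: SaaS` and `Data Source: Microsoft 365 Audit Logs` tags, and dropping `leveraging MITRE ATT&CK techniques for guidance` from the notification step are all appropriate for an alert-driven rule.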