From f7bc13b437a5f60bee7848c2340a081f41d2eccd Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 27 Jan 2022 16:19:16 -0300 Subject: [PATCH] [New Rule] OneDrive Malware File Upload (#1693) * "OneDrive Malware File Upload" Initial Rule * bump severity --- ...al_movement_malware_uploaded_onedrive.toml | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml new file mode 100644 index 000000000..cec974c2f --- /dev/null +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml @@ -0,0 +1,51 @@ +[metadata] +creation_date = "2022/01/10" +integration = "o365" +maturity = "production" +updated_date = "2022/01/10" + +[rule] +author = ["Elastic"] +description = """ +Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers +can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. +Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain +initial access to other endpoints in the environment. +""" +false_positives = ["Benign files can trigger signatures in the built-in virus protection"] +from = "now-30m" +index = ["filebeat-*", "logs-o365*"] +language = "kuery" +license = "Elastic License v2" +name = "OneDrive Malware File Upload" +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide", +] +risk_score = 73 +rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1" +severity = "high" +tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1080" +name = "Taint Shared Content" +reference = "https://attack.mitre.org/techniques/T1080/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/"