Techniques
Sample rules
Microsoft 365 Potential ransomware activity
- source: elastic
- techniques:
- T1486
Description
Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.
Detection logic
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success