LoFP / if cloud app security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process.

Techniques

• T1486

Sample rules

M365 Security Compliance Potential Ransomware Activity

• source: elastic
• technicques:
  • T1486

Description

Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.

Detection logic

event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success