If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities, it may represent an adverse encryption process.

Techniques

Sample rules

M365 Security Compliance Potential Ransomware Activity

Description

Identifies when Microsoft Cloud App Security flags potential ransomware activity in Microsoft 365. This rule detects events where the Security Compliance Center reports a “Ransomware activity” or “Potential ransomware activity” alert, which may indicate file encryption, mass file modifications, or uploads of ransomware-infected files to cloud services such as SharePoint or OneDrive.

Detection logic

event.dataset:o365.audit and
    event.provider:SecurityComplianceCenter and
    event.category:web and
    rule.name:("Ransomware activity" or "Potential ransomware activity") and
    event.outcome:success
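As an added example (not code from the LoFP page or from the rule's own source), a small Python matcher that applies the five clauses of the query above to ECS-shaped o365.audit documents built inline: one "Potential ransomware activity" alert that fires, one other Security & Compliance Center alert that does not, and one raw SharePoint bulk file operation that the alert-based rule never sees by itself; the document shapes, user names and the "Malware detected" alert name are assumptions.

```python
# Added example, not code from the page or the rule's source: applies the five
# clauses of the query above to ECS-shaped o365.audit documents built inline.
RANSOMWARE_RULE_NAMES = {"Ransomware activity", "Potential ransomware activity"}

def get_field(doc, dotted):
    """Resolve a dotted ECS field name such as 'event.category' in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_has(doc, dotted, expected):
    """KQL-style equality: the field equals, or (for array fields) contains, the value."""
    value = get_field(doc, dotted)
    return expected in value if isinstance(value, list) else value == expected

def matches_rule(doc):
    """True when one document satisfies every clause of the detection logic."""
    return (
        field_has(doc, "event.dataset", "o365.audit")
        and field_has(doc, "event.provider", "SecurityComplianceCenter")
        and field_has(doc, "event.category", "web")
        and any(field_has(doc, "rule.name", n) for n in RANSOMWARE_RULE_NAMES)
        and field_has(doc, "event.outcome", "success")
    )

def find_alerts(docs):
    """(user, rule name) pairs for the documents the rule would flag, in input order."""
    return [(get_field(d, "user.name"), get_field(d, "rule.name"))
            for d in docs if matches_rule(d)]

# Constructed sample documents (assumed values): two Security & Compliance Center
# alerts and the raw SharePoint file operation the rule never sees on its own.
SAMPLE_DOCS = [
    {"event": {"dataset": "o365.audit", "provider": "SecurityComplianceCenter",
               "category": ["web"], "outcome": "success"},
     "rule": {"name": "Potential ransomware activity"},
     "user": {"name": "alice@example.test"}},
    {"event": {"dataset": "o365.audit", "provider": "SecurityComplianceCenter",
               "category": ["web"], "outcome": "success"},
     "rule": {"name": "Malware detected"},  # other alert type: must not match
     "user": {"name": "bob@example.test"}},
    {"event": {"dataset": "o365.audit", "provider": "SharePoint",
               "category": ["file"], "outcome": "success"},
     "user": {"name": "carol@example.test"}},  # bulk upload itself: no rule.name
]
if __name__ == "__main__":
    print(find_alerts(SAMPLE_DOCS))  # [('alice@example.test', 'Potential ransomware activity')]
```

The third document is the kind of high-rate upload activity the false-positive note refers to: the rule only sees it once Cloud App Security has turned it into a "Potential ransomware activity" alert, so triage has to look back at the underlying file operations.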