M365 OneDrive Excessive File Downloads with OAuth Token
- source: elastic
- techniques:
  - T1530
Description
Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download files from OneDrive.
Detection logic
from logs-o365.audit-*
| where
    @timestamp > now() - 14d and
    event.dataset == "o365.audit" and
    event.provider == "OneDrive" and
    event.action == "FileDownloaded" and
    o365.audit.AuthenticationType == "OAuth" and
    event.outcome == "success"
| eval
    Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
| keep
    Esql.time_window_date_trunc,
    o365.audit.UserId,
    file.name,
    source.ip
| stats
    Esql.file_name_count_distinct = count_distinct(file.name),
    Esql.event_count = count(*)
  by
    Esql.time_window_date_trunc,
    o365.audit.UserId,
    source.ip
| where
    Esql.file_name_count_distinct >= 25
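The same pipeline (filter, 1-minute truncation, distinct file count per user and source IP, threshold) as a stand-alone Python function run over constructed sample events, added here as an illustration and not part of the Elastic rule. The `_ev` helper, the event dicts and the non-OAuth value "Password" are assumptions; the `since` argument stands in for the 14-day lookback.

```python
from collections import defaultdict
from datetime import datetime

def _ev(ts, user, name, ip, auth="OAuth", outcome="success"):
    # Constructed o365.audit event carrying only the fields the rule filters or aggregates on.
    return {"@timestamp": ts, "event.dataset": "o365.audit", "event.provider": "OneDrive",
            "event.action": "FileDownloaded", "o365.audit.AuthenticationType": auth,
            "event.outcome": outcome, "o365.audit.UserId": user, "file.name": name, "source.ip": ip}

# Constructed sample events (not real telemetry), one scenario per user.
SAMPLE_EVENTS = (
    # alice: 30 distinct files, one IP, within one minute -> above the threshold of 25
    [_ev(f"2024-05-01T10:00:{i:02d}Z", "alice@example.com", f"report_{i}.xlsx", "203.0.113.5") for i in range(30)]
    # bob: the same file 30 times -> count_distinct(file.name) stays 1
    + [_ev(f"2024-05-01T10:01:{i:02d}Z", "bob@example.com", "handbook.pdf", "198.51.100.7") for i in range(30)]
    # carol: 30 distinct files but 15 per minute across two windows -> under threshold per window
    + [_ev(f"2024-05-01T10:0{2 + i // 15}:{i % 15:02d}Z", "carol@example.com", f"f{i}.docx", "192.0.2.9") for i in range(30)]
    # dave: 30 distinct files but not OAuth ("Password" is a placeholder value) -> filtered out
    + [_ev(f"2024-05-01T10:05:{i:02d}Z", "dave@example.com", f"d{i}.pptx", "192.0.2.10", auth="Password") for i in range(30)]
)

def detect_excessive_downloads(events, threshold=25, since=None):
    """Mirror the ES|QL pipeline: filter, truncate to 1-minute windows, count distinct
    file names per (window, user, source ip), keep buckets at or above the threshold."""
    buckets = defaultdict(lambda: {"files": set(), "events": 0})
    for e in events:
        if not (e["event.dataset"] == "o365.audit" and e["event.provider"] == "OneDrive"
                and e["event.action"] == "FileDownloaded"
                and e["o365.audit.AuthenticationType"] == "OAuth"
                and e["event.outcome"] == "success"):
            continue
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        if since is not None and ts <= since:  # stands in for @timestamp > now() - 14d
            continue
        window = ts.replace(second=0, microsecond=0)  # date_trunc(1 minutes, @timestamp)
        b = buckets[(window, e["o365.audit.UserId"], e["source.ip"])]
        b["files"].add(e["file.name"])
        b["events"] += 1
    return [{"window": w.isoformat(), "user": u, "source_ip": ip,
             "distinct_files": len(b["files"]), "events": b["events"]}
            for (w, u, ip), b in sorted(buckets.items()) if len(b["files"]) >= threshold]
```

Only alice's minute trips the default threshold; lowering it to 15 also surfaces carol's two windows, which shows how the per-minute truncation can split a slow download across buckets.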