LoFP / legitimate users may download files from OneDrive using OAuth authentication (for example, the OneDrive sync client or a sanctioned third-party app holding a delegated token). Ensure that the downloads are authorized and that the user, the source IP and the consuming application are known before taking action.

Techniques

Sample rules

M365 OneDrive Excessive File Downloads with OAuth Token

Description

Identifies when an excessive number of distinct files are downloaded from OneDrive within a one-minute window using OAuth authentication. Adversaries may conduct phishing campaigns (including device code phishing) to steal OAuth tokens and impersonate users; the stolen access token can then be used to download files from OneDrive without a password or an interactive sign-in.

Detection logic

FROM logs-o365.audit-*
| WHERE @timestamp > now() - 14 day
| WHERE
    event.dataset == "o365.audit" and

    // filter on files downloaded from OneDrive
    event.provider == "OneDrive" and
    event.action == "FileDownloaded" and

    // filter on OAuth authentication which encompasses device code workflow
    o365.audit.AuthenticationType == "OAuth"
    and event.outcome == "success"
// bucket download events by 1 minute
| EVAL target_time_window = DATE_TRUNC(1 minutes, @timestamp)
| KEEP target_time_window, o365.audit.UserId, file.name, source.ip

// aggregate on unique file names and download attempts
| STATS unique_file_count = count_distinct(file.name), download_attempt_count = count(*) BY target_time_window, o365.audit.UserId, source.ip

// adjustable threshold for the number of unique files in one window that counts as "excessive"
| WHERE unique_file_count >= 25
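To make the bucketing and aggregation concrete, and to show where the false positives named above come from, here is an added Python re-implementation of the same filter, 1-minute DATE_TRUNC and STATS logic run over a constructed set of o365.audit events. It is example code written for this page, not Elastic's rule or any library API; the event dicts, user names, IPs and file names are invented, and the ES|QL query above remains the authoritative detection logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real audit data). Each dict carries only the
# ECS / o365.audit fields the rule's WHERE clause and STATS actually key on.
def _event(ts, user, ip, fname, auth="OAuth", outcome="success"):
    return {
        "@timestamp": ts,
        "event.dataset": "o365.audit",
        "event.provider": "OneDrive",
        "event.action": "FileDownloaded",
        "event.outcome": outcome,
        "o365.audit.AuthenticationType": auth,
        "o365.audit.UserId": user,
        "file.name": fname,
        "source.ip": ip,
    }

T0 = datetime(2024, 5, 1, 9, 0, 0, tzinfo=timezone.utc)   # start of the sample minute
NOW = T0 + timedelta(hours=1)                               # "now()" for the 14-day lookback

def build_sample_events():
    ev = []
    # Case 1: token-theft style burst, 30 distinct files in one minute over OAuth -> should alert.
    for i in range(30):
        ev.append(_event(T0 + timedelta(seconds=i), "mallory@example.com", "203.0.113.10", f"finance/q1-{i}.xlsx"))
    # Case 2: same volume, one file every 4 s, so it straddles two windows (15 + 15) -> no alert.
    for i in range(30):
        ev.append(_event(T0 + timedelta(seconds=i * 4), "bob@example.com", "198.51.100.7", f"docs/spec-{i}.docx"))
    # Case 3: 30 download events but only 5 distinct files (client retries) -> unique count is 5.
    for i in range(30):
        ev.append(_event(T0 + timedelta(seconds=i), "carol@example.com", "198.51.100.8", f"shared/deck-{i % 5}.pptx"))
    # Case 4: 30 distinct files in a minute but browser-session auth, not OAuth -> filtered out.
    for i in range(30):
        ev.append(_event(T0 + timedelta(seconds=i), "dave@example.com", "192.0.2.5", f"hr/file-{i}.pdf", auth="FormsCookieAuth"))
    # Case 5: failed downloads are dropped by event.outcome == "success".
    for i in range(30):
        ev.append(_event(T0 + timedelta(seconds=i), "eve@example.com", "192.0.2.6", f"x/{i}.txt", outcome="failure"))
    return ev

def matches_filter(ev, now, lookback_days=14):
    """Mirror of the rule's WHERE clause."""
    return (
        ev["@timestamp"] > now - timedelta(days=lookback_days)
        and ev["event.dataset"] == "o365.audit"
        and ev["event.provider"] == "OneDrive"
        and ev["event.action"] == "FileDownloaded"
        and ev["o365.audit.AuthenticationType"] == "OAuth"
        and ev["event.outcome"] == "success"
    )

def date_trunc_minute(ts):
    """DATE_TRUNC(1 minutes, @timestamp): floor to the start of the minute."""
    return ts.replace(second=0, microsecond=0)

def aggregate(events, now=NOW):
    """STATS unique_file_count, download_attempt_count BY window, user, source.ip."""
    files, attempts = defaultdict(set), defaultdict(int)
    for ev in events:
        if not matches_filter(ev, now):
            continue
        key = (date_trunc_minute(ev["@timestamp"]), ev["o365.audit.UserId"], ev["source.ip"])
        files[key].add(ev["file.name"])
        attempts[key] += 1
    return {k: {"unique_file_count": len(files[k]), "download_attempt_count": attempts[k]} for k in files}

def excessive_downloads(events, now=NOW, threshold=25):
    """Final WHERE unique_file_count >= threshold; returns only the buckets that would alert."""
    return {k: v for k, v in aggregate(events, now).items() if v["unique_file_count"] >= threshold}

if __name__ == "__main__":
    for (window, user, ip), counts in excessive_downloads(build_sample_events()).items():
        print(window.isoformat(), user, ip, counts)
```

Only the first case alerts: 30 distinct files from one user and one IP inside one truncated minute. Cases 2 and 3 are the shape of the legitimate activity the LoFP note describes: a sync client or a user fetching a folder can produce the same attempt count but either spread it across windows or hit the same few files repeatedly, so when tuning the threshold compare unique_file_count with download_attempt_count rather than either alone. One caveat for the production query: ES|QL's COUNT_DISTINCT is an approximate (HyperLogLog++) count, so unique_file_count for a bucket sitting exactly at the threshold can differ by a small margin from the exact set size computed here.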