Filewall - Blocked files

Back


Id	86e7f6fd-5c29-4a3a-bced-3eca3fb0c621
Rulename	Filewall - Blocked files
Description	Identifies files blocked by Filewall for Microsoft 365 (SharePoint/OneDrive/Teams).
Severity	High
Tactics	Exfiltration
Techniques	T1048
Required data connectors	FilewallM365
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedFiles.yaml
Version	1.0.0
Arm template	86e7f6fd-5c29-4a3a-bced-3eca3fb0c621.json

KQL

FilewallM365FileEvent()
| where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
| where EventType == 'FileBlocked'

YAML

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorUsername
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: TargetFileName
  - identifier: Directory
    columnName: TargetFilePath
tactics:
- Exfiltration
requiredDataConnectors:
- dataTypes:
  - FilewallFile_CL
  connectorId: FilewallM365
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT1H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 86e7f6fd-5c29-4a3a-bced-3eca3fb0c621
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
query: |
  FilewallM365FileEvent()
  | where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
  | where EventType == 'FileBlocked'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedFiles.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.0.0
name: Filewall - Blocked files
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1048
description: Identifies files blocked by Filewall for Microsoft 365 (SharePoint/OneDrive/Teams).
triggerOperator: gt

ARM