Filewall - Blocked files

Back


Id	86e7f6fd-5c29-4a3a-bced-3eca3fb0c621
Rulename	Filewall - Blocked files
Description	Identifies files blocked by Filewall for Microsoft 365 (SharePoint/OneDrive/Teams).
Severity	High
Tactics	Exfiltration
Techniques	T1048
Required data connectors	FilewallM365
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedFiles.yaml
Version	1.0.0
Arm template	86e7f6fd-5c29-4a3a-bced-3eca3fb0c621.json

KQL

FilewallM365FileEvent()
| where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
| where EventType == 'FileBlocked'

YAML

status: Available
query: |
  FilewallM365FileEvent()
  | where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
  | where EventType == 'FileBlocked'  
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedFiles.yaml
tactics:
- Exfiltration
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorUsername
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: TargetFileName
  - identifier: Directory
    columnName: TargetFilePath
requiredDataConnectors:
- connectorId: FilewallM365
  dataTypes:
  - FilewallFile_CL
kind: Scheduled
relevantTechniques:
- T1048
description: Identifies files blocked by Filewall for Microsoft 365 (SharePoint/OneDrive/Teams).
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT1H
    enabled: false
  createIncident: true
name: Filewall - Blocked files
version: 1.0.0
id: 86e7f6fd-5c29-4a3a-bced-3eca3fb0c621
severity: High

ARM