Unusual Volume of file deletion by users
Id | e5f8e196-3544-4a8b-96a9-17c1b6a49710 |
Rulename | Unusual Volume of file deletion by users |
Description | This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here. This applies to SharePoint and OneDrive users. Audit event and Cloud application identifier references. Reference - https://learn.microsoft.com/microsoft-365/compliance/audit-log-activities?view=o365-worldwide Reference - https://learn.microsoft.com/azure/sentinel/entities-reference#cloud-application-identifiers |
Severity | High |
Tactics | Impact |
Techniques | T1485 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Impact/AnomalousVoulmeOfFileDeletion.yaml |
Version | 1.0.1 |
Arm template | e5f8e196-3544-4a8b-96a9-17c1b6a49710.json |
let relevantOperations = pack_array("FileDeleted", "FileRecycled", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin", "FileVersionsAllMinorsRecycled", "FileVersionRecycled", "FileVersionsAllRecycled");
let relevantAppIds = pack_array(int(20892), int(15600)); // App Ids for SharePoint and OneDrive
let timeWindow = 7d;
let timeNow = now();
//
let riskyUsers= // Look for users with risky sign-ins
SigninLogs
| where CreatedDateTime between ((timeNow - timeWindow) .. (timeNow))
| where isnotempty(UserId) and isnotempty(OriginalRequestId)
| where ResultType == '0'
| where RiskLevelDuringSignIn == 'high'
| project RiskLevelDuringSignIn, UserId, CreatedDateTime, SessionId=OriginalRequestId
;
let hasUsers = isnotempty(toscalar(riskyUsers));
//
let deleteEvents = // look for file deletion activity and scope it to risky users
CloudAppEvents
| where hasUsers
| where TimeGenerated between ((timeNow - timeWindow) .. (timeNow))
| where ApplicationId in (relevantAppIds)
| where isnotempty(AccountObjectId)
| where AccountObjectId in (riskyUsers)
| where ActionType in (relevantOperations)
| extend SessionId= tostring(RawEventData.AppAccessContext.AADSessionId)
| where isnotempty(SessionId)
| project UserId=AccountObjectId, AccountDisplayName, ApplicationId, SessionId, ActionType, TimeGenerated, ReportId
;
//
deleteEvents
| join kind=leftsemi riskyUsers on UserId, SessionId
| summarize Count=count() , (Timestamp, ReportId)=arg_min(TimeGenerated, ReportId) by UserId, AccountDisplayName, ApplicationId, ActionType, Time=bin(TimeGenerated, 5m)
// look for only those scoped users who have generated an increase in file deletion activity.
| summarize TotalCount= countif(Count > 50), (Timestamp, ReportId)=arg_min(Timestamp, ReportId) by UserId, AccountDisplayName, ApplicationId
| where TotalCount >= 3
| project UserId, AccountDisplayName, ApplicationId, TotalCount, ReportId, Timestamp
| extend NTDomain = tostring(split(AccountDisplayName,'\\',0)[0]), Name = tostring(split(AccountDisplayName,'\\',1)[0])
queryPeriod: 1h
version: 1.0.1
tactics:
- Impact
queryFrequency: 1h
id: e5f8e196-3544-4a8b-96a9-17c1b6a49710
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- CloudAppEvents
- AADSignInEventsBeta
connectorId: MicrosoftThreatProtection
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Impact/AnomalousVoulmeOfFileDeletion.yaml
entityMappings:
- entityType: Account
fieldMappings:
- columnName: UserId
identifier: AadUserId
- entityType: Account
fieldMappings:
- columnName: Name
identifier: Name
- columnName: NTDomain
identifier: NTDomain
- entityType: CloudApplication
fieldMappings:
- columnName: ApplicationId
identifier: AppId
triggerThreshold: 0
relevantTechniques:
- T1485
query: |
let relevantOperations = pack_array("FileDeleted", "FileRecycled", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin", "FileVersionsAllMinorsRecycled", "FileVersionRecycled", "FileVersionsAllRecycled");
let relevantAppIds = pack_array(int(20892), int(15600)); // App Ids for SharePoint and OneDrive
let timeWindow = 7d;
let timeNow = now();
//
let riskyUsers= // Look for users with risky sign-ins
SigninLogs
| where CreatedDateTime between ((timeNow - timeWindow) .. (timeNow))
| where isnotempty(UserId) and isnotempty(OriginalRequestId)
| where ResultType == '0'
| where RiskLevelDuringSignIn == 'high'
| project RiskLevelDuringSignIn, UserId, CreatedDateTime, SessionId=OriginalRequestId
;
let hasUsers = isnotempty(toscalar(riskyUsers));
//
let deleteEvents = // look for file deletion activity and scope it to risky users
CloudAppEvents
| where hasUsers
| where TimeGenerated between ((timeNow - timeWindow) .. (timeNow))
| where ApplicationId in (relevantAppIds)
| where isnotempty(AccountObjectId)
| where AccountObjectId in (riskyUsers)
| where ActionType in (relevantOperations)
| extend SessionId= tostring(RawEventData.AppAccessContext.AADSessionId)
| where isnotempty(SessionId)
| project UserId=AccountObjectId, AccountDisplayName, ApplicationId, SessionId, ActionType, TimeGenerated, ReportId
;
//
deleteEvents
| join kind=leftsemi riskyUsers on UserId, SessionId
| summarize Count=count() , (Timestamp, ReportId)=arg_min(TimeGenerated, ReportId) by UserId, AccountDisplayName, ApplicationId, ActionType, Time=bin(TimeGenerated, 5m)
// look for only those scoped users who have generated an increase in file deletion activity.
| summarize TotalCount= countif(Count > 50), (Timestamp, ReportId)=arg_min(Timestamp, ReportId) by UserId, AccountDisplayName, ApplicationId
| where TotalCount >= 3
| project UserId, AccountDisplayName, ApplicationId, TotalCount, ReportId, Timestamp
| extend NTDomain = tostring(split(AccountDisplayName,'\\',0)[0]), Name = tostring(split(AccountDisplayName,'\\',1)[0])
kind: Scheduled
name: Unusual Volume of file deletion by users
customDetails:
Count: TotalCount
description: |
This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here.
This applies to SharePoint and OneDrive users.
Audit event and Cloud application identifier references.
Reference - https://learn.microsoft.com/microsoft-365/compliance/audit-log-activities?view=o365-worldwide
Reference - https://learn.microsoft.com/azure/sentinel/entities-reference#cloud-application-identifiers
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e5f8e196-3544-4a8b-96a9-17c1b6a49710')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e5f8e196-3544-4a8b-96a9-17c1b6a49710')]",
"properties": {
"alertRuleTemplateName": "e5f8e196-3544-4a8b-96a9-17c1b6a49710",
"customDetails": {
"Count": "TotalCount"
},
"description": "This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here.\nThis applies to SharePoint and OneDrive users.\nAudit event and Cloud application identifier references.\nReference - https://learn.microsoft.com/microsoft-365/compliance/audit-log-activities?view=o365-worldwide\nReference - https://learn.microsoft.com/azure/sentinel/entities-reference#cloud-application-identifiers\n",
"displayName": "Unusual Volume of file deletion by users",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "ApplicationId",
"identifier": "AppId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Impact/AnomalousVoulmeOfFileDeletion.yaml",
"query": "let relevantOperations = pack_array(\"FileDeleted\", \"FileRecycled\", \"FileDeletedFirstStageRecycleBin\", \"FileDeletedSecondStageRecycleBin\", \"FileVersionsAllMinorsRecycled\", \"FileVersionRecycled\", \"FileVersionsAllRecycled\");\nlet relevantAppIds = pack_array(int(20892), int(15600)); // App Ids for SharePoint and OneDrive\nlet timeWindow = 7d;\nlet timeNow = now();\n//\nlet riskyUsers= // Look for users with risky sign-ins\n SigninLogs \n | where CreatedDateTime between ((timeNow - timeWindow) .. (timeNow))\n | where isnotempty(UserId) and isnotempty(OriginalRequestId)\n | where ResultType == '0'\n | where RiskLevelDuringSignIn == 'high'\n | project RiskLevelDuringSignIn, UserId, CreatedDateTime, SessionId=OriginalRequestId\n ;\nlet hasUsers = isnotempty(toscalar(riskyUsers));\n//\nlet deleteEvents = // look for file deletion activity and scope it to risky users\n CloudAppEvents\n | where hasUsers\n | where TimeGenerated between ((timeNow - timeWindow) .. (timeNow))\n | where ApplicationId in (relevantAppIds)\n | where isnotempty(AccountObjectId)\n | where AccountObjectId in (riskyUsers)\n | where ActionType in (relevantOperations)\n | extend SessionId= tostring(RawEventData.AppAccessContext.AADSessionId)\n | where isnotempty(SessionId)\n | project UserId=AccountObjectId, AccountDisplayName, ApplicationId, SessionId, ActionType, TimeGenerated, ReportId\n ; \n //\ndeleteEvents \n| join kind=leftsemi riskyUsers on UserId, SessionId\n| summarize Count=count() , (Timestamp, ReportId)=arg_min(TimeGenerated, ReportId) by UserId, AccountDisplayName, ApplicationId, ActionType, Time=bin(TimeGenerated, 5m)\n// look for only those scoped users who have generated an increase in file deletion activity.\n| summarize TotalCount= countif(Count > 50), (Timestamp, ReportId)=arg_min(Timestamp, ReportId) by UserId, AccountDisplayName, ApplicationId \n| where TotalCount >= 3\n| project UserId, AccountDisplayName, ApplicationId, TotalCount, ReportId, Timestamp\n| extend NTDomain = tostring(split(AccountDisplayName,'\\\\',0)[0]), Name = tostring(split(AccountDisplayName,'\\\\',1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}