Data exfiltration to unsanctioned apps

2024-11-07 01:45:21 +00:00 · 2021-08-23 17:33:00 +00:00 · 2021-08-23 17:33:00 +00:00 · 7d211f2487
commit 7d211f2487
parent f5286905ff
1 changed files with 24 additions and 0 deletions
--- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@ -0,0 +1,24 @@
+title: Microsoft 365 - Data exfiltration to unsanctioned apps
+id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: 
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Data exfiltration to unsanctioned apps"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1537