Description
Link to Rule
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
It's very common to see backup activity in corporate environments; simply filtering on user.name or ip.address is not sufficient, since legitimate backup operations are common and cannot be excluded due to missing fields.
To improve this, I extended the ESQL query to also filter on application.name and o365.audit.ApplicationId.
With these fields included, it becomes easy to safely allow known backup applications such as "Spanning Backup" or "Veeam" while still detecting suspicious activity.
The following query fix worked for me:
```esql
from logs-o365.audit-*
| where @timestamp > now() - 14d
    and event.dataset == "o365.audit"
    and event.provider == "OneDrive"
    and event.action == "FileDownloaded"
    and o365.audit.AuthenticationType == "OAuth"
    and event.outcome == "success"
| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
| keep Esql.time_window_date_trunc, o365.audit.UserId, file.name, source.ip, o365.audit.ApplicationId, application.name
| stats Esql.file_name_count_distinct = count_distinct(file.name), Esql.event_count = count(*)
    by Esql.time_window_date_trunc, o365.audit.UserId, source.ip, o365.audit.ApplicationId, application.name
| where Esql.file_name_count_distinct >= 25
```
Example Data
No response
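As an added example (not part of this issue or of the detection-rules project), the same per-minute aggregation modelled in Python over constructed events, plus the allowlist of known backup applications that grouping by the application fields makes possible. The ApplicationId GUIDs, user, IP and file names are made up, and the allowlist itself is an assumption; the author's query only adds the fields.

```python
from collections import defaultdict
from datetime import datetime

# Constructed allowlist (hypothetical GUID and display names): backup products
# that are expected to bulk-download from OneDrive and should not alert.
KNOWN_BACKUP_APPS = {
    "ApplicationId": {"00000000-0000-0000-0000-000000000b01"},
    "application.name": {"Spanning Backup", "Veeam"},
}

def _is_candidate(e: dict) -> bool:
    """Mirror the rule's fixed filters before any aggregation."""
    return (e.get("event.dataset") == "o365.audit"
            and e.get("event.provider") == "OneDrive"
            and e.get("event.action") == "FileDownloaded"
            and e.get("o365.audit.AuthenticationType") == "OAuth"
            and e.get("event.outcome") == "success")

def _is_allowlisted(e: dict) -> bool:
    """Suppress only when the application fields match a known backup product."""
    return (e.get("o365.audit.ApplicationId") in KNOWN_BACKUP_APPS["ApplicationId"]
            or e.get("application.name") in KNOWN_BACKUP_APPS["application.name"])

def find_bulk_downloads(events, threshold=25):
    """Return {(minute, user, ip, app_id, app_name): distinct_files} at or above threshold."""
    files = defaultdict(set)
    for e in events:
        if not _is_candidate(e) or _is_allowlisted(e):
            continue
        ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        bucket = ts.replace(second=0, microsecond=0)  # equivalent of date_trunc(1 minutes, ...)
        key = (bucket, e.get("o365.audit.UserId"), e.get("source.ip"),
               e.get("o365.audit.ApplicationId"), e.get("application.name"))
        files[key].add(e.get("file.name"))
    return {k: len(v) for k, v in files.items() if len(v) >= threshold}

def _mk(n, app_id, app_name, user="alice@example.com", ip="203.0.113.10"):
    """Constructed sample events: n distinct files downloaded within one minute."""
    return [{"@timestamp": f"2024-01-01T10:00:{i % 60:02d}Z", "event.dataset": "o365.audit",
             "event.provider": "OneDrive", "event.action": "FileDownloaded",
             "o365.audit.AuthenticationType": "OAuth", "event.outcome": "success",
             "o365.audit.UserId": user, "source.ip": ip, "o365.audit.ApplicationId": app_id,
             "application.name": app_name, "file.name": f"doc-{i}.docx"} for i in range(n)]

# 30 files from a known backup product (suppressed) and 30 from an unknown OAuth app (alerts).
SAMPLE = (_mk(30, "00000000-0000-0000-0000-000000000b01", "Veeam")
          + _mk(30, "00000000-0000-0000-0000-0000000000ff", "UnknownSyncTool"))
```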