SharePoint Malware File Uploadedit

Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-o365*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Domain: Cloud
  • Data Source: Microsoft 365
  • Tactic: Lateral Movement

Version: 206

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guideedit


The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule queryedit

event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected