Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.
Rule type: query
Risk score: 73
Runs every: 5 minutes
Maximum alerts per execution: 100
- Microsoft 365
- Continuous Monitoring
- Lateral Movement
Added (Elastic Stack release): 8.1.0
Rule authors: Elastic
Rule license: Elastic License v2
Benign files can trigger signatures in the built-in virus protection
## Config The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected