Query Details

One Drive Sync From Rare IP

Query

let Threshold = 1500; // Change depeding on org needs.
let TimeFrame = 10m;
let EntraUserIPInfo = AADSignInEventsBeta
    // Filter only successful logins
    | where ErrorCode == 0
    | summarize IPEventCount = count() by IPAddress, AccountObjectId
    | where IPEventCount < 500;
CloudAppEvents
| where ActionType == "FileSyncUploadedFull"
| extend BaseFolder = split(parse_url(ObjectName).Path, "/")[3]
| summarize TotalEvents = count(), BaseFolders = make_set(BaseFolder, 25) by bin(TimeGenerated, TimeFrame), AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress
| where TotalEvents >= Threshold
// Filter if the activity happens in combination with a rare IP
| join kind=inner EntraUserIPInfo on $left.AccountId == $right.AccountObjectId
| project TimeGenerated, TotalEvents, BaseFolders,  AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress, IPEventCount

About this query

Explanation

This query is designed to detect potentially suspicious OneDrive synchronization activities from unusual IP addresses. Here's a simplified breakdown:

  1. Purpose: The query aims to identify OneDrive sync activities that occur from IP addresses that are not commonly used by the user. This could indicate unauthorized access or data exfiltration attempts.

  2. Data Sources:

    • CloudAppEvents: This table logs OneDrive sync activities.
    • SignInLogs (or AADSignInEventsBeta): This table logs user sign-in activities, including the IP addresses used.
  3. Process:

    • Threshold Setting: The query looks for sync activities where a large number of files (at least 1500) are uploaded within a 10-minute window. This threshold can be adjusted based on organizational needs.
    • Identify Rare IPs: It identifies IP addresses that have been used for fewer than 500 successful logins by a user. These are considered "rare" IPs.
    • Filter and Join: The query filters for OneDrive sync activities that meet the threshold and occur from these rare IPs. It then joins this data with the sign-in logs to correlate the user accounts and IP addresses.
  4. Output: The result includes details such as the time of the event, total number of sync events, folders involved, user account details, device type, operating system, and the rare IP address.

  5. Risk Consideration: The query highlights potential risks where adversaries might sync OneDrive data to their devices from unusual IPs, possibly indicating data theft.

  6. False Positives: Large file uploads from new IPs might trigger this query, so these scenarios should be reviewed to confirm if they are legitimate or not.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

AADSignInEventsBetaCloudAppEventsSigninLogs

Keywords

CloudAppEventsAADSignInEventsBetaSigninLogsOneDriveIPAddressAccountObjectIdAccountIdAccountDisplayNameDeviceTypeOSPlatform

Operators

let//|wheresummarizecount()by<==extendsplit()parse_url()Path[ ]make_set()bin()joinkind=inneronproject

MITRE Techniques

Actions

GitHub