One Drive Sync From Rare IP
Query
let Threshold = 1500; // Change depeding on org needs.
let TimeFrame = 10m;
let EntraUserIPInfo = AADSignInEventsBeta
// Filter only successful logins
| where ErrorCode == 0
| summarize IPEventCount = count() by IPAddress, AccountObjectId
| where IPEventCount < 500;
CloudAppEvents
| where ActionType == "FileSyncUploadedFull"
| extend BaseFolder = split(parse_url(ObjectName).Path, "/")[3]
| summarize TotalEvents = count(), BaseFolders = make_set(BaseFolder, 25) by bin(TimeGenerated, TimeFrame), AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress
| where TotalEvents >= Threshold
// Filter if the activity happens in combination with a rare IP
| join kind=inner EntraUserIPInfo on $left.AccountId == $right.AccountObjectId
| project TimeGenerated, TotalEvents, BaseFolders, AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress, IPEventCountAbout this query
Explanation
This query is designed to detect potentially suspicious OneDrive synchronization activities from unusual IP addresses. Here's a simplified breakdown:
-
Purpose: The query aims to identify OneDrive sync activities that occur from IP addresses that are not commonly used by the user. This could indicate unauthorized access or data exfiltration attempts.
-
Data Sources:
- CloudAppEvents: This table logs OneDrive sync activities.
- SignInLogs (or AADSignInEventsBeta): This table logs user sign-in activities, including the IP addresses used.
-
Process:
- Threshold Setting: The query looks for sync activities where a large number of files (at least 1500) are uploaded within a 10-minute window. This threshold can be adjusted based on organizational needs.
- Identify Rare IPs: It identifies IP addresses that have been used for fewer than 500 successful logins by a user. These are considered "rare" IPs.
- Filter and Join: The query filters for OneDrive sync activities that meet the threshold and occur from these rare IPs. It then joins this data with the sign-in logs to correlate the user accounts and IP addresses.
-
Output: The result includes details such as the time of the event, total number of sync events, folders involved, user account details, device type, operating system, and the rare IP address.
-
Risk Consideration: The query highlights potential risks where adversaries might sync OneDrive data to their devices from unusual IPs, possibly indicating data theft.
-
False Positives: Large file uploads from new IPs might trigger this query, so these scenarios should be reviewed to confirm if they are legitimate or not.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators
MITRE Techniques