# OneDrive Sync From Rare IP

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1530 | Data from Cloud Storage | https://attack.mitre.org/techniques/T1530/ |

#### Description
This query combines the CloudAppEvents table with Entra ID sign-in logs (AADSignInEventsBeta in Defender XDR, SigninLogs in Sentinel) to hunt for OneDrive sync activity coming from an IP address the user rarely signs in from. Set the variables (Threshold, TimeFrame and the rare-IP cut-off) to fit your environment.

False Positive Consideration:
- Large file uploads from new IPs (for example a first sync of a new device from a home or travel network)

#### Risk
Adversaries may sync a OneDrive to their device to exfiltrate the data.

## Defender XDR
```KQL
let Threshold = 1500; // Change depending on org needs.
let TimeFrame = 10m;
let EntraUserIPInfo = AADSignInEventsBeta
    // Filter only successful logins
    | where ErrorCode == 0
    | summarize IPEventCount = count() by IPAddress, AccountObjectId
    | where IPEventCount < 500;
CloudAppEvents
| where ActionType == "FileSyncUploadedFull"
| extend BaseFolder = split(parse_url(ObjectName).Path, "/")[3]
| summarize TotalEvents = count(), BaseFolders = make_set(BaseFolder, 25) by bin(TimeGenerated, TimeFrame), AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress
| where TotalEvents >= Threshold
// Keep only sync bursts whose source IP is one the same user rarely signs in from.
// Joining on the account alone would match any rare IP the user ever used, so the IP is part of the key.
| join kind=inner EntraUserIPInfo on $left.AccountId == $right.AccountObjectId, $left.IPAddress == $right.IPAddress
| project TimeGenerated, TotalEvents, BaseFolders, AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress, IPEventCount
```
## Sentinel
```KQL
let Threshold = 1500; // Change depending on org needs.
let TimeFrame = 10m;
let EntraUserIPInfo = SigninLogs
    // Filter only successful logins
    | where ResultType == 0
    | summarize IPEventCount = count() by IPAddress, UserId
    | where IPEventCount < 500;
CloudAppEvents
| where ActionType == "FileSyncUploadedFull"
| extend BaseFolder = split(parse_url(ObjectName).Path, "/")[3]
| summarize TotalEvents = count(), BaseFolders = make_set(BaseFolder, 25) by bin(TimeGenerated, TimeFrame), AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress
| where TotalEvents >= Threshold
// Keep only sync bursts whose source IP is one the same user rarely signs in from.
// Joining on the account alone would match any rare IP the user ever used, so the IP is part of the key.
| join kind=inner EntraUserIPInfo on $left.AccountId == $right.UserId, $left.IPAddress == $right.IPAddress
| project TimeGenerated, TotalEvents, BaseFolders, AccountId, AccountDisplayName, DeviceType, OSPlatform, IPAddress, IPEventCount
```

Explanation

Summary of the Query

Purpose:

The query aims to identify OneDrive sync activities from rare IP addresses, which could indicate potential data exfiltration by adversaries.

Key Components:

  1. Threshold and TimeFrame:
     • Threshold: Minimum number of sync events (default is 1500).
     • TimeFrame: Time window for counting events (default is 10 minutes).
  2. Data Sources:
     • CloudAppEvents: Logs related to cloud application activities.
     • SignInLogs (Entra ID): Logs related to user sign-ins.
  3. Steps:
     • Filter Successful Logins: Only consider successful login attempts.
     • Identify Rare IPs: Count login events per IP and user. Consider IP/user pairs with fewer than 500 events as rare.
     • Identify OneDrive Syncs: Look for OneDrive sync activities (FileSyncUploadedFull).
     • Aggregate Data: Summarize sync events by time window, user, device, and IP.
     • Filter by Threshold: Only consider cases where the number of sync events meets or exceeds the threshold.
     • Join with Rare IPs: Match each sync burst to the rare IP data on user and IP address to identify suspicious activities.
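The steps above can be modelled outside KQL to check the logic against known inputs before deploying the hunt. The following Python reference model is an added example, not the query author's code or part of any Microsoft product; the sign-in rows, sync events, user names and RFC 5737 documentation IP addresses are constructed for the example. It reproduces the rare-IP summary, the 10-minute binning, the make_set cap, the threshold and the account-plus-IP join, and shows the three cases a practitioner cares about: a burst from a rare IP (flagged), the same burst from the user's usual IP (not rare, not flagged) and a small sync from a rare IP (below threshold, not flagged).

```python
"""Reference model (Python, not KQL) of the OneDrive Sync From Rare IP hunt.

Added example, not the query author's code. All telemetry below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

THRESHOLD = 1500                     # let Threshold = 1500
TIME_FRAME = timedelta(minutes=10)   # let TimeFrame = 10m
RARE_IP_LIMIT = 500                  # | where IPEventCount < 500


def rare_ip_pairs(signins, limit=RARE_IP_LIMIT):
    """EntraUserIPInfo: successful sign-in count per (UserId, IPAddress), rare pairs only."""
    counts = Counter((user, ip) for user, ip, result_type in signins if result_type == 0)
    return {pair: n for pair, n in counts.items() if n < limit}


def base_folder(object_name):
    """split(parse_url(ObjectName).Path, "/")[3]; index 3 because the path starts with '/'."""
    parts = urlparse(object_name).path.split("/")
    return parts[3] if len(parts) > 3 else None


def bin_time(ts, frame=TIME_FRAME):
    """bin(TimeGenerated, TimeFrame): floor the timestamp to the start of its window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // frame) * frame


def detect(cloud_app_events, signins, threshold=THRESHOLD, frame=TIME_FRAME):
    """One row per (window, account, device, IP) sync burst that came from a rare IP."""
    rare = rare_ip_pairs(signins)
    groups = defaultdict(lambda: {"TotalEvents": 0, "BaseFolders": set()})
    for ev in cloud_app_events:
        if ev["ActionType"] != "FileSyncUploadedFull":
            continue
        key = (bin_time(ev["TimeGenerated"], frame), ev["AccountId"], ev["AccountDisplayName"],
               ev["DeviceType"], ev["OSPlatform"], ev["IPAddress"])
        group = groups[key]
        group["TotalEvents"] += 1
        if len(group["BaseFolders"]) < 25:          # make_set(BaseFolder, 25)
            group["BaseFolders"].add(base_folder(ev["ObjectName"]))
    hits = []
    for (when, account, name, device, platform, ip), group in groups.items():
        if group["TotalEvents"] < threshold:         # | where TotalEvents >= Threshold
            continue
        # Inner join on account AND IP: the burst must come from the IP the user rarely signs in from.
        if (account, ip) not in rare:
            continue
        hits.append({"TimeGenerated": when, "TotalEvents": group["TotalEvents"],
                     "BaseFolders": sorted(group["BaseFolders"]), "AccountId": account,
                     "AccountDisplayName": name, "DeviceType": device, "OSPlatform": platform,
                     "IPAddress": ip, "IPEventCount": rare[(account, ip)]})
    return hits


# --- constructed sample telemetry (fictitious users, RFC 5737 documentation IPs) ---
def make_signins(user_id, ip, count, result_type=0):
    """SigninLogs-like rows: (UserId, IPAddress, ResultType)."""
    return [(user_id, ip, result_type)] * count


def make_syncs(account, name, ip, count, start, folder):
    """CloudAppEvents-like rows, one FileSyncUploadedFull per file, all inside one 10-minute bin."""
    return [{
        "TimeGenerated": start + timedelta(seconds=i % 300),
        "AccountId": account, "AccountDisplayName": name,
        "DeviceType": "Windows", "OSPlatform": "Windows", "IPAddress": ip,
        "ActionType": "FileSyncUploadedFull",
        "ObjectName": f"https://contoso-my.sharepoint.com/personal/{account}/Documents/{folder}/file{i}.xlsx",
    } for i in range(count)]


T0 = datetime(2024, 8, 20, 9, 0)
SIGNIN_LOGS = (
    make_signins("alice", "198.51.100.10", 800)                    # usual office IP: not rare
    + make_signins("alice", "203.0.113.7", 3)                      # rare IP
    + make_signins("alice", "203.0.113.7", 40, result_type=50126)  # failed sign-ins are not counted
    + make_signins("bob", "203.0.113.9", 2)
)
CLOUD_APP_EVENTS = (
    make_syncs("alice", "Alice Example", "203.0.113.7", 1600, T0, "Finance")                           # flagged
    + make_syncs("alice", "Alice Example", "198.51.100.10", 1600, T0 + timedelta(hours=1), "Finance")  # frequent IP
    + make_syncs("bob", "Bob Example", "203.0.113.9", 40, T0, "HR")                                    # below threshold
)

if __name__ == "__main__":
    for row in detect(CLOUD_APP_EVENTS, SIGNIN_LOGS):
        print(row)
```

Running the module prints a single row for alice from 203.0.113.7 with TotalEvents 1600 and IPEventCount 3. Note how index 3 of the split path resolves to the library name ("Documents") for a OneDrive personal-site URL of this shape; compare it with the ObjectName values in your own tenant before relying on BaseFolders for triage.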

False Positives:

  • Large file uploads from new IP addresses could trigger false positives.

Risk:

  • Adversaries might use OneDrive sync to exfiltrate data from the organization.

Simplified Explanation:

This query helps detect unusual OneDrive sync activities from rare IP addresses, which might indicate unauthorized data transfer. It does this by:

  1. Filtering for successful logins.
  2. Identifying IP addresses that are rarely used.
  3. Looking for significant OneDrive sync activities.
  4. Combining this information to highlight potentially suspicious behavior.

Details

Bert-Jan Pals

Released: August 20, 2024

Tables

CloudAppEvents, AADSignInEventsBeta, SigninLogs

Keywords

OneDrive, Sync, IPAddress, CloudStorage, Data, User, Device, OSPlatform

Operators

let, //, |, ==, summarize, by, <, extend, split, parse_url, Path, [ ], count, make_set, bin, >=, join, kind=inner, on, ==, project
