Query Details

Technique Profile: eDiscovery Misuse Detection

Query

// Technique profile eDiscovery misuse detection

// Microsoft has recently identified multiple threat actors exploiting the eDiscovery feature, particularly targeting email data. When misused, this feature allows threat actors to swiftly export emails and other data from Microsoft services like OneDrive, SharePoint, and Teams. This enables them to analyze the data later without the risk of losing access prematurely. Although the methods of misuse can vary, organizations should vigilantly monitor eDiscovery for potential exfiltration activities. The KQL detections provided in the Threat Analytics Report cover standard eDiscovery activity detection in Microsoft Defender XDR. My enhanced detections below incorporate CloudApp UEBA for more precise identification of suspicious eDiscovery activities.

// Threat Analytics Report (Technique Profile: eDiscovery misuse)
// Link: https://security.microsoft.com/threatanalytics3/28a90de8-bd26-4aa5-8597-acdffdebaeb0/analystreport

// eDiscovery actions covering search creation, export and download of results
let eDiscoveryActions = pack_array("SearchStarted", "SearchExported", "SearchReport",
    "SearchResultExported", "SearchResultDownloaded", "PreviewItemDownloaded");
// UEBA attributes: CloudAppEvents lists these in UncommonForUser when they are unusual for the account
let UEBADetection = dynamic(["ActionType", "CountryCode", "ISP", "OSPlatform", "UserAgent"]);
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType in (eDiscoveryActions)
// Keep only events where at least one of the UEBA attributes was flagged as uncommon for this user
| where UncommonForUser has_any (UEBADetection)

// MITRE ATT&CK
// Exfiltration Over Web Service (T1567)

Explanation

This KQL query is designed to detect potential misuse of the eDiscovery feature in Microsoft services, which could indicate data exfiltration activities by threat actors. Here's a simplified breakdown of the query:

  1. Purpose: The query aims to identify suspicious eDiscovery activities that might suggest unauthorized data exportation, particularly of email data, from Microsoft services like OneDrive, SharePoint, and Teams.

  2. Context: Microsoft has observed threat actors exploiting eDiscovery to export data for later analysis, avoiding immediate detection or loss of access.

  3. Detection Enhancements: The query uses enhanced detection methods by incorporating User and Entity Behavior Analytics (UEBA) to improve the precision of identifying suspicious activities.

  4. Query Components:

    • eDiscoveryActions: A list of specific eDiscovery actions that are monitored, such as starting a search, exporting search results, and downloading items.
    • UEBADetection: A set of user behavior attributes (ActionType, CountryCode, ISP, OSPlatform, UserAgent) that CloudAppEvents lists in its UncommonForUser column when they are unusual for that user.
    • CloudAppEvents: The data source being queried, which logs cloud application events.
    • Filters:
      • The query looks at events from the past hour (Timestamp > ago(1h)).
      • It filters for actions that match the specified eDiscovery actions.
      • It further filters for activities that are uncommon for the user based on the UEBA attributes.
  5. Security Framework: The query aligns with the MITRE ATT&CK framework, specifically the technique "Exfiltration Over Web Service" (T1567), indicating that the misuse involves data exfiltration via web services.

Overall, this query helps organizations monitor and detect potential eDiscovery misuse, enhancing their security posture against data exfiltration threats.
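An added example, not part of the original post or the Threat Analytics Report, that extends the detection into a per-account summary: it keeps the same three filters, expands UncommonForUser to show which UEBA attributes fired, collects the action types per account, and keeps only accounts whose uncommon session actually exported or downloaded results. Column names (AccountObjectId, AccountDisplayName, IPAddress, ReportId) are from the CloudAppEvents schema.

```kql
// Added example: per-account summary of uncommon eDiscovery export activity.
// Same filters as the detection above, then one row per account so an analyst
// can see which actions ran and which UEBA attributes were flagged as uncommon.
let eDiscoveryActions = pack_array("SearchStarted", "SearchExported", "SearchReport",
    "SearchResultExported", "SearchResultDownloaded", "PreviewItemDownloaded");
// Actions that move data out; a hit with only search/report actions is lower priority.
let ExportActions = dynamic(["SearchExported", "SearchResultExported",
    "SearchResultDownloaded", "PreviewItemDownloaded"]);
let UEBADetection = dynamic(["ActionType", "CountryCode", "ISP", "OSPlatform", "UserAgent"]);
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType in (eDiscoveryActions)
| where UncommonForUser has_any (UEBADetection)
// One row per uncommon attribute, then keep only the attributes the detection cares about.
| mv-expand UncommonAttribute = UncommonForUser to typeof(string)
| where UncommonAttribute in (UEBADetection)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    // ReportId is unique per event, so the mv-expand above does not inflate this count
    Events = dcount(ReportId),
    Actions = make_set(ActionType),
    UncommonAttributes = make_set(UncommonAttribute),
    SourceIPs = make_set(IPAddress)
    by AccountObjectId, AccountDisplayName, CountryCode, ISP
// Keep accounts whose uncommon activity included an export or download action.
| where array_length(set_intersect(Actions, ExportActions)) > 0
| extend ExportActionsSeen = set_intersect(Actions, ExportActions)
| order by LastSeen desc
```

Accounts with several source IPs or a wide UncommonAttributes set in a one-hour window are the rows to triage first; the original per-event query remains the better shape for a scheduled alert rule.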

Details


Steven Lim

Released: October 11, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, ActionType, CountryCode, ISP, OSPlatform, UserAgent, Timestamp, eDiscoveryActions, UEBADetection, Microsoft Defender XDR, OneDrive, SharePoint, Teams

Operators

pack_array, dynamic, in, where, has_any, ago
