Elastic Security Detection Rules

M365 OneDrive Excessive File Downloads with OAuth Token

Last updated a month ago on 2025-11-25
Created 10 months ago on 2025-02-19

About

Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download files from OneDrive.
Tags
Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: SharePointData Source: OneDriveUse Case: Threat DetectionTactic: CollectionTactic: ExfiltrationLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Collection (TA0009)(external, opens in a new tab or window)

Data from Cloud Storage (T1530)(external, opens in a new tab or window)

Exfiltration (TA0010)(external, opens in a new tab or window)

False Positive Examples
Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are authorized and the user is known before taking action.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

o365(external, opens in a new tab or window)

Query
text code block:
from logs-o365.audit-*
| where
    event.dataset == "o365.audit" and
    event.provider == "OneDrive" and
    event.action == "FileDownloaded" and
    o365.audit.AuthenticationType == "OAuth" and
    event.outcome == "success"
    and (user.id is not null and o365.audit.ApplicationId is not null)
| eval session.id = coalesce(o365.audit.AppAccessContext.AADSessionId, session.id, null)
| where session.id is not null
| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
| stats
    Esql.file_directory_values = values(file.directory),
    Esql.file_extension_values = values(file.extension),
    Esql.application_name_values = values(application.name),
    Esql.file_name_count_distinct = count_distinct(file.name),
    Esql.o365_audit_Site_values = values(o365.audit.Site),
    Esql.o365_audit_SiteUrl_values = values(o365.audit.SiteUrl),
    Esql.user_domain_values = values(user.domain),
    Esql.token_id_values = values(token.id),
    Esql.event_count = count(*)
by
    Esql.time_window_date_trunc,
    user.id,
    session.id,
    source.ip,
    o365.audit.ApplicationId
| where Esql.file_name_count_distinct >= 25
| keep
    Esql.*,
    user.id,
    source.ip,
    o365.audit.ApplicationId,
    session.id

Install detection rules in Elastic Security

Detect M365 OneDrive Excessive File Downloads with OAuth Token in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).