M365 SharePoint/OneDrive File Access via PowerShell

Last updated: 2026-02-24
Created: 2026-02-24

About

Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious.
Tags
Domain: Cloud
Domain: SaaS
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Threat Detection
Tactic: Collection
Tactic: Exfiltration
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Collection (TA0009)

Exfiltration (TA0010)

False Positive Examples
Legitimate automation scripts using PowerShell to interact with SharePoint or OneDrive for business purposes.
IT administrators using PnP PowerShell for site management, migration, or backup operations.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-o365.audit-*
Related Integrations

o365

Query
event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and event.action: ("FileDownloaded" or "FileAccessed") and event.outcome: "success" and user_agent.original: (*PowerShell* or *PnPPS* or *PnPCoreSDK* or *SharePointPnP*)
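As an added example that is not part of the Elastic rule or its repository, the following Python re-implements the query's logic clause by clause over constructed o365.audit-shaped events, and layers on the kind of rule exception a team would add for the sanctioned automation accounts described under False Positive Examples. Every event, user name, file name and user-agent string below is constructed; the wildcard terms are matched case-sensitively, which is an assumption about keyword-field wildcard behaviour that should be confirmed against the actual index mapping.

```python
import re
from typing import Any, Iterable

# Terms copied from the KQL query so the Python stays reviewable against it.
DATASET = "o365.audit"
PROVIDERS = {"SharePoint", "OneDrive"}
ACTIONS = {"FileDownloaded", "FileAccessed"}
OUTCOME = "success"
UA_WILDCARDS = ["*PowerShell*", "*PnPPS*", "*PnPCoreSDK*", "*SharePointPnP*"]


def kql_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a KQL wildcard term into a regex: '*' matches anything, every other
    character is literal. Case-sensitive here (assumption; check your mapping)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


UA_PATTERNS = [kql_wildcard_to_regex(p) for p in UA_WILDCARDS]


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted ECS field name such as 'event.provider' in a nested document."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(doc: dict) -> bool:
    """True when the document satisfies every clause of the query."""
    ua = get_field(doc, "user_agent.original")
    return (
        get_field(doc, "event.dataset") == DATASET
        and get_field(doc, "event.provider") in PROVIDERS
        and get_field(doc, "event.action") in ACTIONS
        and get_field(doc, "event.outcome") == OUTCOME
        and isinstance(ua, str)
        and any(p.match(ua) for p in UA_PATTERNS)
    )


def run_rule(events: Iterable[dict], allowed_accounts: Iterable[str] = ()) -> list:
    """Return the alerts the rule would raise. allowed_accounts models a rule exception
    for known automation identities: applied after the query, so they match but are suppressed."""
    allowed = set(allowed_accounts)
    alerts = []
    for doc in events:
        if not matches_rule(doc):
            continue
        user = get_field(doc, "user.name")
        if user in allowed:
            continue
        alerts.append({
            "user": user,
            "provider": get_field(doc, "event.provider"),
            "action": get_field(doc, "event.action"),
            "file": get_field(doc, "file.name"),
            "user_agent": get_field(doc, "user_agent.original"),
        })
    return alerts


def make_event(provider, action, outcome, user, ua, file_name):
    # Constructed o365.audit-shaped event; not a real audit record.
    return {
        "event": {"dataset": DATASET, "provider": provider, "action": action, "outcome": outcome},
        "user": {"name": user},
        "user_agent": {"original": ua},
        "file": {"name": file_name},
    }


# Constructed sample events; names, files and user-agent strings are made up.
SAMPLE_EVENTS = [
    # Invoke-WebRequest style download: matches.
    make_event("SharePoint", "FileDownloaded", "success", "alice@example.com",
               "Mozilla/5.0 (Windows NT 10.0; en-US) PowerShell/7.4.1", "q1-forecast.xlsx"),
    # File content read through the API rather than downloaded: matches via FileAccessed.
    make_event("OneDrive", "FileAccessed", "success", "bob@example.com",
               "PnPPS/2.4.0 (constructed)", "board-notes.docx"),
    # Ordinary browser access: no match.
    make_event("SharePoint", "FileDownloaded", "success", "carol@example.com",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", "handbook.pdf"),
    # PowerShell but the operation failed: event.outcome filters it out.
    make_event("OneDrive", "FileDownloaded", "failure", "dave@example.com",
               "PowerShell/5.1 (constructed)", "payroll.csv"),
    # Sanctioned backup automation: matches the query, suppressed only via an exception.
    make_event("SharePoint", "FileDownloaded", "success", "svc-backup@example.com",
               "SharePointPnP.Core/1.12 (constructed)", "archive-2025.zip"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, allowed_accounts=["svc-backup@example.com"]):
        print(alert)
```

Running the block prints the two alerts that survive the exception (alice and bob); the backup account matches the query exactly as the rule would match it in Kibana and is dropped only by the allow-list, which is the place to tune rather than the user-agent clause itself.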

Install detection rules in Elastic Security

Detect M365 SharePoint/OneDrive File Access via PowerShell in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.