KQL, MIT licence, from Azure/Azure-Sentinel

CreepyDrive request URL sequence

CreepyDrive uses OneDrive for command and control, but it makes regular requests to predictable paths. This detection alerts when over 20 such request sequences are observed from one source in a single day.

Quality: 92
Rule source: Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml
// Number of matched login->drive sequences per source needed to raise an alert
let eventsThreshold = 20;
CommonSecurityLog
| where isnotempty(RequestURL)
| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName
// A sequence is a token request to login.microsoftonline.com followed by a Graph drive request
// within 5s, the whole sequence fitting in 8s; sequences are tracked per SourceIP and SourceHostName.
// The query itself carries no time filter; the one-day window comes from the rule's schedule.
| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has "login.microsoftonline.com/consumers/oauth2/v2.0/token"), graph=(RequestURL has "graph.microsoft.com/v1.0/me/drive/"), SourceIP, SourceHostName)
// One row per matched sequence; count them per source and keep sources at or above the threshold
| summarize Events=count() by SourceIP, SourceHostName
| where Events >= eventsThreshold
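As an added example (not code from the Azure-Sentinel repository), this Python script approximates the rule's logic over constructed CommonSecurityLog-style rows so the 5s/8s windows and the 20-sequence threshold can be exercised offline. It assumes `has` can be approximated by a substring test and `sequence_detect` by a scan for the next matching event inside the windows; both are simplifications of the KQL operators.

```python
from collections import Counter
from datetime import datetime, timedelta

LOGIN_PATH = "login.microsoftonline.com/consumers/oauth2/v2.0/token"  # rule's "login" step
GRAPH_PATH = "graph.microsoft.com/v1.0/me/drive/"                     # rule's "graph" step
STEP_WINDOW, TOTAL_WINDOW, EVENTS_THRESHOLD = timedelta(seconds=5), timedelta(seconds=8), 20

def detect_sequences(events, steps, step_window, total_window, dims):
    """Approximates KQL sequence_detect: per dims group, an event matching steps[0] starts a chain;
    each later step is the next matching event within step_window of the previous step and
    total_window of the first. Returns [(dims_key, [step timestamps])]."""
    groups = {}
    for ev in events:
        groups.setdefault(tuple(ev[d] for d in dims), []).append(ev)
    matches = []
    for key, rows in groups.items():
        rows.sort(key=lambda r: r["TimeGenerated"])
        for i, first in enumerate(rows):
            if not steps[0](first):
                continue
            chain, j = [first["TimeGenerated"]], i
            for step in steps[1:]:
                nxt = next((k for k in range(j + 1, len(rows)) if step(rows[k])
                            and rows[k]["TimeGenerated"] - chain[-1] <= step_window
                            and rows[k]["TimeGenerated"] - chain[0] <= total_window), None)
                if nxt is None:
                    break  # this step never followed in time; abandon the chain
                chain.append(rows[nxt]["TimeGenerated"])
                j = nxt
            else:  # every step matched
                matches.append((key, chain))
    return matches
def run_rule(events, threshold=EVENTS_THRESHOLD):
    """The rule's summarize/where stage: count matched sequences per source, keep those at threshold."""
    steps = [lambda r: LOGIN_PATH in r["RequestURL"], lambda r: GRAPH_PATH in r["RequestURL"]]
    matches = detect_sequences(events, steps, STEP_WINDOW, TOTAL_WINDOW, ("SourceIP", "SourceHostName"))
    counts = Counter(key for key, _ in matches)
    return {key: n for key, n in counts.items() if n >= threshold}

def build_sample_log():
    """Constructed CommonSecurityLog-style rows (not real telemetry)."""
    row = lambda t, url, ip, host: dict(TimeGenerated=t, RequestURL=url, SourceIP=ip, SourceHostName=host)
    base, rows = datetime(2024, 1, 1, 9, 0, 0), []
    for n in range(21):  # beaconing host: token request, then a drive request 2s later, once a minute
        t = base + timedelta(minutes=n)
        rows += [row(t, "https://" + LOGIN_PATH, "10.0.0.5", "ws-suspect"),
                 row(t + timedelta(seconds=2), "https://" + GRAPH_PATH + "root/children", "10.0.0.5", "ws-suspect")]
    # benign host: same two URLs but 30s apart, outside the 5s step window, so it never matches
    rows += [row(base, "https://" + LOGIN_PATH, "10.0.0.9", "ws-user"),
             row(base + timedelta(seconds=30), "https://" + GRAPH_PATH + "root", "10.0.0.9", "ws-user")]
    return rows
```

Running `run_rule(build_sample_log())` flags only the beaconing host with 21 sequences; the benign host, whose drive request arrives 30s after the token request, produces none.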