
[Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads #5766

@terrancedejesus

Description

Summary

Tuning the M365 OneDrive/SharePoint Excessive File Downloads rule to reduce false positives and improve detection coverage.

Changes

Excluded First-Party Microsoft Applications

Added exclusions for noisy first-party Microsoft applications that generate legitimate high-volume file download activity:

  • 08e18876-6177-487e-b8b5-cf950c1e598c - SharePoint Online Web Client Extensibility
  • fb8d773d-7ef8-4ec0-a117-179f88add510 - Enterprise Copilot Platform
  • d3590ed6-52b3-4102-aeff-aad2292ab01c - Microsoft Office
  • 7ab7862c-4c57-491e-8a45-d52a7e023983 - App Service

Removed OAuth Authentication Requirement

Removed the OAuth-specific filtering to expand detection coverage. Previously, the rule was scoped to OAuth-based authentication methods, which could result in false negatives when adversaries access OneDrive/SharePoint through authentication methods other than OAuth phishing (e.g., Device Code Authentication phishing).

Updated Investigation Guide

  • Renamed investigation guide section title to match the rule name
  • Added guidance to review the token.id field to determine whether OAuth authentication was used

Updated References

Added references related to recent threat actor TTPs:

Notes

  • The event.provider field will always be OneDrive for the FileDownloaded event action
  • This rule will fire on both SharePoint and OneDrive downloads, since it does not filter exclusively on either M365 data source
  • These changes align with observed ShinyHunters TTPs targeting cloud storage for data exfiltration
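The following is an added example, not the Elastic rule's own query or any code from this PR: it replays the tuning described above (the four application ID exclusions and the removal of the OAuth-only scoping) over constructed o365 audit events and compares which users a threshold count would flag before and after. Field names are assumed to follow the Elastic o365 integration (event.action, event.provider, user.id, o365.audit.ApplicationId); the 50-downloads-in-5-minutes threshold, the auth_method field, the unlisted browser application ID and all sample events are placeholders constructed for this example.

```python
# Added example (not the Elastic rule's own query or code): replays the
# tuning described in this PR over constructed o365 audit events.
# Assumed, not stated on the page: field names follow the Elastic o365
# integration (event.action, event.provider, user.id,
# o365.audit.ApplicationId); the 50-per-5-minutes threshold and the
# "auth_method" field are placeholders for this example only.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# First-party Microsoft application IDs excluded by the tuning (from the PR).
EXCLUDED_APP_IDS = {
    "08e18876-6177-487e-b8b5-cf950c1e598c",  # SharePoint Online Web Client Extensibility
    "fb8d773d-7ef8-4ec0-a117-179f88add510",  # Enterprise Copilot Platform
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  # Microsoft Office
    "7ab7862c-4c57-491e-8a45-d52a7e023983",  # App Service
}

THRESHOLD = 50                 # placeholder threshold, not the rule's real value
WINDOW = timedelta(minutes=5)  # placeholder window


def is_candidate(event, require_oauth=False):
    """True if the event counts toward the threshold.

    require_oauth=True reproduces the pre-tuning scoping that the PR removed:
    only OAuth-authenticated downloads were counted, so a device-code-phished
    session never contributed to the count (the false negative the PR describes).
    """
    if event.get("event.action") != "FileDownloaded":
        return False
    if event.get("o365.audit.ApplicationId") in EXCLUDED_APP_IDS:
        return False
    if require_oauth and event.get("auth_method") != "oauth":  # hypothetical field
        return False
    return True


def flag_users(events, require_oauth=False):
    """Return the set of user.id values with >= THRESHOLD candidate downloads
    inside any WINDOW-long sliding window (how a threshold rule behaves)."""
    per_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if is_candidate(event, require_oauth):
            per_user[event["user.id"]].append(event["@timestamp"])

    flagged = set()
    for user, times in per_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= THRESHOLD:
                flagged.add(user)
                break
    return flagged


def make_events(user, app_id, count, auth_method, start):
    """Constructed sample events, one download per second, all via OneDrive
    (the PR notes event.provider is always OneDrive for FileDownloaded)."""
    return [
        {
            "@timestamp": start + timedelta(seconds=i),
            "event.action": "FileDownloaded",
            "event.provider": "OneDrive",
            "user.id": user,
            "o365.audit.ApplicationId": app_id,
            "auth_method": auth_method,
        }
        for i in range(count)
    ]


T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
BROWSER_APP = "00000000-0000-0000-0000-000000000001"  # constructed, unlisted app ID

# Constructed sample: Copilot and Office traffic is noisy but legitimate; the
# "attacker" session was obtained by device-code phishing, not OAuth consent.
SAMPLE_EVENTS = (
    make_events("copilot-user", "fb8d773d-7ef8-4ec0-a117-179f88add510", 80, "oauth", T0)
    + make_events("office-user", "d3590ed6-52b3-4102-aeff-aad2292ab01c", 75, "oauth", T0)
    + make_events("normal-user", BROWSER_APP, 10, "password", T0)
    + make_events("attacker", BROWSER_APP, 60, "device_code", T0)
)

if __name__ == "__main__":
    print("tuned rule flags:", flag_users(SAMPLE_EVENTS))                           # {'attacker'}
    print("old OAuth-only rule flags:", flag_users(SAMPLE_EVENTS, require_oauth=True))  # set()
```

Run as-is: the tuned logic ignores the Copilot and Office bursts because of the application ID exclusions and still flags the device-code session, while the old OAuth-only scoping (require_oauth=True) flags nobody, which is the false negative the PR set out to close.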
