DropBox - Massive File Alterations
This rule detects more than 100 edited files during an hour by the same user. This is a suspicious behavior which can be an indication of a ransomware attack
Dropbox HIGH OTHER
Details
| ID | 6de99f56-dfbf-40e0-bffd-bffe0a543cf5 |
|---|---|
| From Version | 6.10.0 |
| Execution Mode | SCHEDULED |
| Crontab | 0 * * * * |
| Search Window | 4 hours |
| Dataset | alerts |
MITRE ATT&CK
-
TA0040 - Impact
- T1486 - Data Encrypted for Impact
XQL Query
datamodel dataset = dropbox_dropbox_raw | filter xdm.event.type = "file_operations" and xdm.event.operation_sub_type = "file_edit" | alter user = coalesce(xdm.source.user.username, xdm.target.user.username) | comp values(xdm.source.ipv4) as SourceIP, values(xdm.source.location.country) as Countries, max(_time) as lastTime, values(xdm.target.resource.name) as Files, count() as NumberOfFiles by user | filter NumberOfFiles > 100
Investigation Query
datamodel dataset = dropbox_dropbox_raw | filter xdm.event.type = "file_operations" and xdm.event.operation_sub_type = "file_edit" | alter user = coalesce(xdm.source.user.username, xdm.target.user.username) | filter user=$user