Data from Cloud Storage (T1530)

Adversaries may access data from cloud storage.

Events covered

4 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 1 rule under this technique: which fields it filters on, what specific values it looks for, and what it excludes. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (6 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field         | Rules | How                 | Sample values
--------------|-------|---------------------|--------------------------------------------
Anomalies     | 1     | gt 1                | 0
EventProduct  | 1     | in 1                | Azure File Storage, OneDrive, SharePoint
FilePath      | 1     | contains 1          | account details, bank account, bank details
OperationName | 1     | eq 1                | FileAccessed
OriginalEvent | 1     | ne 1                | FileSyncDownloadedFull
user          | 1     | is_not_null 1, ne 1 | app@sharepoint

Top indicator values (29 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field         | Kind     | Value                  | Rules (here) | Corpus reach
--------------|----------|------------------------|--------------|-------------
Anomalies     | gt       | 0                      | 1            |
EventProduct  | in       | Azure File Storage     | 1            |
EventProduct  | in       | OneDrive               | 1            |
EventProduct  | in       | SharePoint             | 1            |
EventProduct  | in       | SharePoint 365         | 1            |
FilePath      | contains | account details        | 1            |
FilePath      | contains | bank account           | 1            |
FilePath      | contains | bank details           | 1            |
FilePath      | contains | bank statement         | 1            |
FilePath      | contains | bankuberweisung        | 1            |
FilePath      | contains | closing                | 1            |
FilePath      | contains | deposit                | 1            |
FilePath      | contains | funds                  | 1            |
FilePath      | contains | hacked                 | 1            |
FilePath      | contains | invoice                | 1            |
FilePath      | contains | paiement               | 1            |
FilePath      | contains | paycheck               | 1            |
FilePath      | contains | payment                | 1            |
FilePath      | contains | phishing               | 1            |
FilePath      | contains | po#                    | 1            |
FilePath      | contains | purchase               | 1            |
FilePath      | contains | rechnung               | 1            |
FilePath      | contains | remittance             | 1            |
FilePath      | contains | transfer               | 1            |
FilePath      | contains | virement bancaire      | 1            |
FilePath      | contains | zahlung                | 1            |
OperationName | eq       | FileAccessed           | 1            |
OriginalEvent | ne       | FileSyncDownloadedFull | 1            |
user          | ne       | app@sharepoint         | 1            |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Kusto 1 rule