What Changed

New solution for Filewall (ODI-X) integrating Microsoft 365 data exfiltration protection across Exchange, SharePoint, OneDrive, and Teams. Includes complete CCF connector infrastructure, parsers, detections, and operational workbook.

Data Source

Filewall for Microsoft 365 provides email and file security monitoring across the Microsoft 365 ecosystem. The solution targets data exfiltration attempts through email attachments and file sharing activities.

Ingestion Mechanism

CCF-based connector with DCR ingestion into two custom tables:

  • FilewallExchange_CL — Exchange email events and attachment blocking
  • FilewallFile_CL — SharePoint/OneDrive/Teams file events

Four polling connections target different Microsoft 365 services using the Filewall API endpoint.

Detection Coverage

Two high-severity analytic rules provide immediate alerting:

  • Blocked Emails — Detects emails blocked by Filewall with T1048 (Exfiltration Over Alternative Protocol) mapping
  • Blocked Files — Identifies files blocked across SharePoint/OneDrive/Teams with T1048 mapping

Both rules run at a 5-minute frequency with immediate incident creation and entity mapping for Account, MailMessage, and File entities.

Parser Impact

Two KQL workspace functions normalize Filewall events into a standardized schema:

  • FilewallM365ExchangeEvent() — Normalizes Exchange events with email metadata, policy details, and threat indicators
  • FilewallM365FileEvent() — Normalizes file events with hash values, path information, and actor details

Both parsers map status values to EventType/EventResult and include comprehensive entity extraction for correlation.
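As an added illustration of how the parser and the analytic rule fit together (this is example KQL, not the solution's own FilewallM365ExchangeEvent parser or BlockedEmails rule), the block below sketches a status-to-EventType/EventResult normalization over FilewallExchange_CL and a blocked-email detection that consumes it. Every raw column name on FilewallExchange_CL (status, sender_address, recipient_address, subject, attachment_name, attachment_sha256, policy_name, threat_name) is an assumption; the real DCR output schema lives in FilewallM365_DCR.json and is not reproduced here.

```kql
// Added example, not the solution's own parser or rule.
// Raw column names on FilewallExchange_CL are hypothetical placeholders.
let FilewallM365ExchangeEvent_example = () {
    FilewallExchange_CL
    | extend
        EventType = "Email",
        // Map the vendor status string onto a fixed EventResult vocabulary so
        // rules and workbooks never depend on vendor casing or spelling.
        EventResult = case(
            status =~ "blocked",     "Blocked",
            status =~ "quarantined", "Quarantined",
            status =~ "allowed",     "Allowed",
            "Unknown"),
        SenderAddress    = tolower(sender_address),
        RecipientAddress = tolower(recipient_address),
        Subject          = subject,
        AttachmentName   = attachment_name,
        AttachmentSha256 = tolower(attachment_sha256),
        PolicyName       = policy_name,
        ThreatName       = threat_name
    // Pre-split the sender so the Account entity mapping (Name + UPNSuffix)
    // has ready-made columns.
    | extend
        SenderAccountName = tostring(split(SenderAddress, "@")[0]),
        SenderUpnSuffix   = tostring(split(SenderAddress, "@")[1])
};
// Detection body in the spirit of the "Blocked Emails" rule: queryFrequency
// and queryPeriod of 5 minutes, one row per sender/policy so a single burst
// of blocked attachments yields one incident rather than one per message.
FilewallM365ExchangeEvent_example()
| where TimeGenerated > ago(5m)
| where EventResult == "Blocked"
| summarize
    BlockedCount = count(),
    Recipients   = make_set(RecipientAddress, 20),
    Attachments  = make_set(AttachmentName, 20),
    Hashes       = make_set(AttachmentSha256, 20),
    Subjects     = make_set(Subject, 10),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by SenderAddress, SenderAccountName, SenderUpnSuffix, PolicyName, ThreatName
// Columns used by the entity mappings:
//   Account     -> SenderAccountName (Name), SenderUpnSuffix (UPNSuffix)
//   MailMessage -> SenderAddress (Sender), Subject (first of Subjects)
//   File        -> Attachments (Name), Hashes (FileHash)
| extend FirstSubject = tostring(Subjects[0]), FirstAttachment = tostring(Attachments[0]), FirstHash = tostring(Hashes[0])
| project-reorder FirstSeen, LastSeen, SenderAddress, PolicyName, ThreatName, BlockedCount
```

Normalizing in the parser rather than in each rule keeps the T1048 detections and the overview workbook on one vocabulary, and the summarize-by-sender step is what keeps a 5-minute window from opening a separate incident for every blocked message in one exfiltration burst.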

MITRE Coverage

T1048 (Exfiltration Over Alternative Protocol) — Detections target data exfiltration attempts through email attachments and file sharing mechanisms across Microsoft 365 services.

Affected Files

.script/tests/KqlvalidationsTests/CustomFunctions/FilewallM365ExchangeEvent.json
.script/tests/KqlvalidationsTests/CustomFunctions/FilewallM365FileEvent.json
.script/tests/KqlvalidationsTests/CustomTables/FilewallExchange_CL.json
.script/tests/KqlvalidationsTests/CustomTables/FilewallFile_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/filewall-logo.svg
Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedEmails.yaml
Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedFiles.yaml
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_ConnectorDefinition.json
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_DCR.json
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_PollingConfig.json
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_Table.json
Solutions/Filewall for Microsoft 365/Package/testParameters.json
Solutions/Filewall for Microsoft 365/Parsers/FilewallM365ExchangeEvent.yaml
Solutions/Filewall for Microsoft 365/Parsers/FilewallM365FileEvent.yaml
Solutions/Filewall for Microsoft 365/Workbooks/FilewallM365Overview.json
Solutions/Filewall for Microsoft 365/Workbooks/Images/Logos/filewall-logo.svg
Solutions/Filewall for Microsoft 365/Workbooks/Images/Preview/FilewallM365OverviewBlack.png
Solutions/Filewall for Microsoft 365/Workbooks/Images/Preview/FilewallM365OverviewWhite.png
Workbooks/FilewallM365Overview.json
Workbooks/Images/Logos/filewall-logo.svg
Workbooks/Images/Preview/FilewallM365OverviewBlack.png
Workbooks/Images/Preview/FilewallM365OverviewWhite.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_FilewallM365.json, createUiDefinition.json, mainTemplate.json)