Forum Discussion
akl472
Jan 22, 2025 (Copper Contributor)
How does Defender detect file version limit default changes?
Hi all,
I am currently reviewing a historic article that mentions a Cloud Ransomware attack where attackers can change the default number of file versions saved by default. They change this from the default 500 to 1 and then save over your files to make them unrecoverable. Apparently this doesn't need admin credentials, a standard user can do this themselves.
All of the Microsoft guidance says that Microsoft is protected against cloud ransomware attacks of this type because of the file versioning feature, as well as being able to contact Microsoft for 14 days after such an incident and they can retrieve your data.
My questions are:
- Where do I find what the current settings are for file version limit defaults? Is it in the OneDrive/SharePoint admin centres?
- How do I find out whether such a change has been made?
- Is there an alert already configured in Defender to detect such a change?
- If not, does anyone know how to set one up, e.g., KQL and a custom detection?
I tried asking Copilot, but it just sends me to the official Microsoft documentation, so any help is greatly appreciated.
- akl472 (Copper Contributor)
Amazing, thank you! I don't have Sentinel, but do you know what table I need to query and what I need to look for using KQL to monitor for this?
- luchete (Steel Contributor)
Hey akl472,
You're welcome! If you don't have Sentinel, you can still use Defender for Endpoint and KQL to monitor for changes. For file version changes, the table you're most likely to query is AuditLog or SecurityAlert depending on the activity you're monitoring. Specifically, you would want to look for changes to file versioning settings, which may be logged under activity related to OneDrive or SharePoint.
In KQL, you can create a query like this:
AuditLog
| where ActivityDisplayName == "Change file versioning settings"
| where ResourceType in ("OneDrive", "SharePoint")
| project TimeGenerated, UserPrincipalName, Resource, ActivityDisplayName
You can tailor the query to look for specific file or folder actions related to versioning changes or unusual file behavior. This will give you an idea of changes made to the version settings.
Regards!
- akl472 (Copper Contributor)
Amazing, thank you!
However, in Defender I don’t have the AuditLog or SecurityAlert tables to query. Do you know which tables would have this ActivityDisplayName, or alternative ActionType/name?
- luchete (Steel Contributor)
Hi akl472!
To find the current file version limit settings, you can check the OneDrive or SharePoint admin centers under the storage settings for versioning. To see if the limit has been changed, you’ll need to look at the version history or activity logs. Defender doesn’t automatically alert for changes to file version limits, but you can set up a custom detection using KQL queries in Microsoft Sentinel or Defender for Endpoint. You’d need to monitor for any changes to version settings or unusual file activity.
Regards!
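The thread's query references tables that Defender XDR advanced hunting does not expose. The following is an added example, not from any participant in the thread, written against the CloudAppEvents table that Defender XDR does provide for SharePoint Online and OneDrive audit events. The column names (Timestamp, Application, ActionType, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, ReportId) are real columns of that table; the Application string values, the "FileModified"/"FileUploaded"/"FileDeleted" operation names, the burst threshold of 200 files in 10 minutes, and the assumption that a versioning-setting change surfaces as an ActionType containing "version" are assumptions to confirm against your own tenant's data before building a custom detection on them.

```kql
// Added example (not from the thread). Assumes the Defender XDR CloudAppEvents
// table; Application values, operation names and thresholds are assumptions.

// 1) Discovery: list the SharePoint/OneDrive operation names your tenant
//    actually emits, so the later filters use real ActionType values.
CloudAppEvents
| where Timestamp > ago(30d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| summarize Events = count(), LastSeen = max(Timestamp) by ActionType
| order by Events desc

// 2) Versioning-setting changes: a loose pattern match on the operation name.
//    ASSUMPTION: the relevant event has "version" somewhere in ActionType;
//    replace with the exact value found by query 1. RawEventData keeps the
//    full audit record so the new limit can be read from the alert.
CloudAppEvents
| where Timestamp > ago(7d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where ActionType contains "version"
| project Timestamp, ReportId, ActionType, AccountObjectId, AccountDisplayName, IPAddress, ObjectName, RawEventData

// 3) The overwrite step described in the question: one account modifying an
//    unusually large number of distinct files in a short window.
//    ASSUMPTION: 200 distinct files per 10 minutes; tune to your baseline.
CloudAppEvents
| where Timestamp > ago(1d)
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| where ActionType in ("FileModified", "FileUploaded", "FileDeleted")
| summarize DistinctFiles = dcount(ObjectName), Events = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            ReportId = take_any(ReportId)
          by bin(Timestamp, 10m), AccountObjectId, AccountDisplayName, IPAddress
| where DistinctFiles > 200
| order by DistinctFiles desc
```

Run query 1 first and substitute what it returns into queries 2 and 3. When either query is turned into a Defender custom detection rule, the result set must keep the Timestamp and ReportId columns plus an entity column such as AccountObjectId, which is why query 3 carries ReportId through the summarize with take_any() rather than dropping it.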