In addition to the general ASIM advantages (cross-source analytics, source-agnostic rules, and ease of use), the File Activity schema lets you write rules that span endpoint, server, and cloud activity. We have included parsers for Sysmon, Microsoft 365 Defender for Endpoint, SharePoint, OneDrive, and Azure Storage. For example:

- Analyzing file activity is instrumental for ransomware detection. Now your on-prem ransomware analytics can secure cloud workloads as well.
- When hunting for malware remnants, you will find them both on the affected endpoints and on the cloud services that may have been used to spread them.
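As an added example that is not part of the original post, the following KQL shows what one such source-agnostic rule looks like: a single query over the normalized file events that flags an actor touching an unusually large number of files in a short window, whether the events originated on an endpoint or in a cloud service. It assumes the ASIM unifying parser imFileEvent and its standard field names (EventType, ActorUsername, TargetFileName, EventProduct, DvcHostname), none of which the text above names, and its thresholds are illustrative.

```kql
// Added example, not code from the original post. Assumes the ASIM File Activity
// unifying parser imFileEvent and its standard normalized fields; thresholds are
// placeholders to be tuned per environment.
let lookback = 1h;
let window = 5m;
let minFiles = 200;                  // distinct files touched by one actor in one window
imFileEvent
| where TimeGenerated > ago(lookback)
// Creates, modifications and renames are the operations a bulk-encryption run produces,
// regardless of whether the source was Sysmon, Defender for Endpoint, SharePoint,
// OneDrive or Azure Storage: the parser has already mapped them to the same EventType.
| where EventType in ("FileCreated", "FileModified", "FileRenamed")
// Derive the extension from the normalized file name (last dot-separated token,
// excluding path separators) so the logic does not depend on a per-source field.
| extend FileExt = tolower(extract(@"\.([^.\\/]+)$", 1, TargetFileName))
| summarize
    FilesTouched   = dcount(TargetFileName),
    ExtensionCount = dcount(FileExt),
    Extensions     = make_set(FileExt, 20),
    Sources        = make_set(EventProduct, 10),   // which products reported the actor
    Hosts          = make_set(DvcHostname, 10)
    by ActorUsername, bin(TimeGenerated, window)
| where FilesTouched >= minFiles
// Hundreds of files collapsing onto one or two extensions is the classic encryption
// footprint; CrossSource shows the same actor seen by more than one product, i.e. the
// endpoint-plus-cloud correlation the schema makes possible.
| extend CrossSource = array_length(Sources) > 1
| project TimeGenerated, ActorUsername, FilesTouched, ExtensionCount, Extensions, Sources, Hosts, CrossSource
| order by FilesTouched desc
```

Because every source is normalized before the query runs, adding a new file-activity connector extends this rule without changing a line of it.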