
Summary
This anomaly rule detects a Windows host using net.exe or net1.exe to mount a OneDrive share as a network drive, that is, a WebDAV path under https://d.docs.live.net. Such a mount can indicate staging, accessing, or exfiltrating data through cloud storage rather than a traditional file share. The detection relies on endpoint telemetry (Sysmon EventID 1, Windows Security log 4688, and CrowdStrike ProcessRollup2) mapped to the Endpoint Processes data model. The search targets command lines that include both a net use pattern and the OneDrive WebDAV URL, then aggregates on process, user, destination, and related metadata to identify the initiating process and host. Matches are raised as the "Windows OneDrive Share Mount via Net" alert, with a risk message such as "Potential OneDrive share mounted on <dest> via <process>." Legitimate usage (e.g., authorized OneDrive syncing or backups) can generate false positives, so consider whitelisting known hosts or users, or validating intent, when tuning the anomaly. The technique corresponds to MITRE ATT&CK T1567.002 (Exfiltration to Cloud Storage via WebDAV).
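The rule logic described above, applied to a handful of constructed process-creation events, as an added example that is not part of the original rule or its vendor's code. The events, field names (dest, user, process_name, process, parent_process_name, process_id) and the two regexes are this example's own assumptions, modelled on the Endpoint Processes data model fields the summary mentions; the third and fourth events show a classic SMB mount and a non-net.exe process that must not alert.

```python
import re
from collections import defaultdict

# Constructed Sysmon EventID 1 style events, already normalised to
# Endpoint.Processes-like field names (sample data, not real telemetry).
EVENTS = [
    {"dest": "WS01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "net.exe", "process_id": 4120,
     "process": 'net  use Z: "https://d.docs.live.net/1a2b3c/Documents" /persistent:yes'},
    {"dest": "WS02", "user": "CORP\\bob", "parent_process_name": "powershell.exe",
     "process_name": "net1.exe", "process_id": 5532,
     "process": "C:\\Windows\\System32\\net1.exe USE * https://d.docs.live.net/9f8e7d/Backup"},
    {"dest": "WS01", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "net.exe", "process_id": 4201,
     "process": "net use H: \\\\fileserver\\shared /user:corp\\alice"},  # SMB share: no alert
    {"dest": "WS03", "user": "CORP\\carol", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "process_id": 6001,
     "process": "powershell -c Invoke-WebRequest https://d.docs.live.net/x/y"},  # not net.exe: no alert
]

NET_BINARIES = {"net.exe", "net1.exe"}
# "net" or "net1" (optionally with .exe or a full path) followed by "use"; case-insensitive
NET_USE = re.compile(r"\bnet1?(\.exe)?\s+use\b", re.IGNORECASE)
ONEDRIVE_WEBDAV = re.compile(r"https://d\.docs\.live\.net", re.IGNORECASE)

def is_onedrive_mount(event):
    """Both rule conditions: a net/net1 process whose command line has 'net use' and the OneDrive URL."""
    if event["process_name"].lower() not in NET_BINARIES:
        return False
    cmd = event["process"]
    return bool(NET_USE.search(cmd) and ONEDRIVE_WEBDAV.search(cmd))

def detect(events):
    """Aggregate matches by dest/user/parent/process/command line and attach the alert message."""
    groups = defaultdict(lambda: {"count": 0, "process_ids": []})
    for ev in events:
        if not is_onedrive_mount(ev):
            continue
        key = (ev["dest"], ev["user"], ev["parent_process_name"], ev["process_name"], ev["process"])
        groups[key]["count"] += 1
        groups[key]["process_ids"].append(ev["process_id"])
    alerts = []
    for (dest, user, parent, pname, cmd), agg in groups.items():
        alerts.append({
            "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": pname, "process": cmd, **agg,
            "message": f"Potential OneDrive share mounted on {dest} via {pname}",
        })
    return alerts
```

Calling detect(EVENTS) returns two alerts (WS01 via net.exe and WS02 via net1.exe); tuning for known-good hosts or users would be a filter on the returned dest/user fields before alerting.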
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1567.002
Created: 2026-04-13