
Commit 0adf977

authored
Update o365_sharepoint_suspicious_search_behavior.yml
1 parent fd1b9e8 commit 0adf977


1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

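--- a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
+++ b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
@@ -10,7 +10,7 @@ data_source:
 - Office 365 Universal Audit Log
 search: '`o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*
 | where NOT (match(SearchQueryText, "\*") OR match(SearchQueryText,"(\*)"))
-| eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name='EventData', command = SearchQueryText, -time = _time
+| eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name=EventData, command = SearchQueryText, -time = _time
 | bin _time span=1hr
 | stats values(object_name) as object_name values(command) as command, values(src) as src, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
 | where count > 20 OR match(command, "(?i)password|credential|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing")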
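Review bot: The keyword regex on the final `where` line misspells one of its own terms, `Electonic Funds`, so a search for "electronic funds" never matches that alternative and the detection silently misses the case it was written for; change it to `Electronic Funds`. The alternation is also unanchored, so short tokens such as `account`, `access`, `network` or `bank` will fire on ordinary SharePoint queries (accounting, accessibility, bankruptcy) — if that proves noisy, a bounded form such as `(?i)\b(password|credential|…|routing)\b` keeps the same terms while cutting substring hits. Separately, `-time = _time` in the eval and `min(-time)`/`max(-time)` in the stats appear to rely on a hyphenated field name being accepted unquoted; since wrapping it in single quotes would reintroduce the YAML single-quoted-scalar conflict this commit just fixed for `'EventData'`, a plain name like `orig_time` would be the safer spelling. The `search:` scalar opened on line 12 is closed outside this hunk.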
