Update o365_exfiltration_via_file_sync_download.yml

nterl0k · web-flow · commit 1ac26e3bc855 · 2025-02-02T12:31:31.000-05:00
update search yaml for better readability / remove single quote in SPL issues
diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml
@@ -8,15 +8,16 @@ type: Anomaly
 description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
 data_source: 
 - Office 365 Universal Audit Log
-search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*"
-| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
-| where NOT match(SiteUrl,user_flat)
-| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
-| rename SiteUrl as file_path,Workload as app
-| where count > 50
-| `security_content_ctime(firstTime)` 
-| `security_content_ctime(lastTime)`
-| `o365_exfiltration_via_file_sync_download_filter`'
+search: |-
+  `o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*"
+  | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
+  | where NOT match(SiteUrl,user_flat)
+  | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
+  | rename SiteUrl as file_path,Workload as app
+  | where count > 50
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_exfiltration_via_file_sync_download_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
 known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed.
 references:
