File tree Expand file tree Collapse file tree 1 file changed +10
-21
lines changed Expand file tree Collapse file tree 1 file changed +10
-21
lines changed Original file line number Diff line number Diff line change @@ -37,38 +37,27 @@ drilldown_searches:
3737 search : ' `o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"'
3838 earliest_offset : $info_min_time$
3939 latest_offset : $info_max_time$
40+ rba :
41+ message : The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
42+ risk_objects :
43+ - field : user
44+ type : user
45+ score : 20
46+ threat_objects :
47+ - field : src
48+ type : src
4049tags :
4150 analytic_story :
4251 - Data Exfiltration
4352 - Office 365 Account Takeover
44- asset_type : O365 Tenant
45- confidence : 50
46- impact : 40
47- message : The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
53+ asset_type : O365 Tenant
4854 mitre_attack_id :
4955 - T1567
5056 - T1530
51- observable :
52- - name : user
53- type : User
54- role :
55- - Victim
56- - name : src
57- type : IP Address
58- role :
59- - Attacker
6057 product :
6158 - Splunk Enterprise
6259 - Splunk Enterprise Security
6360 - Splunk Cloud
64- required_fields :
65- - _time
66- - Operation
67- - UserId
68- - SourceFileExtension
69- - Workload
70- - SiteUrl
71- risk_score : 20
7261 security_domain : threat
7362tests :
7463- name : True Positive Test
You can’t perform that action at this time.
0 commit comments