Update o365_sharepoint_suspicious_search_behavior.yml

update to v5 yaml spec / update search yaml for better readability / remove single quote in SPL issues

Author: nterl0k

detections/cloud/o365_sharepoint_suspicious_search_behavior.yml

@@ -8,15 +8,16 @@ type: Anomaly
 description: The following analytic identifies when the O365 SharePoint users search for suspicious keywords or have an excessive number of queries within a limited timeframe. This behavior may indicate malicious actor enumeration of SharePoint based data within O365.
 data_source: 
 - Office 365 Universal Audit Log
-search: '`o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*
-| where NOT (match(SearchQueryText, "\*") OR match(SearchQueryText,"(\*)"))
-| eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name=EventData, command = SearchQueryText, -time = _time 
-| bin _time span=1hr
-| stats values(object_name) as object_name values(command) as command, values(src) as src, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
-| where count > 20 OR match(command, "(?i)password|credential|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing")
-| `security_content_ctime(firstTime)` 
-| `security_content_ctime(lastTime)`
-| `o365_sharepoint_suspicious_search_behavior_filter`'
+search: |-
+  `o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*
+  | where NOT (match(SearchQueryText, "\*") OR match(SearchQueryText,"(\*)"))
+  | eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name=EventData, command = SearchQueryText, -time = _time 
+  | bin _time span=1hr
+  | stats values(object_name) as object_name values(command) as command, values(src) as src, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
+  | where count > 20 OR match(command, "(?i)password|credential|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing")
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_sharepoint_suspicious_search_behavior_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
 known_false_positives: Users searching excessively or possible false positives related to matching conditions.
 references:
@@ -35,15 +36,21 @@ drilldown_searches:
   search: '`o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: The SharePoint Online was searched suspiciously by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: src
+    type: ip_address
 tags:
   analytic_story: 
   - Azure Active Directory Persistence
   - Office 365 Account Takeover
   - CISA AA22-320A
   asset_type: O365 Tenant
-  confidence: 50
-  impact: 50
-  message: The SharePoint Online was searched suspiciously by $user$
   mitre_attack_id: 
   - T1213.002 
   - T1552
@@ -56,14 +63,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields: 
-  - Workload
-  - Operation
-  - SearchQueryText
-  - EventData
-  - UserId
-  - _time
-  risk_score: 25
   security_domain: threat
 tests:
 - name: True Positive Test