You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: detections/cloud/o365_exfiltration_via_file_access.yml
+11-10Lines changed: 11 additions & 10 deletions
Original file line number
Diff line number
Diff line change
@@ -8,16 +8,17 @@ type: Anomaly
8
8
description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.
9
9
data_source:
10
10
- Office 365 Universal Audit Log
11
-
search: '`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
12
-
| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
13
-
| where NOT match(SiteUrl,user_flat)
14
-
| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
15
-
| eventstats avg(count) as avg stdev(count) as stdev by Workload
16
-
| rename SiteUrl as file_path,Workload as app
17
-
| where count > 50 AND count > (avg + (3*(stdev)))
18
-
| `security_content_ctime(firstTime)`
19
-
| `security_content_ctime(lastTime)`
20
-
| `o365_exfiltration_via_file_access_filter`'
11
+
search: |-
12
+
`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
13
+
| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
14
+
| where NOT match(SiteUrl,user_flat)
15
+
| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
16
+
| eventstats avg(count) as avg stdev(count) as stdev by Workload
17
+
| rename SiteUrl as file_path,Workload as app
18
+
| where count > 50 AND count > (avg + (3*(stdev)))
19
+
| `security_content_ctime(firstTime)`
20
+
| `security_content_ctime(lastTime)`
21
+
| `o365_exfiltration_via_file_access_filter`
21
22
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
22
23
known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed.
0 commit comments