LoFP / HR or finance personnel legitimately searching for employee or financial records.

Techniques

Sample rules

M365 SharePoint Search for Sensitive Content

Description

Identifies search queries in SharePoint containing sensitive terms related to credentials, financial data, PII, legal matters, or infrastructure information. Adversaries who compromise user accounts often search for high-value files before exfiltration. This rule detects searches containing terms across multiple sensitivity categories, regardless of the access method (browser, PowerShell, or API). The actual search query text is analyzed against a curated list of sensitive terms to identify potential reconnaissance activity.

Detection logic

web where event.dataset == "o365.audit" and
    event.provider == "SharePoint" and
    event.action == "SearchQueryPerformed" and
    event.outcome == "success" and
    o365.audit.SearchQueryText != null and
    o365.audit.SearchQueryText != "" and
    o365.audit.SearchQueryText like~ (
        /* Credentials and Secrets */
        "*password*", "*credential*", "*secret*", "*api key*", "*apikey*",
        "*token*", "*private key*", "*certificate*", "*ssh*", "*aws*",
        "*azure*", "*gcp*", "*oauth*", "*bearer*", "*connection string*",
        "*access key*", "*secret key*",
        /* Financial */
        "*salary*", "*payroll*", "*compensation*", "*budget*", "*revenue*",
        "*financial*", "*banking*", "*invoice*", "*wire transfer*", "*account number*",
        "*credit card*", "*routing number*", "*profit*", "*expense*", "*1099*",
        /* Legal and Compliance */
        "*confidential*", "*privileged*", "*attorney*", "*legal hold*", "*settlement*",
        "*contract*", "*nda*", "*merger*", "*acquisition*", "*litigation*",
        "*subpoena*", "*trade secret*", "*intellectual property*", "*proprietary*",
        "*internal*", "*proposal*", "*poc*",
        /* HR and PII */
        "*ssn*", "*social security*", "*employee*", "*personnel*", "*performance review*",
        "*termination*", "*tax*", "*w2*", "*benefits*", "*background check*",
        "*medical*", "*hipaa*", "*passport*", "*driver license*", "*dob*",
        /* Infrastructure and IT */
        "*admin*", "*root*", "*vpn*", "*firewall*", "*network diagram*",
        "*architecture*", "*topology*", "*production*", "*database*", "*config*",
        "*backup*", "*disaster recovery*", "*vulnerability*", "*pentest*", "*security audit*",
        "*salesforce*"
    )
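To see how the rule behaves, and where the false positive above comes from, the following is an added Python replay of the detection logic; it is not code from LoFP or from the rule itself. It reproduces the EQL conditions (case-insensitive `like~` globs over `o365.audit.SearchQueryText`) over constructed, flattened ECS-style events, and then adds one tuning step the rule does not have: a hypothetical `USER_ROLES` directory lookup and `EXPECTED_CATEGORIES` map that flag a hit as expected only when every matched category falls within the user's job remit, so an HR user searching for performance reviews is marked expected while a finance user whose query also hits a credential term is not. One constructed query, "quarterly meeting agenda", is included because the rule's `*nda*` wildcard matches it, which is the kind of substring over-match worth checking before deploying the term list.

```python
from fnmatch import fnmatchcase

# Term list copied from the rule, grouped by its comment headers.
SENSITIVE_TERMS = {
    "Credentials and Secrets": [
        "*password*", "*credential*", "*secret*", "*api key*", "*apikey*",
        "*token*", "*private key*", "*certificate*", "*ssh*", "*aws*",
        "*azure*", "*gcp*", "*oauth*", "*bearer*", "*connection string*",
        "*access key*", "*secret key*"],
    "Financial": [
        "*salary*", "*payroll*", "*compensation*", "*budget*", "*revenue*",
        "*financial*", "*banking*", "*invoice*", "*wire transfer*", "*account number*",
        "*credit card*", "*routing number*", "*profit*", "*expense*", "*1099*"],
    "Legal and Compliance": [
        "*confidential*", "*privileged*", "*attorney*", "*legal hold*", "*settlement*",
        "*contract*", "*nda*", "*merger*", "*acquisition*", "*litigation*",
        "*subpoena*", "*trade secret*", "*intellectual property*", "*proprietary*",
        "*internal*", "*proposal*", "*poc*"],
    "HR and PII": [
        "*ssn*", "*social security*", "*employee*", "*personnel*", "*performance review*",
        "*termination*", "*tax*", "*w2*", "*benefits*", "*background check*",
        "*medical*", "*hipaa*", "*passport*", "*driver license*", "*dob*"],
    "Infrastructure and IT": [
        "*admin*", "*root*", "*vpn*", "*firewall*", "*network diagram*",
        "*architecture*", "*topology*", "*production*", "*database*", "*config*",
        "*backup*", "*disaster recovery*", "*vulnerability*", "*pentest*", "*security audit*",
        "*salesforce*"],
}

# Hypothetical role directory (constructed); in practice this comes from the IdP/HR system.
USER_ROLES = {
    "hr.analyst@example.com": "hr",
    "fin.clerk@example.com": "finance",
    "j.doe@example.com": "engineering",
}

# Categories a role is expected to search as part of normal work (assumption).
EXPECTED_CATEGORIES = {"hr": {"HR and PII"}, "finance": {"Financial"}}


def matched_categories(query):
    """Return {category: [patterns]} for every wildcard that matches.
    EQL `like~` is a case-insensitive glob, so both sides are lower-cased."""
    q = query.lower()
    hits = {}
    for category, patterns in SENSITIVE_TERMS.items():
        found = [p for p in patterns if fnmatchcase(q, p.lower())]
        if found:
            hits[category] = found
    return hits


def rule_matches(event):
    """Apply the rule's fixed field conditions, then the term list."""
    if (event.get("event.dataset") != "o365.audit"
            or event.get("event.provider") != "SharePoint"
            or event.get("event.action") != "SearchQueryPerformed"
            or event.get("event.outcome") != "success"):
        return False
    query = event.get("o365.audit.SearchQueryText")
    if not query:  # covers both null and ""
        return False
    return bool(matched_categories(query))


def triage(events):
    """Alert on every match; mark it expected only when ALL matched categories
    are within the user's role remit, so a credential term is never suppressed."""
    results = []
    for ev in events:
        if not rule_matches(ev):
            continue
        query = ev["o365.audit.SearchQueryText"]
        cats = matched_categories(query)
        role = USER_ROLES.get(ev.get("user.name"), "unknown")
        expected = set(cats) <= EXPECTED_CATEGORIES.get(role, set())
        results.append({"user": ev.get("user.name"), "query": query,
                        "categories": sorted(cats), "expected_for_role": expected})
    return results


def _event(user, query, outcome="success"):
    """Build a constructed, flattened o365.audit search event."""
    return {"event.dataset": "o365.audit", "event.provider": "SharePoint",
            "event.action": "SearchQueryPerformed", "event.outcome": outcome,
            "user.name": user, "o365.audit.SearchQueryText": query}


# Constructed sample events.
SAMPLE_EVENTS = [
    _event("hr.analyst@example.com", "employee performance review 2024"),  # expected for HR
    _event("fin.clerk@example.com", "Q3 payroll invoice"),                  # expected for finance
    _event("fin.clerk@example.com", "payroll admin password"),              # crosses into credentials
    _event("j.doe@example.com", "VPN Password"),                            # not an expected role
    _event("j.doe@example.com", "quarterly meeting agenda"),                # caught by "*nda*"
    _event("j.doe@example.com", "team offsite schedule"),                   # no sensitive term
    _event("j.doe@example.com", "aws access key", outcome="failure"),       # dropped by outcome filter
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The role check deliberately requires a subset relation rather than any overlap: the third sample fires on Financial, Credentials and Infrastructure terms, and a finance role only explains the first of those, so it stays an unexplained alert.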