Techniques
Sample rules
O365 Exfiltration via File Download
- source: splunk
- technicques:
- T1567
- T1530
Description
The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it’s own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
Detection logic
`o365_management_activity` Operation IN ("filedownloaded")
| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
| rename SiteUrl as file_path,Workload as app
| where count > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_exfiltration_via_file_download_filter`