LoFP / users searching excessively or possible false positives related to matching conditions.

Techniques

Sample rules

O365 SharePoint Suspicious Search Behavior

Description

The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a SharePoint site within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a user account and is conducting discovery or enumeration activities.

Detection logic

`o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*) OR Operation=SearchQueryInitiatedSharepoint
| eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null())
| where command != "*" AND command != "(*)"
| bin _time span=1hr
| `o365_sharepoint_suspicious_search_behavior_filter`
| stats values(ScenarioName) as app, values(object_name) as object_name, values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
| where count > 20 OR suspect_terms_count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

O365 Email Suspicious Search Behavior

Description

The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a mailbox within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a mailbox and is conducting discovery or enumeration activities.

Detection logic

`o365_management_activity` Operation=SearchQueryInitiatedExchange
| eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null())
| where command != "*" AND command != "(*)"
| bin _time span=1hr
| `o365_email_suspicious_search_behavior_filter`
| stats values(ScenarioName) as app, values(object_name) as object_name, values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
| where count > 20 OR suspect_terms_count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
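An added Python model of the aggregation logic shared by both rules above (example code, not Splunk's or the rule authors'): it reproduces the command derivation, the wildcard filter, the hourly binning and the `count > 20 OR suspect_terms_count >= 2` thresholds over constructed events. The regex stands in for the `o365_suspect_search_terms_regex` macro, whose contents are not on this page, and the heavy-but-legitimate searcher shows how the distinct-query threshold alone produces the false positive this LoFP entry describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for the `o365_suspect_search_terms_regex` macro, whose contents are
# not on the page; these terms are constructed for the example only.
SUSPECT_TERMS_RE = re.compile(r"password|credential|vpn|payroll", re.IGNORECASE)


def derive_command(event):
    """Mirror the eval: SearchQueryPerformed carries SearchQueryText, others QueryText."""
    if event["Operation"] == "SearchQueryPerformed":
        return event.get("SearchQueryText")
    return event.get("QueryText")


def detect(events, max_count=20, min_suspect=2):
    """Bin by user/operation/hour; return (user, op, hour, dc(command), dc(suspect)) per firing bucket."""
    buckets = defaultdict(lambda: (set(), set()))
    for ev in events:
        command = derive_command(ev)
        if command in (None, "*", "(*)"):  # where command != "*" AND command != "(*)"
            continue
        hour = ev["_time"].replace(minute=0, second=0, microsecond=0)  # bin _time span=1hr
        commands, suspect = buckets[(ev["UserId"].lower(), ev["Operation"], hour)]
        commands.add(command)  # dc(command) counts distinct queries, not raw events
        if SUSPECT_TERMS_RE.search(command):
            suspect.add(command)  # dc(suspect_terms)
    return [(u, op, h, len(c), len(s)) for (u, op, h), (c, s) in sorted(buckets.items())
            if len(c) > max_count or len(s) >= min_suspect]


def sample_events():
    """Constructed events (not real tenant data) exercising each branch of the rule."""
    base = datetime(2024, 1, 15, 9, 5)
    evs = [{"UserId": "Analyst@Example.com", "Operation": "SearchQueryInitiatedSharepoint",
            "QueryText": f"quarterly report {i}", "_time": base + timedelta(minutes=i)}
           for i in range(25)]  # heavy but legitimate searcher: fires on count alone (the LoFP case)
    evs += [{"UserId": "bob@example.com", "Operation": "SearchQueryPerformed",
             "SearchQueryText": q, "_time": base + timedelta(minutes=m)}
            for q, m in (("vpn password", 0), ("payroll export", 20), ("*", 30))]
    # bob: two distinct suspect-term queries fire on suspect_terms_count; "*" is dropped
    return evs


if __name__ == "__main__":
    for hit in detect(sample_events()):
        print(hit)
```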