
O365_SharePoint_FileAccessed_Multiple

ID: 100486

Description:

An aggregation rule that tracks SharePoint FilePreviewed, FileDownloaded, or FileAccessed events in Office 365 audit logs.

This rule triggers when the number of events per one (1) hour exceeds 100. This indicates that a particular user may be viewing or downloading a larger number of files in a short time than would be expected. Possible false positives occur during sync or backup operations, or when a particular user normally handles a large number of files in Office 365.

Notes: The corresponding rule O365_SharePoint_FileAccessed tracks suspicious single events related to Office 365 file access.

Repository: Fluency
Group: Office365
Type: event

Default Status:

Enabled

Tags:
Office365

Selector:

Query:

Filters:

Field MUST hit:
  @sender: office365
  @fields.Operation: FilePreviewed, FileDownloaded, FileAccessed
  @fields.EventSource: SharePoint
Field MUST NOT hit:
  @fields._ip.isp: Microsoft Corporation

Behavior Rule:

Key: @fields.UserId
Type: username
Behavior Category: application activity

Risks:

Risks Base Score Dimension

Attributes:

Alias Key
Operation @fields.Operation
Username @fields.UserId
Workload @fields.Workload
City @fields._ip.city
Country @fields._ip.country
FileName @fields.SourceFileName
IP @fields.ClientIP
ISP @fields._ip.isp

Correlation Rules:

Aggregation:

Name: FilesAccessed
Window: 1 hour
Field: @fields.SourceFileName
AggType: cardinality
Match: gt 100
Risks: FILE_DOWNLOAD ALERT_POLICY
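The Selector filters and the FilesAccessed aggregation above, re-implemented over constructed Office 365 audit records as an added example (not Fluency's own code). It assumes the record layout the rule's keys imply and tumbling one-hour windows keyed on @fields.UserId, and shows why the aggregation counts distinct SourceFileName values rather than raw events: a user re-opening the same few files many times does not trip it, and traffic from the Microsoft Corporation ISP is excluded before counting.

```python
"""Offline re-implementation of rule 100486's filter and aggregation (added example)."""
from collections import defaultdict
from datetime import datetime

THRESHOLD = 100  # Match: cardinality gt 100 (Window: 1 hour)
OPERATIONS = {"FilePreviewed", "FileDownloaded", "FileAccessed"}

def selected(ev):
    """Apply the Selector filters: MUST hit / MUST NOT hit."""
    f = ev["fields"]
    return (ev["sender"] == "office365"
            and f["Operation"] in OPERATIONS
            and f["EventSource"] == "SharePoint"
            and f["_ip"]["isp"] != "Microsoft Corporation")

def aggregate(events):
    """Distinct SourceFileName per UserId per 1-hour bucket (tumbling window assumed)."""
    files = defaultdict(set)
    for ev in filter(selected, events):
        bucket = ev["time"].replace(minute=0, second=0, microsecond=0)
        files[(ev["fields"]["UserId"], bucket)].add(ev["fields"]["SourceFileName"])
    return {key: len(names) for key, names in files.items()}

def alerts(events):
    """Users whose distinct-file count in some hour exceeds the threshold."""
    return sorted(user for (user, _), n in aggregate(events).items() if n > THRESHOLD)

def make(user, name, isp="Example ISP", op="FileAccessed", minute=0):
    """Constructed audit record in the shape the rule's keys imply (not real log data)."""
    return {"sender": "office365",
            "time": datetime(2021, 3, 16, 9, minute % 60),
            "fields": {"UserId": user, "Operation": op, "EventSource": "SharePoint",
                       "SourceFileName": name, "_ip": {"isp": isp}}}

# Constructed sample: 101 distinct files (alert), 150 events over 5 files (no alert),
# and a 200-file burst from the excluded ISP (filtered out).
SAMPLE = (
    [make("alice@example.com", f"doc{i}.docx", minute=i) for i in range(101)]
    + [make("bob@example.com", f"report{i % 5}.xlsx", minute=i) for i in range(150)]
    + [make("svc@example.com", f"sync{i}.pdf", isp="Microsoft Corporation") for i in range(200)]
)

if __name__ == "__main__":
    print(alerts(SAMPLE))  # ['alice@example.com']
```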

History:

User Date
em*n@fluencysecurity.com 2021 Mar 16 03:01:08 EDT
em*n@fluencysecurity.com 2021 Mar 16 17:25:35 EDT
em*n@fluencysecurity.com 2021 Mar 16 17:29:19 EDT
em*n@fluencysecurity.com 2021 Mar 18 09:37:25 EDT
ho*d@fluencysecurity.com 2021 Jul 15 14:01:33 EDT
ho*d@fluencysecurity.com 2021 Jul 15 14:02:44 EDT
ho*d@fluencysecurity.com 2021 Aug 31 20:46:35 EDT
ho*d@fluencysecurity.com 2021 Oct 26 17:35:55 EDT
ho*d@fluencysecurity.com 2021 Dec 23 13:43:01 EST

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)