O365_SharePoint_FileAccessed_Multiple
ID: 100486
Description:
An aggregation rule to track Sharepoint FilePreviewed OR FileDownloaded OR FileAccessed events in Office365 Audit logs.
This rule will trigger when the number of events per one (1) hour exceeds 100. This indicates that a particular user may be quickly viewing/downloading larger number of files than would be expected. Possible false positives occur when sync/backup operations occur, or when a particular user normally handles larger number of files in Office365.
Notes: Corresponding rule O365_SharePoint_FileAccessed tracks suspicious single events related to Office365 file access
Repository: Fluency Group: Office365 Type: event
Default Status:
Enabled
| Tags: |
|---|
| Office365 |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | office365 |
| @fields.Operation | FilePreviewed |
| FileDownloaded | |
| FileAccessed | |
| @fields.EventSource | SharePoint |
| Field | MUST NOT hit |
|---|---|
| @fields._ip.isp | Microsoft Corporation |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| Operation | @fields.Operation |
| Username | @fields.UserId |
| Workload | @fields.Workload |
| City | @fields._ip.city |
| Country | @fields._ip.country |
| FileName | @fields.SourceFileName |
| IP | @fields.ClientIP |
| ISP | @fields._ip.isp |
Correlation Rules:
Aggregation:
| Name | Window | Field | AggType | Match |
|---|---|---|---|---|
| FilesAccessed | 1 hour | @fields.SourceFileName | cardinality | gt 100 |
| Risks: | FILE_DOWNLOAD | ALERT_POLICY |
History:
| User | Date |
|---|---|
| em*n@fluencysecurity.com | 2021 Mar 16 03:01:08 EDT |
| em*n@fluencysecurity.com | 2021 Mar 16 17:25:35 EDT |
| em*n@fluencysecurity.com | 2021 Mar 16 17:29:19 EDT |
| em*n@fluencysecurity.com | 2021 Mar 18 09:37:25 EDT |
| ho*d@fluencysecurity.com | 2021 Jul 15 14:01:33 EDT |
| ho*d@fluencysecurity.com | 2021 Jul 15 14:02:44 EDT |
| ho*d@fluencysecurity.com | 2021 Aug 31 20:46:35 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 26 17:35:55 EDT |
| ho*d@fluencysecurity.com | 2021 Dec 23 13:43:01 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)