O365_SharePoint_FileAccessed
ID: 100485
Description:
An behavior rule to track Sharepoint FilePreviewed OR FileDownloaded OR FileAccessed events in Office365 Audit logs.
This rule will trigger when a user performs file view/access operations from a different location than normal. This could be an indicator of compromise, or a company policy violation.
Notes: Corresponding rule O365_SharePoint_FileAccessed_Multiple tracks multiple / greater-than-expected number of events related to Office365 file access
Repository: Fluency Group: Office365 Type: event
Default Status:
Enabled
| Tags: |
|---|
| Office365 |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | office365 |
| @fields.Operation | FilePreviewed |
| FileDownloaded | |
| FileAccessed | |
| @fields.EventSource | SharePoint |
| Field | MUST NOT hit |
|---|---|
| @fields._ip.isp | Microsoft Corporation |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| Operation | @fields.Operation |
| Username | @fields.UserId |
| Workload | @fields.Workload |
| City | @fields._ip.city |
| Country | @fields._ip.country |
| FileName | @fields.SourceFileName |
| IP | @fields.ClientIP |
| ISP | @fields._ip.isp |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewISP | 30 days | @fields._ip.isp |
| Risks: | SUSPICIOUS_GEO | |
| NewCountry | 30 days | @fields._ip.country |
| Risks: | ML_NEW_GEO_COUNTRY |
History:
| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2021 Aug 31 20:38:05 EDT |
| ho*d@fluencysecurity.com | 2021 Aug 31 20:43:01 EDT |
| ke*y@fluencysecurity.com | 2021 Nov 2 04:19:58 EDT |
| ho*d@fluencysecurity.com | 2021 Dec 23 13:43:01 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)