O365_SharePoint_OneDrive_FileUploaded_Multiple
ID: 100488
Description:
An aggregation rule to track Sharepoint, specifically OneDrive, FileUploaded events in Office365 Audit logs.
This rule will trigger when the number of events per one (1) hour exceeds 20. This indicates that a particular user may be quickly uploading larger number of files than would be expected. Possible false positives occur when sync/backup operations occur, or when a particular user normally handles larger number of files in Office365.
Notes: Corresponding rule O365_SharePoint_OneDrive_FileUploaded tracks suspicious single events related to Office365 SharePoint (OneDrive) file uploads
Repository: Group: Office365 Type: event
Default Status:
Enabled
| Tags: |
|---|
| O365 |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | office365 |
| @fields.Operation | FileUploaded |
| @fields.Workload | OneDrive |
| @fields.EventSource | SharePoint |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| IP | @fields.ClientIP |
| Country | @fields._ip.country |
| City | @fields._ip.city |
| Username | @fields.UserId |
| Workload | @fields.Workload |
| ISP | @fields._ip.isp |
| SourceFileName | @fields.SourceFileName |
| UserAgent | @fields.UserAgent |
Correlation Rules:
Aggregation:
| Name | Window | Field | AggType | Match |
|---|---|---|---|---|
| MultipleEvents | 1 hour | count | gt 20 | |
| Risks: | ALERT_POLICY | BANDWIDTH_ANOMALY |
History:
| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2022 Jan 15 10:48:02 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)