O365_SharePoint_OneDrive_FileUploaded
ID: 100225
Description:
A behavior rule to track Sharepoint, specifically OneDrive, FileUploaded events in Office365 Audit logs.
This rule will trigger when a user performs file upload operations from a different location than normal. This could be an indicator of compromise, or a company policy violation.
This rule will trigger when the number of events per one (1) hour exceeds 20. This indicates that a particular user may be quickly uploading larger number of files than would be expected. Possible false positives occur when sync/backup operations occur, or when a particular user normally handles larger number of files in Office365.
Notes: Corresponding rule O365_SharePoint_OneDrive_FileUploaded_Multiple tracks multiple / greater-than-expected number of events related to Office365 SharePoint (OneDrive) file uploads
Repository: Fluency Group: Office365 Type: event
Default Status:
Enabled
| Tags: |
|---|
| O365 |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | office365 |
| @fields.Operation | FileUploaded |
| @fields.Workload | OneDrive |
| @fields.EventSource | SharePoint |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| IP | @fields.ClientIP |
| Country | @fields._ip.country |
| City | @fields._ip.city |
| Username | @fields.UserId |
| Workload | @fields.Workload |
| ISP | @fields._ip.isp |
| SourceFileName | @fields.SourceFileName |
| UserAgent | @fields.UserAgent |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewCountry | 30 days | @fields._ip.country |
| Risks: | ML_NEW_GEO_COUNTRY | |
| NewISP | 30 days | @fields._ip.isp |
| Risks: | SUSPICIOUS_GEO |
History:
| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2021 Mar 31 10:50:33 EDT |
| ho*d@fluencysecurity.com | 2021 Mar 31 11:16:41 EDT |
| ho*d@fluencysecurity.com | 2021 Jul 15 00:07:44 EDT |
| ke*y@fluencysecurity.com | 2021 Nov 2 04:18:57 EDT |
| ho*d@fluencysecurity.com | 2022 Jan 15 10:51:59 EST |
| ke*y@fluencysecurity.com | 2022 Feb 18 01:12:43 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)