/
sharepoint_downloads.yaml
39 lines (39 loc) · 1.39 KB
/
sharepoint_downloads.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
id: e8ae1375-4640-430c-ae8e-2514d09c71eb
name: SharePointFileOperation via clientIP with previously unseen user agents
description: |
'New user agents associated with a clientIP for SharePoint file uploads/downloads.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (SharePoint)
tactics:
- Exfiltration
relevantTechniques:
- T1030
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
let historicalUA=
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(lookback..starttime)
| summarize by ClientIP, UserAgent;
let recentUA = OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(starttime..endtime)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ClientIP, UserAgent;
recentUA | join kind=leftanti (
historicalUA
) on ClientIP, UserAgent
// Some OfficeActivity records do not contain ClientIP information - exclude these for fewer results
| where not(isempty(ClientIP))
| extend IP_0_Address = ClientIP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
version: 2.0.1