From 098daaf4405ff4222754533e82f86b9a5f7db288 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 27 Feb 2025 10:43:47 -0500
Subject: [PATCH 1/8] Update o365_sharepoint_suspicious_search_behavior.yml

---
 ..._sharepoint_suspicious_search_behavior.yml | 31 ++++++++++---------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
index 52449ed52b..8ab7ecfb4f 100644
--- a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
+++ b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
@@ -1,7 +1,7 @@
 name: O365 SharePoint Suspicious Search Behavior
 id: 6ca919db-52f3-4c95-a4e9-7b189e8a043d
-version: 1
-date: '2025-01-08'
+version: 2
+date: '2025-02-27'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -9,18 +9,20 @@ description: The following analytic identifies when the O365 SharePoint users se
 data_source:
 - Office 365 Universal Audit Log
 search: |-
- `o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*
- | where NOT (match(SearchQueryText, "\*") OR match(SearchQueryText,"(\*)"))
- | eval signature_id = CorrelationId, signature=Operation, src = ClientIP, user = UserId, object_name=EventData, command = SearchQueryText, -time = _time
- | bin _time span=1hr
- | stats values(object_name) as object_name values(command) as command, values(src) as src, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
- | where count > 20 OR match(command, "(?i)password|credential|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing")
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
+ `o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*) OR Operation=SearchQueryInitiatedSharepoint
+ | eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null())
+ | where command != "*" AND command != "(*)"
+ | bin _time span=1hr | `o365_sharepoint_suspicious_search_behavior_filter`
+ | stats values(ScenarioName) as app, values(object_name) as object_name values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
+ | where count > 20 OR suspect_terms_count >= 2
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
 known_false_positives: Users searching excessively or possible false positives related to matching conditions.
 references:
+- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events
+- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
 - https://attack.mitre.org/techniques/T1213/002/
 drilldown_searches:
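Review bot: The new `| where command != "*" AND command != "(*)"` line only drops those two literal strings, whereas the removed `NOT (match(SearchQueryText, "\*") OR match(SearchQueryText,"(\*)"))` excluded every query containing a wildcard, so queries such as `*password*` or `pass*` now count toward both `count > 20` and `suspect_terms_count`. If widening the scope is intended, `how_to_implement` should say so (e.g. "wildcard queries are now counted; tune the 20-query threshold accordingly"); if not, `| where NOT match(command, "\*")` restores the previous exclusion for both event types. Note also that an SPL comparison against a null `command` evaluates to null and `where` then drops the event, so SearchQueryInitiatedSharepoint records that carry no `QueryText` silently disappear at this line, which is presumably acceptable but should be stated in `known_false_positives`. The hunk's `drilldown_searches:` list continues outside the hunk.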
@@ -33,22 +35,23 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: Investigate search behavior by $user$
- search: '`o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$"'
+ search: '`o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$") OR (OR Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: The SharePoint Online was searched suspiciously by $user$
+ message: The user $user$ searched SharePoint suspiciously, $count$ unique terms and $suspect_terms_count$ suspect terms were searched within a limited timeframe.
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 35
 threat_objects:
 - field: src
 type: ip_address
 tags:
 analytic_story:
- - Azure Active Directory Persistence
 - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Compromised User Account
 - CISA AA22-320A
 asset_type: O365 Tenant
 mitre_attack_id:
From a500515a33addfbad1aebd23061f5a6b22a35798 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 27 Feb 2025 10:52:01 -0500
Subject: [PATCH 2/8] Add files via upload

---
 macros/o365_suspect_search_terms_regex.yml | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 macros/o365_suspect_search_terms_regex.yml

diff --git a/macros/o365_suspect_search_terms_regex.yml b/macros/o365_suspect_search_terms_regex.yml
new file mode 100644
index 0000000000..b1dbd9fe3d
--- /dev/null
+++ b/macros/o365_suspect_search_terms_regex.yml
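Review bot: The rewritten drilldown `search:` for "Investigate search behavior by $user$" contains a stray `OR` inside its second parenthesis, `OR (OR Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")`, which is an SPL syntax error and will make that drilldown fail to run from the notable. It should read `... AND UserId = "$user$") OR (Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")`. None of the series' later patches touch this line, so the error ships as-is. The `mitre_attack_id:` list the hunk ends on continues outside the hunk.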
@@ -0,0 +1,3 @@
+definition: "(?i)password|credential$|credentials$|login|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing"
+description: A regex used with match statements preloaded with generic suspicious terms or phrases. Is used to detect malicious actor or insider threat searches, replace/modify these terms to suit your organization.
+name: o365_suspect_search_terms_regex
\ No newline at end of file
From 6961c6ced2a58020ca74d5a96b5e0c443065fafb Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 27 Feb 2025 11:43:30 -0500
Subject: [PATCH 3/8] Add files via upload

---
 .../o365_email_suspicious_search_behavior.yml | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 detections/cloud/o365_email_suspicious_search_behavior.yml

diff --git a/detections/cloud/o365_email_suspicious_search_behavior.yml b/detections/cloud/o365_email_suspicious_search_behavior.yml
new file mode 100644
index 0000000000..5d67c47519
--- /dev/null
+++ b/detections/cloud/o365_email_suspicious_search_behavior.yml
@@ -0,0 +1,70 @@
+name: O365 Email Suspicious Search Behavior
+id: 3b6e1d36-6916-4eec-a7d5-bc98953ba595
+version: 1
+date: '2025-02-27'
+author: Steven Dick
+status: production
+type: Anamoly
+description: The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a mailbox within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a mailbox and is conducting discovery or enumeration activities.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Operation=SearchQueryInitiatedExchange
+ | eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null())
+ | where command != "*" AND command != "(*)"
+ | bin _time span=1hr
+ | `o365_email_suspicious_search_behavior_filter`
+ | stats values(ScenarioName) as app, values(object_name) as object_name values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
+ | where count > 20 OR suspect_terms_count >= 2
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must also enable SearchQueryInitiated category as part of your organizations mailbox audit logging policy. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
+known_false_positives: Users searching excessively or possible false positives related to matching conditions.
+references:
+- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events
+- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
+- https://attack.mitre.org/techniques/T1114/002/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate search behavior by $user$
+ search: '`o365_management_activity` AND Operation=SearchQueryInitiatedExchange AND UserId = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user $user$ searched email suspiciously, $count$ unique terms and $suspect_terms_count$ suspect terms were searched within a limited timeframe.
+ risk_objects:
+ - field: user
+ type: user
+ score: 35
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Compromised User Account
+ - CISA AA22-320A
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1114.002
+ - T1552
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
+ source: o365
+ sourcetype: o365:management:activity
\ No newline at end of file
From 9ca556447582afc26cac9530425b9613b6d22133 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 27 Feb 2025 12:05:57 -0500
Subject: [PATCH 4/8] Update o365_email_suspicious_search_behavior.yml

---
 detections/cloud/o365_email_suspicious_search_behavior.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/cloud/o365_email_suspicious_search_behavior.yml b/detections/cloud/o365_email_suspicious_search_behavior.yml
index 5d67c47519..f9ae1c57ab 100644
--- a/detections/cloud/o365_email_suspicious_search_behavior.yml
+++ b/detections/cloud/o365_email_suspicious_search_behavior.yml
@@ -67,4 +67,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
 source: o365
- sourcetype: o365:management:activity
\ No newline at end of file
+ sourcetype: o365:management:activity
From 65c66a4270c1116ad0ab810c35965559ce96cb90 Mon Sep 17 00:00:00 2001
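Review bot: The `tests:` block of the new email detection points at the SharePoint dataset, `attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log`, while the base search selects only `Operation=SearchQueryInitiatedExchange`; unless that log happens to also contain Exchange search events, the True Positive Test will return zero results and the analytic ships unverified. A dataset of `SearchQueryInitiatedExchange` events, checked in under a T1114.002 path, is needed before this can be marked `status: production`. Separately, the `eval` was carried over from the SharePoint analytic and still branches on `Operation=="SearchQueryPerformed"`, which can never be true after this base search, so `command = QueryText` and `object_name = QuerySource` would state the intent directly. The same `where command != "*" ...` line also drops any event whose `QueryText` is null, which `known_false_positives` or `how_to_implement` should mention.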
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 27 Feb 2025 12:07:13 -0500
Subject: [PATCH 5/8] Update o365_sharepoint_suspicious_search_behavior.yml

---
 detections/cloud/o365_sharepoint_suspicious_search_behavior.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
index 8ab7ecfb4f..87ef5a4414 100644
--- a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
+++ b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
@@ -5,7 +5,7 @@ date: '2025-02-27'
 author: Steven Dick
 status: production
 type: Anomaly
-description: The following analytic identifies when the O365 SharePoint users search for suspicious keywords or have an excessive number of queries within a limited timeframe. This behavior may indicate malicious actor enumeration of SharePoint based data within O365.
+description: The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a SharePoint site within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a user account and is conducting discovery or enumeration activities.
 data_source:
 - Office 365 Universal Audit Log
 search: |-
From 1e9a8c8f2017ad27ed2a84e0635dbb50526d81f0 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 27 Feb 2025 12:10:30 -0500
Subject: [PATCH 6/8] Update o365_email_suspicious_search_behavior.yml

---
 detections/cloud/o365_email_suspicious_search_behavior.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/cloud/o365_email_suspicious_search_behavior.yml b/detections/cloud/o365_email_suspicious_search_behavior.yml
index f9ae1c57ab..f94970bf6b 100644
--- a/detections/cloud/o365_email_suspicious_search_behavior.yml
+++ b/detections/cloud/o365_email_suspicious_search_behavior.yml
@@ -4,7 +4,7 @@ version: 1
 date: '2025-02-27'
 author: Steven Dick
 status: production
-type: Anamoly
+type: Anomaly
 description: The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a mailbox within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a mailbox and is conducting discovery or enumeration activities.
 data_source:
 - Office 365 Universal Audit Log
From 2445b44357cbe25cc501d3a303bfa349b5243ed3 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 12 Mar 2025 07:32:14 -0400
Subject: [PATCH 7/8] Update o365_suspect_search_terms_regex.yml

removing regex using $ because ContentCTL is being dumb and thinks it's a variable.
---
 macros/o365_suspect_search_terms_regex.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/macros/o365_suspect_search_terms_regex.yml b/macros/o365_suspect_search_terms_regex.yml
index b1dbd9fe3d..e5190a3cb3 100644
--- a/macros/o365_suspect_search_terms_regex.yml
+++ b/macros/o365_suspect_search_terms_regex.yml
@@ -1,3 +1,3 @@
-definition: "(?i)password|credential$|credentials$|login|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing"
+definition: "(?i)password|credential|login|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing"
 description: A regex used with match statements preloaded with generic suspicious terms or phrases. Is used to detect malicious actor or insider threat searches, replace/modify these terms to suit your organization.
-name: o365_suspect_search_terms_regex
\ No newline at end of file
+name: o365_suspect_search_terms_regex
From 77dfe52b895e69d2cd0392e3e1eaa39b53cabf36 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Mon, 17 Mar 2025 16:44:09 -0700
Subject: [PATCH 8/8] Update macro

---
 macros/o365_suspect_search_terms_regex.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/macros/o365_suspect_search_terms_regex.yml b/macros/o365_suspect_search_terms_regex.yml
index e5190a3cb3..e78548955f 100644
--- a/macros/o365_suspect_search_terms_regex.yml
+++ b/macros/o365_suspect_search_terms_regex.yml
@@ -1,3 +1,3 @@
-definition: "(?i)password|credential|login|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing"
+definition: "\"(?i)password|credential|login|passwd|shadow|active directory|account|username|network|computer|access|MFA|bank|deposit|payroll|EFT|Electonic Funds|routing\""
 description: A regex used with match statements preloaded with generic suspicious terms or phrases. Is used to detect malicious actor or insider threat searches, replace/modify these terms to suit your organization.
 name: o365_suspect_search_terms_regex
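Review bot: `Electonic Funds` in the new `definition:` is misspelled, so that alternative can never match a query for "Electronic Funds"; it should be `Electronic Funds`. The other tokens are unanchored substrings, so `account` also hits "accounting", `access` hits "accessibility", `login` hits "loginfo", and `network`/`computer` match a large share of ordinary document titles, which will inflate `suspect_terms_count` in both detections that call this macro; wrapping the list as `\"\b(?:password|credential|login|...)\b\"` keeps the case-insensitive match but limits it to whole words. The surrounding escaped quotes added here are what make the macro expand to a string literal inside `match()`, and the `description:` should say so, e.g. `description: A quoted regex used as the second argument of match(); keep the surrounding quotes when editing the term list.`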