O365 Compliance Content Search Started

Original Source: [splunk source]
Name:O365 Compliance Content Search Started
id:f4cabbc7-c19a-4e41-8be5-98daeaccbb50
version:4
date:2024-09-30
author:Mauricio Velazco, Splunk
status:production
type:TTP
Description:The following analytic detects when a content search is initiated within the Office 365 Security and Compliance Center. It leverages the SearchCreated operation from the o365_management_activity logs under the SecurityComplianceCenter workload. This activity is significant as it may indicate an attempt to access sensitive organizational data, including emails and documents. If confirmed malicious, this could lead to unauthorized data access, potential data exfiltration, and compliance violations. Monitoring this behavior helps ensure the integrity and security of organizational data.
Data_source:
search:`o365_management_activity` Workload=SecurityComplianceCenter Operation=SearchCreated
| rename user_id as user
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`
| `o365_compliance_content_search_started_filter`

how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives:Compliance content searches may be executed for legitimate purposes, filter as needed.
References:
  -https://attack.mitre.org/techniques/T1114/002/
   -https://learn.microsoft.com/en-us/purview/ediscovery-content-search-overview
   -https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions
   -https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log
 drilldown_searches:
name:'View the detection results for - "$user$"'
search:'%original_detection_search% | search user = "$user$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$user$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Office 365 Collection Techniques'
  asset_type:O365 Tenant
  confidence:70
  impact:60
  message:A new compliance content search was started by $user$
  mitre_attack_id:
    - 'T1114'
    - 'T1114.002'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'Workload'
    - 'Operation'
    - 'ObjectId'
    - 'ExchangeLocations'
    - 'Query'
    - 'user_id'
  risk_score:42
  security_domain:audit

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log
  sourcetype: o365:management:activity
  source: o365
manual_test:None

Related Analytic Stories


Office 365 Collection Techniques

© 2024 DetectionCode Website. All Rights Reserved.