From 4ca537cde969cf67b597ba7b7b8b5c1ac9ca3166 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 8 Jan 2025 14:56:08 -0500
Subject: [PATCH] initial upload
---
 .../o365_sus_sharepoint_search.log | 3 +++
 .../o365_sus_sharepoint_search.yml | 12 ++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
 create mode 100644 datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
new file mode 100644
index 00000000..da16487b
--- /dev/null
+++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c0edf045b5e5ed56ce67dd3ecd98c2fbfe7b346f8926318c76f268cf87890a1e
+size 29506
diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
new file mode 100644
index 00000000..56570fac
--- /dev/null
+++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml
@@ -0,0 +1,12 @@
+author: Steven Dick
+id: 722e396e-9e74-4516-882d-0fc94f5d2b33
+date: '2024-12-19'
+description: 'Sample of events when Sharepoint is searched for a sensitive term / or high rate of searching.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
+- https://attack.mitre.org/techniques/T1213/002/
\ No newline at end of file
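Review bot: The `description:` line is ambiguous about what the sample contains: "a sensitive term / or high rate of searching" leaves a detection author unsure whether the log exercises both behaviours or only one. Something like `description: 'O365 management activity events recorded while SharePoint is searched for sensitive terms and at a high rate.'` would pin that down, adjusted to whatever the log really holds. The log itself is committed as a Git LFS pointer, so its 29506 bytes cannot be reviewed in this patch; since the sourcetype is `o365:management:activity`, the events presumably carry user principal names, client IPs and tenant identifiers, and it is worth confirming these are attack_range lab values before the dataset is published. The file also ends without a trailing newline.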