M365 SharePoint Search for Sensitive Content

Identifies search queries in SharePoint containing sensitive terms related to credentials, financial data, PII, legal matters, or infrastructure information. Adversaries who compromise user accounts often search for high-value files before exfiltration. This rule detects searches containing terms across multiple sensitivity categories, regardless of the access method (browser, PowerShell, or API). The actual search query text is analyzed against a curated list of sensitive terms to identify potential reconnaissance activity.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/24"
integration = ["o365"]
maturity = "production"
updated_date = "2026/02/24"

[rule]
author = ["Elastic"]
description = """
Identifies search queries in SharePoint containing sensitive terms related to credentials, financial data,
PII, legal matters, or infrastructure information. Adversaries who compromise user accounts often search for high-value
files before exfiltration. This rule detects searches containing terms across multiple sensitivity categories,
regardless of the access method (browser, PowerShell, or API). The actual search query text is analyzed against a
curated list of sensitive terms to identify potential reconnaissance activity.
"""
false_positives = [
    "Security or compliance teams using eDiscovery or Content Search for legitimate investigations.",
    "HR or finance personnel legitimately searching for employee or financial records.",
    "IT administrators searching for configuration or infrastructure documentation.",
    "Legal teams searching for contract or privileged documents.",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "M365 SharePoint Search for Sensitive Content"
note = """## Triage and Analysis

### Investigating M365 SharePoint Search for Sensitive Content

This rule detects search queries in SharePoint or OneDrive that contain sensitive terms. The Microsoft 365 Unified Audit Log captures the actual search query text in the `SearchQueryText` field, allowing detection of reconnaissance activity targeting credentials, financial data, PII, legal documents, or infrastructure information.

#### Possible Investigation Steps

- Identify who performed the search and determine if this user has a legitimate business need to search for this type of content.
- Review the exact search terms used. Multiple sensitive terms in one query are more suspicious.
- Determine if the search was via browser, automation tool (PnP PowerShell), or API.
- Review the source IP and correlate with the user's typical access patterns.
- Look for subsequent file download or access events from the same user/session within minutes of the search.
- Determine if the user is a member of roles that would legitimately search for sensitive content (HR, Finance, Legal, Security, Compliance).
- Check Azure AD sign-in logs for authentication anomalies (device code flow, unusual location).

### Response and Remediation

- If unauthorized search activity is confirmed, immediately review what files were accessed or downloaded following the search.
- Revoke the user's session tokens and require reauthentication with MFA.
- If the account was compromised, reset credentials and investigate the compromise vector.
- Review Data Loss Prevention (DLP) policies to ensure sensitive content is properly protected.
- Consider implementing sensitivity labels and access restrictions on high-value content.
"""
references = ["https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft"]
risk_score = 21
rule_id = "4f2654e4-125b-11f1-af7d-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
web where event.dataset == "o365.audit" and
    event.provider == "SharePoint" and
    event.action == "SearchQueryPerformed" and
    event.outcome == "success" and
    o365.audit.SearchQueryText != null and
    o365.audit.SearchQueryText != "" and
    o365.audit.SearchQueryText like~ (
        /* Credentials and Secrets */
        "*password*", "*credential*", "*secret*", "*api key*", "*apikey*",
        "*token*", "*private key*", "*certificate*", "*ssh*", "*aws*",
        "*azure*", "*gcp*", "*oauth*", "*bearer*", "*connection string*",
        "*access key*", "*secret key*",
        /* Financial */
        "*salary*", "*payroll*", "*compensation*", "*budget*", "*revenue*",
        "*financial*", "*banking*", "*invoice*", "*wire transfer*", "*account number*",
        "*credit card*", "*routing number*", "*profit*", "*expense*", "*1099*",
        /* Legal and Compliance */
        "*confidential*", "*privileged*", "*attorney*", "*legal hold*", "*settlement*",
        "*contract*", "*nda*", "*merger*", "*acquisition*", "*litigation*",
        "*subpoena*", "*trade secret*", "*intellectual property*", "*proprietary*",
        "*internal*", "*proposal*", "*poc*",
        /* HR and PII */
        "*ssn*", "*social security*", "*employee*", "*personnel*", "*performance review*",
        "*termination*", "*tax*", "*w2*", "*benefits*", "*background check*",
        "*medical*", "*hipaa*", "*passport*", "*driver license*", "*dob*",
        /* Infrastructure and IT */
        "*admin*", "*root*", "*vpn*", "*firewall*", "*network diagram*",
        "*architecture*", "*topology*", "*production*", "*database*", "*config*",
        "*backup*", "*disaster recovery*", "*vulnerability*", "*pentest*", "*security audit*",
        "*salesforce*"
    )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1619"
name = "Cloud Storage Object Discovery"
reference = "https://attack.mitre.org/techniques/T1619/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.002"
name = "Sharepoint"
reference = "https://attack.mitre.org/techniques/T1213/002/"

[[rule.threat]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
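The following Python is an added example, not Elastic's rule engine or any code from the rule repository. It re-implements the query's filter conditions and its case-insensitive `like~` wildcard matching over a handful of constructed `o365.audit` events, so a detection engineer can see exactly which term list entries fire on a given `SearchQueryText` and how many sensitivity categories one query touches (the triage guide's "multiple sensitive terms in one query" signal). The nested ECS field layout (`event.*`, `user.name`, `o365.audit.SearchQueryText`) and the sample users and queries are assumptions for the example; the term list itself is copied from the rule query above.

```python
"""Offline re-implementation of the rule's matching logic (example only, not the rule engine)."""
import re

# Patterns copied verbatim from the rule query, grouped under its own comment headings.
SENSITIVE_TERMS = {
    "credentials": [
        "*password*", "*credential*", "*secret*", "*api key*", "*apikey*",
        "*token*", "*private key*", "*certificate*", "*ssh*", "*aws*",
        "*azure*", "*gcp*", "*oauth*", "*bearer*", "*connection string*",
        "*access key*", "*secret key*",
    ],
    "financial": [
        "*salary*", "*payroll*", "*compensation*", "*budget*", "*revenue*",
        "*financial*", "*banking*", "*invoice*", "*wire transfer*", "*account number*",
        "*credit card*", "*routing number*", "*profit*", "*expense*", "*1099*",
    ],
    "legal": [
        "*confidential*", "*privileged*", "*attorney*", "*legal hold*", "*settlement*",
        "*contract*", "*nda*", "*merger*", "*acquisition*", "*litigation*",
        "*subpoena*", "*trade secret*", "*intellectual property*", "*proprietary*",
        "*internal*", "*proposal*", "*poc*",
    ],
    "hr_pii": [
        "*ssn*", "*social security*", "*employee*", "*personnel*", "*performance review*",
        "*termination*", "*tax*", "*w2*", "*benefits*", "*background check*",
        "*medical*", "*hipaa*", "*passport*", "*driver license*", "*dob*",
    ],
    "infrastructure": [
        "*admin*", "*root*", "*vpn*", "*firewall*", "*network diagram*",
        "*architecture*", "*topology*", "*production*", "*database*", "*config*",
        "*backup*", "*disaster recovery*", "*vulnerability*", "*pentest*", "*security audit*",
        "*salesforce*",
    ],
}

# The equality filters at the top of the EQL query (dotted ECS paths are an assumption).
REQUIRED = {"event.dataset": "o365.audit", "event.provider": "SharePoint",
            "event.action": "SearchQueryPerformed", "event.outcome": "success"}


def like_ci(value, pattern):
    """EQL `like~` semantics: case-insensitive, `*` matches any run, `?` one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def sensitive_categories(query_text):
    """Return {category: [matched patterns]} for one SearchQueryText value."""
    hits = {}
    for category, patterns in SENSITIVE_TERMS.items():
        matched = [p for p in patterns if like_ci(query_text, p)]
        if matched:
            hits[category] = matched
    return hits


def field(event, path):
    """Walk a dotted path such as "o365.audit.SearchQueryText" through a nested dict."""
    for key in path.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event


def evaluate(event):
    """Apply the rule's filters to one event; return an alert dict or None."""
    if any(field(event, k) != v for k, v in REQUIRED.items()):
        return None
    query = field(event, "o365.audit.SearchQueryText")
    if not query:  # covers both `!= null` and `!= ""`
        return None
    hits = sensitive_categories(query)
    if not hits:
        return None
    # category_count carries the triage hint: more categories in one query is more suspicious.
    return {"user": field(event, "user.name"), "query": query,
            "matches": hits, "category_count": len(hits)}


def run(events):
    return [a for a in (evaluate(e) for e in events) if a is not None]


def make_event(query, user="user@example.com", provider="SharePoint", outcome="success"):
    """Build a constructed audit event in the nested shape this example assumes."""
    return {"event": {"dataset": "o365.audit", "provider": provider,
                      "action": "SearchQueryPerformed", "outcome": outcome},
            "user": {"name": user},
            "o365": {"audit": {"SearchQueryText": query}}}


# Constructed sample events; none of these come from a real tenant.
SAMPLE_EVENTS = [
    make_event("payroll password list"),              # credentials + financial: two categories
    make_event("syntax highlighting guide"),          # "*tax*" substring hit inside "syntax": benign
    make_event("team lunch menu"),                    # no sensitive terms
    make_event("payroll export", outcome="failure"),  # filtered out: outcome != success
    make_event(""),                                   # filtered out: empty query text
    make_event("budget 2026", provider="Exchange"),   # filtered out: provider != SharePoint
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["user"], repr(alert["query"]), alert["category_count"], alert["matches"])
```

Running it yields two alerts: the "payroll password list" query fires on two categories, while "syntax highlighting guide" fires only because `*tax*` is an unanchored substring pattern. That second case shows why the rule ships with a low risk score and lists HR, finance, legal and IT staff as expected false positives, and why the investigation steps lean on who searched, from where, and what was downloaded afterwards rather than on the term hit alone.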
