Skip to content

Commit

Permalink
Update o365_sharepoint_suspicious_search_behavior.yml
Browse files Browse the repository at this point in the history
  • Loading branch information
@nterl0k
nterl0k authored Jan 15, 2025
1 parent 0adf977 commit fb41db9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: Investigate search behavior by $user$
search: '`o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = $user|s$'
search: '`o365_management_activity` Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
Expand Down

0 comments on commit fb41db9

Please sign in to comment.