Detect Data from Information Repositories in Splunk
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion. Targets include SharePoint, Confluence, code repositories, CRM systems, databases, and messaging platforms such as Slack and Microsoft Teams. Adversaries may harvest credentials, network diagrams, system architecture documentation, PII, or source code from these repositories. Cloud-native services (AWS RDS, ElasticSearch, Redis) may also be improperly secured, enabling unauthenticated access to sensitive data stores.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1213 Data from Information Repositories
- Canonical reference: https://attack.mitre.org/techniques/T1213/
SPL Detection Query
`comment("--- Branch 1: Bulk file access (tstats over the accelerated O365 data model, 1-hour buckets per user) ---")`
| tstats count as OperationCount, dc(Office365.ObjectId) as UniqueFiles, values(Office365.Operation) as Operations, values(Office365.ClientIP) as SourceIPs
    from datamodel=Office365 where (Office365.Workload="SharePoint" OR Office365.Workload="OneDrive")
    AND (Office365.Operation="FileDownloaded" OR Office365.Operation="FileSyncDownloadedFull" OR Office365.Operation="FileAccessed" OR Office365.Operation="FilePreviewed")
    by Office365.UserId, _time span=1h
| rename Office365.UserId as UserId
| where OperationCount >= 50
| eval RiskLevel=case(OperationCount >= 500, "Critical", OperationCount >= 200, "High", OperationCount >= 50, "Medium", true(), "Low")
| eval DetectionBranch="BulkFileAccess"
| table _time, UserId, OperationCount, UniqueFiles, Operations, SourceIPs, RiskLevel, DetectionBranch
`comment("--- Branch 2: Sensitive keyword searches. Appended as a raw-event subsearch because SearchQuery is not in the default O365 data model; subsearch result and time limits apply, so union or a separate scheduled search may be preferable at scale ---")`
| append
    [ search index=o365 sourcetype="o365:management:activity"
        (Workload="SharePoint" OR Workload="OneDrive")
        Operation="SearchQueryPerformed"
        (SearchQuery="*password*" OR SearchQuery="*credential*" OR SearchQuery="*vpn*"
        OR SearchQuery="*api key*" OR SearchQuery="*secret*" OR SearchQuery="*private key*"
        OR SearchQuery="*connection string*" OR SearchQuery="*network diagram*"
        OR SearchQuery="*architecture*" OR SearchQuery="*payroll*" OR SearchQuery="*salary*")
    | stats count as SearchCount, dc(SearchQuery) as UniqueQueries, values(SearchQuery) as QuerySamples, values(ClientIP) as SourceIPs by UserId
    | where SearchCount >= 3
    | eval RiskLevel="High", DetectionBranch="SensitiveKeywordSearch"
    | table UserId, SearchCount, UniqueQueries, QuerySamples, SourceIPs, RiskLevel, DetectionBranch ]
Detects bulk file access and sensitive keyword searches in SharePoint and OneDrive using the Splunk O365 data model and the raw o365:management:activity sourcetype. Branch 1 uses tstats against the accelerated O365 data model for high-performance bulk access detection (threshold: 50 or more file operations per user per hour). Branch 2 uses a raw search against o365:management:activity to detect searches for sensitive keywords including passwords, credentials, API keys, and network documentation (threshold: 3 or more matching searches per user). Both branches include risk scoring to help analysts prioritize alerts. Requires the Splunk Add-on for Microsoft Office 365 and an accelerated O365 data model.
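To validate the thresholds and risk tiers offline before deploying the SPL, the following Python re-implements both branches over constructed o365:management:activity-style records. This is an added example, not the page's query or the Splunk add-on's code; the users, tenant paths and IP address are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations and keywords taken from the two SPL branches above.
FILE_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FilePreviewed"}
SENSITIVE = ["password", "credential", "vpn", "api key", "secret", "private key",
             "connection string", "network diagram", "architecture", "payroll", "salary"]
T0 = datetime(2024, 5, 1, 9, 0, 0)  # start of the constructed one-hour window

def risk_level(count):
    """Mirror of the Branch 1 case() expression."""
    return "Critical" if count >= 500 else "High" if count >= 200 else "Medium" if count >= 50 else "Low"

def bulk_file_access(events, threshold=50):
    """Branch 1: file operations per user per one-hour bucket (tstats ... by UserId _time span=1h)."""
    buckets = defaultdict(list)
    for e in events:
        if e["Workload"] in ("SharePoint", "OneDrive") and e["Operation"] in FILE_OPS:
            hour = e["CreationTime"].replace(minute=0, second=0, microsecond=0)
            buckets[(e["UserId"], hour)].append(e)
    return [{"_time": hour, "UserId": user, "OperationCount": len(evs),
             "UniqueFiles": len({x["ObjectId"] for x in evs}),
             "SourceIPs": sorted({x["ClientIP"] for x in evs}),
             "RiskLevel": risk_level(len(evs)), "DetectionBranch": "BulkFileAccess"}
            for (user, hour), evs in sorted(buckets.items()) if len(evs) >= threshold]

def sensitive_keyword_searches(events, min_count=3):
    """Branch 2: users with 3+ SharePoint/OneDrive searches matching a sensitive term."""
    per_user = defaultdict(list)
    for e in events:
        query = e.get("SearchQuery", "").lower()  # SPL wildcard matches are case-insensitive
        if (e["Operation"] == "SearchQueryPerformed" and e["Workload"] in ("SharePoint", "OneDrive")
                and any(k in query for k in SENSITIVE)):
            per_user[e["UserId"]].append(e)
    return [{"UserId": u, "SearchCount": len(evs), "UniqueQueries": len({x["SearchQuery"] for x in evs}),
             "RiskLevel": "High", "DetectionBranch": "SensitiveKeywordSearch"}
            for u, evs in per_user.items() if len(evs) >= min_count]

def _event(user, op, obj, seconds, **extra):
    # One constructed o365:management:activity-style record for a hypothetical tenant.
    return dict(CreationTime=T0 + timedelta(seconds=seconds), UserId=user, Operation=op,
                Workload="SharePoint", ObjectId=obj, ClientIP="203.0.113.10", **extra)

def sample_events():
    """Constructed sample: one bulk downloader (120 files), one normal user, one keyword searcher."""
    events = [_event("alice@contoso.com", "FileDownloaded", f"/sites/eng/Shared Documents/design-{i}.docx", i * 30) for i in range(120)]
    events += [_event("bob@contoso.com", "FileAccessed", "/sites/eng/Shared Documents/readme.txt", i * 600) for i in range(5)]
    events += [_event("carol@contoso.com", "SearchQueryPerformed", "", i * 60, SearchQuery=q)
               for i, q in enumerate(["vpn config", "Password list", "prod api key"])]
    return events
```

Running `bulk_file_access(sample_events())` returns one Medium-risk row for alice (120 operations, 120 unique files) and nothing for bob, while `sensitive_keyword_searches(sample_events())` flags carol with three distinct matching queries.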
Data Sources
Required Sourcetypes
False Positives & Tuning
- Migration projects using ShareGate, AvePoint, or similar tools that perform bulk file reads during tenant-to-tenant migrations
- Backup and archival solutions that index or download SharePoint content on a schedule
- eDiscovery tools performing legal hold searches that match sensitive keywords across document libraries
- Security compliance scanners (Varonis, Nightfall, Purview) that crawl SharePoint searching for sensitive data patterns
- IT administrators using SharePoint REST API or PnP PowerShell for legitimate content management tasks
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Bulk SharePoint Document Download via PnP PowerShell
Expected signal: OfficeActivity events: Operation=FileDownloaded for each downloaded file, Workload=SharePoint, UserId=authenticated user UPN, ClientIP=executing machine IP. Azure AD SigninLogs: interactive authentication event for the SharePoint OAuth flow. Sysmon Event ID 1: Process Create for powershell.exe with PnP module loading.
- Test 2: SharePoint Sensitive Keyword Search via REST API
Expected signal: OfficeActivity events: Operation=SearchQueryPerformed for each API search call, with SearchQuery field containing the sensitive keyword, Workload=SharePoint, UserId=authenticated user. Multiple events in quick succession for each term searched.
- Test 3: Confluence REST API Page Enumeration and Export
Expected signal: Confluence access logs (atlassian-confluence.log): GET requests to /wiki/rest/api/space and /wiki/rest/api/search endpoints with user authentication. If Confluence audit logging is enabled: search events appear in Administration > Audit Log. Network proxy logs: HTTP requests to the Confluence FQDN with search query parameters visible in URL.
- Test 4: Microsoft Teams Message Export via Graph API
Expected signal: OfficeActivity events: Operation=MessageRead or similar Teams audit events, Workload=MicrosoftTeams. Azure AD SigninLogs: token acquisition for Graph API with Teams scopes. AuditLogs: Microsoft Graph API calls for Team and ChannelMessage read operations. Microsoft Defender for Cloud Apps: Graph API activity anomaly if CASB is configured.
References (10)
- https://attack.mitre.org/techniques/T1213/
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance
- https://learn.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide
- https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- https://learn.microsoft.com/en-us/graph/teams-list-all-teams
- https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots
- https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213/T1213.md
- https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps