Programmatic or excessive access to file shares, SharePoint, or database repositories by users not typically interacting with them. This includes abnormal access by privileged accounts, enumeration of large numbers of files, or downloads of sensitive content in bursts.

| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| Cloud Storage Access (DC0025) | m365:unified | Accessed SharePoint files or pages |

| Field | Description |
|---|---|
| UserContext | Privileged users may be excluded if they routinely perform admin actions on SharePoint or file shares. |
| AccessVolumeThreshold | The number of files accessed or pages retrieved in a short window to flag as abnormal. |
| TimeWindow | The time range (e.g., 5 minutes, 1 hour) in which burst access patterns are considered anomalous. |
Command-line tools (e.g., curl, rsync, wget, or custom Python scripts) used to scrape documentation systems or internal REST APIs. Unusual access patterns to knowledge base folders or shared team drives.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve of curl, rsync, or wget targeting internal knowledge base hosts or IPs |
| Network Connection Creation (DC0082) | linux:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| CommandRegex | Regex matching internal doc servers, knowledge base paths, or IP patterns. |
| TimeWindow | The time window over which burst access to repositories is considered anomalous. |
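The Linux analytic above keys on auditd execve records, which split one command across a SYSCALL record (uid, exe) and an EXECVE record (argv) sharing a serial, and which hex-encode any argument containing a space or control character. The following is an added example, not code from the ATT&CK page or any project it references: it joins the two record types, decodes hex-encoded arguments so the CommandRegex cannot be sidestepped by an encoded URL, applies a tool list plus an internal-host pattern, and counts matches per uid inside a time window. The sample records, the `internal.example` host names, the tool list, threshold and window are constructed placeholders an organisation would replace with its own.

```python
"""Decode auditd execve records and apply a CommandRegex for internal repositories.
Added example; the audit lines, host pattern, tool list and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed SYSCALL/EXECVE pairs as auditd emits them for an execve rule.
# Serial 4568 carries a hex-encoded URL because the path contains a space.
AUDIT_SAMPLE = """
type=SYSCALL msg=audit(1714554000.101:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2233 auid=1001 uid=1001 gid=1001 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1714554000.101:4567): argc=3 a0="curl" a1="-s" a2="http://kb.internal.example/rest/api/content?limit=500"
type=SYSCALL msg=audit(1714554030.202:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2240 auid=1001 uid=1001 gid=1001 comm="wget" exe="/usr/bin/wget" key="exec"
type=EXECVE msg=audit(1714554030.202:4568): argc=3 a0="wget" a1="-r" a2=687474703A2F2F77696B692E696E7465726E616C2E6578616D706C652F70616765732F416C6C20446F6373
type=SYSCALL msg=audit(1714554060.303:4569): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2251 auid=1001 uid=1001 gid=1001 comm="rsync" exe="/usr/bin/rsync" key="exec"
type=EXECVE msg=audit(1714554060.303:4569): argc=4 a0="rsync" a1="-a" a2="10.20.30.40:/srv/kb/" a3="/tmp/kb/"
type=SYSCALL msg=audit(1714554100.404:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3122 auid=1002 uid=1002 gid=1002 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1714554100.404:4570): argc=2 a0="curl" a1="https://example.org/"
type=SYSCALL msg=audit(1714554120.505:4571): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3130 auid=1002 uid=1002 gid=1002 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1714554120.505:4571): argc=2 a0="ls" a1="/srv/kb"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TOOL_RE = re.compile(r'^(curl|wget|rsync|python3?)$')
# CommandRegex placeholder: internal doc/knowledge-base hosts and 10/8 addresses
COMMAND_RE = re.compile(
    r'(?:kb|wiki|confluence)\.internal\.example|\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b')


def decode_arg(raw):
    """auditd quotes printable arguments; anything else is hex-encoded and unquoted."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_audit(text):
    """Join SYSCALL and EXECVE records by serial into {ts, serial, uid, exe, argv}."""
    events = {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        kv = dict(KV_RE.findall(body))
        ev = events.setdefault(serial, {'ts': float(ts), 'serial': int(serial),
                                        'uid': None, 'exe': None, 'argv': []})
        if rtype == 'SYSCALL':
            ev['uid'] = kv.get('uid')
            ev['exe'] = decode_arg(kv.get('exe', ''))
        elif rtype == 'EXECVE':
            args = sorted((int(k[1:]), v) for k, v in kv.items() if re.fullmatch(r'a\d+', k))
            ev['argv'] = [decode_arg(v) for _, v in args]
    return sorted(events.values(), key=lambda e: e['serial'])


def match_commands(events):
    """Keep commands whose tool is on the list and whose decoded argv hits COMMAND_RE."""
    hits = []
    for ev in events:
        if not ev['argv']:
            continue
        tool = ev['argv'][0].rsplit('/', 1)[-1]
        cmdline = ' '.join(ev['argv'])
        if TOOL_RE.match(tool) and COMMAND_RE.search(cmdline):
            hits.append({'ts': ev['ts'], 'uid': ev['uid'], 'cmdline': cmdline})
    return hits


def burst_by_uid(hits, threshold=3, window_s=300):
    """Per uid, the most matching commands inside any window_s span; flag at threshold."""
    per_uid = defaultdict(list)
    for h in hits:
        per_uid[h['uid']].append(h['ts'])
    flagged = {}
    for uid, times in per_uid.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[uid] = best
    return flagged


if __name__ == '__main__':
    hits = match_commands(parse_audit(AUDIT_SAMPLE))
    for h in hits:
        print(f"uid={h['uid']} {h['cmdline']}")
    print('burst:', burst_by_uid(hits))
```

Only uid 1001 is flagged: its three commands target an internal host or 10/8 address within 60 seconds, while uid 1002's curl goes to an external site and `ls` is not on the tool list. Matching on decoded argv rather than on `comm` or `exe` alone is what catches the wget whose URL auditd hex-encoded.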
Abuse of SaaS platforms such as Confluence, GitHub, SharePoint Online, or Slack to access excessive internal documentation or export source code/data. Includes use of tokens or browser automation from unapproved IPs.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:confluence | access.content |
| Cloud Service Modification (DC0069) | saas:slack | Exported file or accessed admin API |

| Field | Description |
|---|---|
| APIUsageThreshold | Number of API calls or files accessed before triggering detection. |
| KnownSafeIPs | Whitelist of internal IPs/users that may be excluded from detection. |
Access of mounted cloud shares or document repositories via browser, terminal, or Finder by users not typically interacting with those resources. Includes script-based enumeration or mass download.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | macos:unifiedlog | access to /Volumes/SharePoint or network mount |
| Process Creation (DC0032) | macos:osquery | curl, python scripts, rsync with internal share URLs |

| Field | Description |
|---|---|
| AccessedMountPath | Paths to sensitive volumes may differ based on org setup. |
| UserGroup | Expected user groups that typically access shared data. |
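The Windows, SaaS and macOS analytics on this page share one detection shape: count the distinct repository objects a principal touches inside a time window, exclude principals and source addresses that are known to do this routinely, and separately flag principals outside the group expected to use a repository. The following is an added example, not code from the ATT&CK page or any referenced project; it implements that shape once over a constructed, already-normalised event set mixing Security 5145 share access, Microsoft 365 unified-audit SharePoint access and macOS unified-log access to a mounted share. The field names `UserContext`, `AccessVolumeThreshold`, `TimeWindow`, `KnownSafeIPs` and `UserGroup` map to the module-level tunables; their values, the user names, hosts and paths are all constructed placeholders.

```python
"""Burst-access and unexpected-user detector for information repositories.
Added example; sample events and tunable values are constructed placeholders."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

ACCESS_VOLUME_THRESHOLD = 5                    # distinct resources inside one window
TIME_WINDOW = timedelta(minutes=5)             # sliding window length
EXCLUDED_USERS = {"svc-backup"}                # UserContext: routine admin/backup accounts
KNOWN_SAFE_IPS = {"10.0.0.5"}                  # KnownSafeIPs: e.g. an approved DLP crawler
EXPECTED_USER_GROUPS = {"finance": {"alice"}}  # UserGroup: who normally uses a tagged repo


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    source: str      # win:5145 | m365:unified | macos:unifiedlog
    user: str
    resource: str    # UNC path, SharePoint URL, or mount path
    src_ip: str


# Constructed normalised events: timestamp|source|user|resource|source_ip
SAMPLE_LOG = r"""
2024-05-01T09:00:01|win:5145|bob|\\fs01\finance\q1.xlsx|10.0.0.22
2024-05-01T09:00:15|win:5145|bob|\\fs01\finance\q2.xlsx|10.0.0.22
2024-05-01T09:01:02|win:5145|bob|\\fs01\finance\q3.xlsx|10.0.0.22
2024-05-01T09:01:40|win:5145|bob|\\fs01\finance\q4.xlsx|10.0.0.22
2024-05-01T09:02:11|win:5145|bob|\\fs01\finance\budget.docx|10.0.0.22
2024-05-01T09:00:05|m365:unified|alice|https://tenant.sharepoint.com/sites/finance/a.docx|10.0.0.7
2024-05-01T09:30:00|m365:unified|alice|https://tenant.sharepoint.com/sites/finance/b.docx|10.0.0.7
2024-05-01T09:00:00|win:5145|svc-backup|\\fs01\finance\q1.xlsx|10.0.0.9
2024-05-01T09:00:10|win:5145|svc-backup|\\fs01\finance\q2.xlsx|10.0.0.9
2024-05-01T09:00:20|win:5145|svc-backup|\\fs01\finance\q3.xlsx|10.0.0.9
2024-05-01T09:00:30|win:5145|svc-backup|\\fs01\finance\q4.xlsx|10.0.0.9
2024-05-01T09:00:40|win:5145|svc-backup|\\fs01\finance\budget.docx|10.0.0.9
2024-05-01T09:00:50|win:5145|svc-backup|\\fs01\finance\forecast.xlsx|10.0.0.9
2024-05-01T09:10:00|win:5145|dave|\\fs01\hr\emp1.xlsx|10.0.0.31
2024-05-01T09:12:00|win:5145|dave|\\fs01\hr\emp2.xlsx|10.0.0.31
2024-05-01T09:14:00|win:5145|dave|\\fs01\hr\emp3.xlsx|10.0.0.31
2024-05-01T09:16:00|win:5145|dave|\\fs01\hr\emp4.xlsx|10.0.0.31
2024-05-01T09:18:00|win:5145|dave|\\fs01\hr\emp5.xlsx|10.0.0.31
2024-05-01T09:20:00|win:5145|dave|\\fs01\hr\emp6.xlsx|10.0.0.31
2024-05-01T10:00:00|macos:unifiedlog|carol|/Volumes/SharePoint/finance/x.pdf|10.0.0.5
2024-05-01T10:00:03|macos:unifiedlog|carol|/Volumes/SharePoint/finance/y.pdf|10.0.0.5
"""


def parse_events(text):
    """Parse the pipe-delimited constructed format into AccessEvent objects."""
    events = []
    for line in text.strip().splitlines():
        ts, source, user, resource, ip = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), source, user, resource, ip))
    return events


def detect_bursts(events, threshold=ACCESS_VOLUME_THRESHOLD, window=TIME_WINDOW,
                  excluded_users=EXCLUDED_USERS, safe_ips=KNOWN_SAFE_IPS):
    """Per user, keep a sliding window of events; alert once when the number of
    distinct resources inside the window reaches threshold. Returns (user, first_ts, n)."""
    windows = defaultdict(deque)
    alerts, alerted = [], set()
    for e in sorted(events, key=lambda x: x.ts):
        if e.user in excluded_users or e.src_ip in safe_ips:
            continue
        q = windows[e.user]
        q.append(e)
        while q and e.ts - q[0].ts > window:   # drop events older than the window
            q.popleft()
        distinct = {x.resource for x in q}
        if len(distinct) >= threshold and e.user not in alerted:
            alerts.append((e.user, q[0].ts, len(distinct)))
            alerted.add(e.user)
    return alerts


def unexpected_access(events, expected=EXPECTED_USER_GROUPS, excluded_users=EXCLUDED_USERS):
    """Users touching a tagged repository without being in its expected group."""
    flagged = set()
    for e in events:
        if e.user in excluded_users:
            continue
        for tag, members in expected.items():
            if tag in e.resource.lower() and e.user not in members:
                flagged.add((e.user, tag))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("bursts:", detect_bursts(evs))
    print("unexpected:", sorted(unexpected_access(evs)))
```

Reading the output against the sample: bob is the only burst, five finance files inside two minutes. svc-backup touches six files in under a minute but is excluded by `UserContext`; carol's macOS access comes from a `KnownSafeIPs` address; dave's six HR files are two minutes apart, so no five-minute window ever holds more than three of them, which is the point of tuning `TimeWindow` together with `AccessVolumeThreshold`. The group check is independent of volume: bob and carol are both flagged for touching finance material without being in its expected group, while alice is not.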