Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASSuspiciousFilesSharepoint.yaml

id: dfd91afc-66f0-4661-90d7-82f9b5bf3d8f
name: Trend Micro CAS - Suspicious files on sharepoint
description: |
  'Query searches for suspicious files on sharepoint.'
severity: Medium
requiredDataConnectors:
  - connectorId: TrendMicroCAS
    dataTypes:
      - TrendMicroCAS
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  TrendMicroCAS
  | where TimeGenerated > ago(24h)
  | where EventCategoryType =~ 'sharepoint'
  | where EventOriginalResultDetails =~ 'Quarantine'
  | project DetectionTime, DstUserName, SrcFileName, SrcFileSHA1, SrcFileSHA256, SecurityRiskName
  | extend AccountCustomEntity = DstUserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity