From e22ae5e4892e24759cea71c68aa9a5a76eb175df Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 23 Mar 2026 12:39:28 -0400
Subject: [PATCH] [Rule Tuning] M365 SharePoint/OneDrive File Access via PowerShell - Convert to new_terms

Fixes #5872
---
 ...arepoint_file_download_via_powershell.toml | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
index f2e5eb1098f..89da65e6eac 100644
--- a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
+++ b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ tags = [
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 
 query = '''
 event.dataset: "o365.audit" and
@@ -114,3 +114,25 @@ id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
 
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.id",
+ "user_agent.original",
+ "event.action",
+ "event.provider",
+ "source.ip",
+ "source.geo.country_name",
+ "o365.audit.ApplicationId",
+ "o365.audit.SiteUrl",
+ "file.name",
+ "file.directory",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "user_agent.original"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
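Review bot: In the third hunk, `value = ["user.id", "user_agent.original"]` makes a client-supplied, version-bearing string part of the new-terms identity, so routine PowerShell or OS updates change the pair and re-alert for the same user, while any user.id / user_agent.original pair already observed inside the `now-7d` window is suppressed for that period regardless of what is accessed. That trade-off is worth stating where analysts will read it: the rule's `description` and `note` fields are outside this diff and presumably still describe the old query-rule behaviour, and should gain a sentence such as "This rule alerts only on the first observed combination of user.id and user_agent.original within the 7-day history window; repeated access with an already-seen pair does not alert." It may also be worth reconsidering whether `now-7d` is a long enough baseline when one of the keyed fields is a user-agent string, since a longer window reduces churn-driven re-alerts at the cost of a longer quiet period for known pairs.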