
M365 SharePoint Search for Sensitive Content

Elastic Detection Rules

Summary
This detection rule identifies search queries in Microsoft SharePoint that contain sensitive terms commonly associated with credentials, financial data, personally identifiable information (PII), legal matters, or infrastructure details. Such terms in a user's search queries can indicate reconnaissance by an adversary who has compromised the account. The rule uses Microsoft 365 audit log data, specifically the 'SearchQueryText' field, and matches queries against a pre-defined list of sensitive keywords grouped into those categories. It covers searches executed through any access method, including web browsers, PowerShell, and API calls, so that unauthorized search activity is detected regardless of how the query was issued.
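The matching logic the summary describes, as an added example written for this page rather than Elastic's own rule or query: it reads Microsoft 365 audit events, keeps only SharePoint records that carry a 'SearchQueryText' field, matches the query text against keyword categories, and emits an alert record with the user, source IP, matched terms and an inferred access method. The keyword lists, the sample events, the UserAgent-based access-method heuristic and the helper names (`classify_query`, `evaluate_event`, `scan`) are all assumptions constructed for illustration, not the rule's actual keyword set.

```python
"""Keyword-category matching over Microsoft 365 audit events (example code
written for this page; not Elastic's rule). Keyword lists, sample events and
the access-method heuristic are constructed for illustration."""
import json
import re
from typing import Dict, List, Optional

# Constructed keyword categories (assumption: illustrative, not the rule's list).
SENSITIVE_TERMS: Dict[str, List[str]] = {
    "credentials": ["password", "passwd", "secret", "api key", "token"],
    "financial": ["bank account", "credit card", "payroll", "salary"],
    "pii": ["ssn", "social security", "passport", "date of birth"],
    "legal": ["nda", "lawsuit", "litigation", "confidential"],
    "infrastructure": ["vpn", "firewall", "network diagram", "admin"],
}

# One compiled pattern per category. Word boundaries keep short terms such as
# "nda" from firing on unrelated words like "standard".
_PATTERNS = {
    category: re.compile(
        r"\b(" + "|".join(re.escape(t) for t in terms) + r")\b", re.IGNORECASE
    )
    for category, terms in SENSITIVE_TERMS.items()
}


def classify_query(query: str) -> Dict[str, List[str]]:
    """Return {category: [matched terms]} for every category that matches."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in _PATTERNS.items():
        found = [m.lower() for m in pattern.findall(query)]
        if found:
            hits[category] = list(dict.fromkeys(found))  # de-duplicate, keep order
    return hits


def access_method(user_agent: Optional[str]) -> str:
    """Heuristic (assumption) mapping the audit record's UserAgent to a channel."""
    ua = (user_agent or "").lower()
    if "powershell" in ua:
        return "powershell"
    if "mozilla" in ua:
        return "browser"
    return "api_or_other"


def evaluate_event(raw: str) -> Optional[dict]:
    """Parse one audit record (JSON) and return an alert dict, or None."""
    event = json.loads(raw)
    # Only SharePoint records that actually carry a search query are in scope.
    if event.get("Workload") != "SharePoint":
        return None
    query = event.get("SearchQueryText")
    if not query:
        return None
    hits = classify_query(query)
    if not hits:
        return None
    return {
        "user": event.get("UserId"),
        "client_ip": event.get("ClientIP"),
        "query": query,
        "categories": hits,
        "access_method": access_method(event.get("UserAgent")),
    }


def scan(raw_events: List[str]) -> List[dict]:
    """Run evaluate_event over a batch of audit records and collect alerts."""
    return [a for a in (evaluate_event(r) for r in raw_events) if a is not None]


# Constructed sample audit records (not real tenant data).
SAMPLE_EVENTS: List[str] = [
    json.dumps({"Workload": "SharePoint", "UserId": "alice@example.com",
                "ClientIP": "203.0.113.10", "UserAgent": "Mozilla/5.0",
                "SearchQueryText": "q4 marketing roadmap"}),
    json.dumps({"Workload": "SharePoint", "UserId": "bob@example.com",
                "ClientIP": "198.51.100.7", "UserAgent": "PowerShell/7.4",
                "SearchQueryText": "payroll password reset ssn"}),
    json.dumps({"Workload": "SharePoint", "UserId": "dave@example.com",
                "ClientIP": "192.0.2.5", "UserAgent": "Mozilla/5.0",
                "SearchQueryText": "standard operating procedure"}),
    json.dumps({"Workload": "Exchange", "UserId": "carol@example.com",
                "SearchQueryText": "password"}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the second sample record alerts: the first has no sensitive terms, the third exercises the word-boundary check ("standard" contains "nda" but is not a match), and the fourth is filtered out because it is not a SharePoint record. In a real pipeline the keyword list would be tuned per tenant to keep noise down, and the access-method field is what lets an analyst prioritise PowerShell or API-driven searches over a person typing in a browser.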
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1619
  • T1213
  • T1213.002
  • T1530
Created: 2026-02-24