[Rule Tuning] M365 SharePoint/OneDrive File Access via PowerShell - Convert to new_terms (#5873)

Fixes #5872

rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml

@@ -2,7 +2,7 @@
 creation_date = "2026/02/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/23"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 
 query = '''
 event.dataset: "o365.audit" and
@@ -114,3 +114,25 @@ id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.id",
+    "user_agent.original",
+    "event.action",
+    "event.provider",
+    "source.ip",
+    "source.geo.country_name",
+    "o365.audit.ApplicationId",
+    "o365.audit.SiteUrl",
+    "file.name",
+    "file.directory",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "user_agent.original"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+