Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Box - Item shared to external entity

Back
Id3b803560-f8a6-4db4-89cb-617d89724ba1
RulenameBox - Item shared to external entity
DescriptionDetects when an item was shared to external entity.
SeverityMedium
TacticsExfiltration
TechniquesT1537
Required data connectorsBoxDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxItemSharedToExternalUser.yaml
Version1.0.0
Arm template3b803560-f8a6-4db4-89cb-617d89724ba1.json
Deploy To Azure
BoxEvents
| where EventType =~ 'COLLABORATION_INVITE'
| extend corp_domain = tolower(extract(@'@(.*)', 1, SrcUserUpn))
| extend accessibleby_domain = tolower(extract(@'@(.*)', 1, AccessibleByLogin))
| where corp_domain != accessibleby_domain
| extend AccountCustomEntity = SrcUserUpn
version: 1.0.0
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
  - BoxEvents_CL
  connectorId: BoxDataConnector
name: Box - Item shared to external entity
triggerOperator: gt
id: 3b803560-f8a6-4db4-89cb-617d89724ba1
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxItemSharedToExternalUser.yaml
description: |
    'Detects when an item was shared to external entity.'
queryPeriod: 1h
query: |
  BoxEvents
  | where EventType =~ 'COLLABORATION_INVITE'
  | extend corp_domain = tolower(extract(@'@(.*)', 1, SrcUserUpn))
  | extend accessibleby_domain = tolower(extract(@'@(.*)', 1, AccessibleByLogin))
  | where corp_domain != accessibleby_domain
  | extend AccountCustomEntity = SrcUserUpn  
relevantTechniques:
- T1537
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
triggerThreshold: 0
kind: Scheduled
tactics:
- Exfiltration
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3b803560-f8a6-4db4-89cb-617d89724ba1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3b803560-f8a6-4db4-89cb-617d89724ba1')]",
      "properties": {
        "alertRuleTemplateName": "3b803560-f8a6-4db4-89cb-617d89724ba1",
        "customDetails": null,
        "description": "'Detects when an item was shared to external entity.'\n",
        "displayName": "Box - Item shared to external entity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxItemSharedToExternalUser.yaml",
        "query": "BoxEvents\n| where EventType =~ 'COLLABORATION_INVITE'\n| extend corp_domain = tolower(extract(@'@(.*)', 1, SrcUserUpn))\n| extend accessibleby_domain = tolower(extract(@'@(.*)', 1, AccessibleByLogin))\n| where corp_domain != accessibleby_domain\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1537"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}