Office365 Sharepoint File transfer Folders above threshold

let threshold = 500;
OfficeActivity
| where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| summarize count_distinct_SourceRelativeUrl=dcount(SourceRelativeUrl), dirlist=make_set(SourceRelativeUrl, 10000) by UserId,ClientIP,UserAgent,bin(TimeGenerated, 15m)
| where count_distinct_SourceRelativeUrl >= threshold
| extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])

name: Office365 Sharepoint File transfer Folders above threshold
relevantTechniques:
- T1020
id: 8a547285-801c-4290-aa2e-5e7e20ca157d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml
requiredDataConnectors:
- dataTypes:
  - OfficeActivity (SharePoint)
  connectorId: Office365
version: 1.0.6
severity: Medium
triggerThreshold: 0
queryPeriod: 15m
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: UserId
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ClientIP
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: DirSample
  entityType: File
kind: Scheduled
incidentConfiguration:
  groupingConfiguration:
    groupByAlertDetails: []
    lookbackDuration: PT5H
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities:
    - Account
    matchingMethod: Selected
    enabled: true
  createIncident: true
queryFrequency: 15m
query: |
  let threshold = 500;
  OfficeActivity
  | where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
  | summarize count_distinct_SourceRelativeUrl=dcount(SourceRelativeUrl), dirlist=make_set(SourceRelativeUrl, 10000) by UserId,ClientIP,UserAgent,bin(TimeGenerated, 15m)
  | where count_distinct_SourceRelativeUrl >= threshold
  | extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist)))))
  | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])  
tactics:
- Exfiltration
customDetails:
  FilesList: dirlist
  TransferCount: count_distinct_SourceRelativeUrl
description: |
  'Identifies Office365 Sharepoint File Transfers with distinct folder count above certain threshold in a 15min time period.
   Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.'  
triggerOperator: gt