Office365 Sharepoint File transfer Folders above threshold

let threshold = 500;
OfficeActivity
| where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| summarize count_distinct_SourceRelativeUrl=dcount(SourceRelativeUrl), dirlist=make_set(SourceRelativeUrl, 10000) by UserId,ClientIP,UserAgent,bin(TimeGenerated, 15m)
| where count_distinct_SourceRelativeUrl >= threshold
| extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])

description: |
  'Identifies Office365 Sharepoint File Transfers with distinct folder count above certain threshold in a 15min time period.
   Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.'  
kind: Scheduled
tactics:
- Exfiltration
requiredDataConnectors:
- connectorId: Office365
  dataTypes:
  - OfficeActivity (SharePoint)
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    groupByEntities:
    - Account
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: Selected
    groupByCustomDetails: []
    groupByAlertDetails: []
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml
severity: Medium
name: Office365 Sharepoint File transfer Folders above threshold
customDetails:
  FilesList: dirlist
  TransferCount: count_distinct_SourceRelativeUrl
triggerThreshold: 0
queryPeriod: 15m
query: |
  let threshold = 500;
  OfficeActivity
  | where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
  | summarize count_distinct_SourceRelativeUrl=dcount(SourceRelativeUrl), dirlist=make_set(SourceRelativeUrl, 10000) by UserId,ClientIP,UserAgent,bin(TimeGenerated, 15m)
  | where count_distinct_SourceRelativeUrl >= threshold
  | extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist)))))
  | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])  
relevantTechniques:
- T1020
id: 8a547285-801c-4290-aa2e-5e7e20ca157d
queryFrequency: 15m
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserId
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIP
    identifier: Address
- entityType: File
  fieldMappings:
  - columnName: DirSample
    identifier: Name
triggerOperator: gt
version: 1.0.6