Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Office365 Sharepoint File transfer above threshold

Office365 Sharepoint File transfer above threshold

Back
Id8b4f03e7-3460-4401-824d-e65a8dd464f0
RulenameOffice365 Sharepoint File transfer above threshold
DescriptionIdentifies Office365 Sharepoint File Transfers above certain threshold in a 15min time period.

Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.
SeverityMedium
TacticsExfiltration
TechniquesT1020
Required data connectorsOffice365
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
Version1.0.6
Arm template8b4f03e7-3460-4401-824d-e65a8dd464f0.json
Deploy To Azure
let threshold = 5000;
OfficeActivity
| where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId, 10000) by UserId,ClientIP,bin(TimeGenerated, 15m)
| where count_distinct_OfficeObjectId >= threshold
| extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])

relevantTechniques:
- T1020
entityMappings:
- fieldMappings:
  - columnName: UserId
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: ClientIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: FileSample
    identifier: Name
  entityType: File
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    groupByEntities:
    - Account
    lookbackDuration: PT5H
    groupByAlertDetails: []
  createIncident: true
triggerThreshold: 0
description: |
  'Identifies Office365 Sharepoint File Transfers above certain threshold in a 15min time period.
   Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.'  
customDetails:
  FilesList: fileslist
  TransferCount: count_distinct_OfficeObjectId
requiredDataConnectors:
- connectorId: Office365
  dataTypes:
  - OfficeActivity (SharePoint)
triggerOperator: gt
version: 1.0.6
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
id: 8b4f03e7-3460-4401-824d-e65a8dd464f0
queryFrequency: 15m
query: |
  let threshold = 5000;
  OfficeActivity
  | where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
  | summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId, 10000) by UserId,ClientIP,bin(TimeGenerated, 15m)
  | where count_distinct_OfficeObjectId >= threshold
  | extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist)))))
  | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])  
severity: Medium
queryPeriod: 15m
name: Office365 Sharepoint File transfer above threshold
tactics:
- Exfiltration
kind: Scheduled