Office365 Sharepoint File transfer above threshold
| Id | 8b4f03e7-3460-4401-824d-e65a8dd464f0 |
| Rulename | Office365 Sharepoint File transfer above threshold |
| Description | Identifies Office365 Sharepoint File Transfers above certain threshold in a 15min time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur. |
| Severity | Medium |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | Office365 |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml |
| Version | 1.0.6 |
| Arm template | 8b4f03e7-3460-4401-824d-e65a8dd464f0.json |
let threshold = 5000;
OfficeActivity
| where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId, 10000) by UserId,ClientIP,bin(TimeGenerated, 15m)
| where count_distinct_OfficeObjectId >= threshold
| extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
queryPeriod: 15m
description: |
'Identifies Office365 Sharepoint File Transfers above certain threshold in a 15min time period.
Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.'
triggerThreshold: 0
name: Office365 Sharepoint File transfer above threshold
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileSample
kind: Scheduled
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (SharePoint)
customDetails:
TransferCount: count_distinct_OfficeObjectId
FilesList: fileslist
queryFrequency: 15m
tactics:
- Exfiltration
id: 8b4f03e7-3460-4401-824d-e65a8dd464f0
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: PT5H
matchingMethod: Selected
enabled: true
groupByCustomDetails: []
groupByEntities:
- Account
reopenClosedIncident: false
groupByAlertDetails: []
version: 1.0.6
query: |
let threshold = 5000;
OfficeActivity
| where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId, 10000) by UserId,ClientIP,bin(TimeGenerated, 15m)
| where count_distinct_OfficeObjectId >= threshold
| extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
severity: Medium
relevantTechniques:
- T1020