Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Office365 Sharepoint File transfer above threshold

Office365 Sharepoint File transfer above threshold

Back
Id8b4f03e7-3460-4401-824d-e65a8dd464f0
RulenameOffice365 Sharepoint File transfer above threshold
DescriptionIdentifies Office365 Sharepoint File Transfers above certain threshold in a 15min time period.

Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.
SeverityMedium
TacticsExfiltration
TechniquesT1020
Required data connectorsOffice365
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
Version1.0.6
Arm template8b4f03e7-3460-4401-824d-e65a8dd464f0.json
Deploy To Azure
let threshold = 5000;
OfficeActivity
| where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId, 10000) by UserId,ClientIP,bin(TimeGenerated, 15m)
| where count_distinct_OfficeObjectId >= threshold
| extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])

queryPeriod: 15m
relevantTechniques:
- T1020
version: 1.0.6
query: |
  let threshold = 5000;
  OfficeActivity
  | where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
  | summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId, 10000) by UserId,ClientIP,bin(TimeGenerated, 15m)
  | where count_distinct_OfficeObjectId >= threshold
  | extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist)))))
  | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])  
tactics:
- Exfiltration
queryFrequency: 15m
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml
id: 8b4f03e7-3460-4401-824d-e65a8dd464f0
incidentConfiguration:
  groupingConfiguration:
    groupByAlertDetails: []
    enabled: true
    lookbackDuration: PT5H
    groupByEntities:
    - Account
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByCustomDetails: []
  createIncident: true
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserId
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileSample
triggerThreshold: 0
customDetails:
  TransferCount: count_distinct_OfficeObjectId
  FilesList: fileslist
kind: Scheduled
name: Office365 Sharepoint File transfer above threshold
severity: Medium
requiredDataConnectors:
- dataTypes:
  - OfficeActivity (SharePoint)
  connectorId: Office365
description: |
  'Identifies Office365 Sharepoint File Transfers above certain threshold in a 15min time period.
   Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.'