// Set threshold for number of downloaded files
let detection_threshold = 10000;
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
on $left.SharePointUrl == $right.Site_Url
| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
| where FileDownloadCount > detection_threshold
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
UserId,
ClientIP,
FileDownloadCount,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix
queryPeriod: 14d
query: |
// Set threshold for number of downloaded files
let detection_threshold = 10000;
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
on $left.SharePointUrl == $right.Site_Url
| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
| where FileDownloadCount > detection_threshold
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
UserId,
ClientIP,
FileDownloadCount,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix
version: 3.2.0
name: Dataverse - Mass download from SharePoint document management
entityMappings:
- fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: ClientIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
entityType: CloudApplication
- fieldMappings:
- columnName: SharePointId
identifier: AppId
- columnName: SharePointUrl
identifier: InstanceName
entityType: CloudApplication
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Mass download detected from document management in {{{InstanceUrl}} '
alertDescriptionFormat: '{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}} by {{{UserId}}.'
description: Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.
kind: Scheduled
status: Available
severity: Low
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (SharePoint)
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
id: 95e02f1b-5886-4043-8f0e-a42e6e23330f
relevantTechniques:
- T1567
