// Set threshold for number of downloaded files
let detection_threshold = 10000;
let query_frequency = 1h;
// DataverseSharePointSites lists the SharePoint sites configured for Dynamics 365
// document management; the inner join keeps only FileDownloaded events for those
// sites within the last query_frequency window.
// NOTE(review): '==' in the join is case-sensitive, so a casing or trailing-slash
// mismatch between SharePointUrl and Site_Url silently drops that site from the
// detection — confirm both sides use the same URL format.
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
on $left.SharePointUrl == $right.Site_Url
// Counts are per user, site and source IP, so one user's downloads spread across
// several client IPs are counted separately and may each stay below the threshold.
| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
| where FileDownloadCount > detection_threshold
// CloudAppId / SharePointId are constant app identifiers consumed by the rule's
// CloudApplication entity mappings (AppId); AccountName / UPNSuffix split the UPN
// for the Account entity mapping.
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
UserId,
ClientIP,
FileDownloadCount,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix
kind: Scheduled
status: Available
triggerOperator: gt
version: 3.2.0
tactics:
- Exfiltration
queryPeriod: 14d
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Mass download detected from document management in {{InstanceUrl}} '
alertDescriptionFormat: '{{FileDownloadCount}} files were downloaded from {{SharePointUrl}} by {{UserId}}.'
queryFrequency: 1h
id: 95e02f1b-5886-4043-8f0e-a42e6e23330f
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (SharePoint)
eventGroupingSettings:
aggregationKind: SingleAlert
relevantTechniques:
- T1567
description: Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: IP
fieldMappings:
- columnName: ClientIP
identifier: Address
- entityType: CloudApplication
fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
- entityType: CloudApplication
fieldMappings:
- columnName: SharePointId
identifier: AppId
- columnName: SharePointUrl
identifier: InstanceName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml
triggerThreshold: 0
name: Dataverse - Mass download from SharePoint document management
severity: Low
query: |
// Set threshold for number of downloaded files
let detection_threshold = 10000;
let query_frequency = 1h;
// DataverseSharePointSites lists the SharePoint sites configured for Dynamics 365
// document management; the inner join keeps only FileDownloaded events for those
// sites within the last query_frequency window.
// NOTE(review): '==' in the join is case-sensitive, so a casing or trailing-slash
// mismatch between SharePointUrl and Site_Url silently drops that site from the
// detection — confirm both sides use the same URL format.
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
on $left.SharePointUrl == $right.Site_Url
// Counts are per user, site and source IP, so one user's downloads spread across
// several client IPs are counted separately and may each stay below the threshold.
| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
| where FileDownloadCount > detection_threshold
// CloudAppId / SharePointId are constant app identifiers consumed by the rule's
// CloudApplication entity mappings (AppId); AccountName / UPNSuffix split the UPN
// for the Account entity mapping.
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
UserId,
ClientIP,
FileDownloadCount,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix