// Set threshold for number of downloaded files
let detection_threshold = 10000;
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
on $left.SharePointUrl == $right.Site_Url
| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
| where FileDownloadCount > detection_threshold
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
UserId,
ClientIP,
FileDownloadCount,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml
queryPeriod: 14d
description: Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.
triggerThreshold: 0
name: Dataverse - Mass download from SharePoint document management
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: SharePointId
- identifier: InstanceName
columnName: SharePointUrl
kind: Scheduled
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (SharePoint)
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 1h
tactics:
- Exfiltration
id: 95e02f1b-5886-4043-8f0e-a42e6e23330f
status: Available
version: 3.2.0
query: |
// Set threshold for number of downloaded files
let detection_threshold = 10000;
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
on $left.SharePointUrl == $right.Site_Url
| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
| where FileDownloadCount > detection_threshold
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
UserId,
ClientIP,
FileDownloadCount,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix
alertDetailsOverride:
alertDescriptionFormat: '{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}} by {{{UserId}}.'
alertDisplayNameFormat: 'Dataverse - Mass download detected from document management in {{{InstanceUrl}} '
severity: Low
relevantTechniques:
- T1567
