Accessed files shared by temporary external user
| Id | bff058b2-500e-4ae5-bb49-a5b1423cbd5b |
| Rulename | Accessed files shared by temporary external user |
| Description | This detection identifies an external user is added to a Team or Teams chat and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity. |
| Severity | Low |
| Tactics | InitialAccess |
| Techniques | T1566 |
| Required data connectors | Office365 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml |
| Version | 2.0.0 |
| Arm template | bff058b2-500e-4ae5-bb49-a5b1423cbd5b.json |
let fileAccessThrehold = 10;
OfficeActivity
| where OfficeWorkload =~ "MicrosoftTeams"
| where Operation =~ "MemberAdded"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| where UPN contains ("#EXT#")
| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
| join kind = inner(
OfficeActivity
| where OfficeWorkload =~ "MicrosoftTeams"
| where Operation =~ "MemberRemoved"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| where UPN contains ("#EXT#")
| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
) on UPN
| where TimeDeleted > TimeAdded
| join kind=inner
(
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| where Operation == "FileUploaded"
| join kind = inner
(
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation == "FileAccessed"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| summarize FileAccessCount = count() by OfficeObjectId
| where FileAccessCount > fileAccessThrehold
) on $left.OfficeObjectId == $right.OfficeObjectId
)on $left.UPN == $right.UserId
| extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded
severity: Low
queryFrequency: 1h
relevantTechniques:
- T1566
tactics:
- InitialAccess
kind: Scheduled
query: |
let fileAccessThrehold = 10;
OfficeActivity
| where OfficeWorkload =~ "MicrosoftTeams"
| where Operation =~ "MemberAdded"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| where UPN contains ("#EXT#")
| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
| join kind = inner(
OfficeActivity
| where OfficeWorkload =~ "MicrosoftTeams"
| where Operation =~ "MemberRemoved"
| extend UPN = tostring(parse_json(Members)[0].UPN)
| where UPN contains ("#EXT#")
| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
) on UPN
| where TimeDeleted > TimeAdded
| join kind=inner
(
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| where Operation == "FileUploaded"
| join kind = inner
(
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation == "FileAccessed"
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| summarize FileAccessCount = count() by OfficeObjectId
| where FileAccessCount > fileAccessThrehold
) on $left.OfficeObjectId == $right.OfficeObjectId
)on $left.UPN == $right.UserId
| extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
queryPeriod: 1h
status: Available
version: 2.0.0
name: Accessed files shared by temporary external user
requiredDataConnectors:
- dataTypes:
- OfficeActivity (Teams)
connectorId: Office365
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b
description: |
'This detection identifies an external user is added to a Team or Teams chat
and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
an indicator of suspicious activity.'
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bff058b2-500e-4ae5-bb49-a5b1423cbd5b')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bff058b2-500e-4ae5-bb49-a5b1423cbd5b')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Accessed files shared by temporary external user",
"description": "'This detection identifies an external user is added to a Team or Teams chat\nand shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be\nan indicator of suspicious activity.'\n",
"severity": "Low",
"enabled": true,
"query": "let fileAccessThrehold = 10;\nOfficeActivity\n | where OfficeWorkload =~ \"MicrosoftTeams\"\n | where Operation =~ \"MemberAdded\"\n | extend UPN = tostring(parse_json(Members)[0].UPN)\n | where UPN contains (\"#EXT#\")\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n | join kind = inner(\n OfficeActivity\n | where OfficeWorkload =~ \"MicrosoftTeams\"\n | where Operation =~ \"MemberRemoved\"\n | extend UPN = tostring(parse_json(Members)[0].UPN)\n | where UPN contains (\"#EXT#\")\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\n ) on UPN\n | where TimeDeleted > TimeAdded\n | join kind=inner \n (\n OfficeActivity\n | where RecordType == \"SharePointFileOperation\"\n | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n | where Operation == \"FileUploaded\"\n | join kind = inner \n (\n OfficeActivity\n | where RecordType == \"SharePointFileOperation\"\n | where Operation == \"FileAccessed\"\n | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n | summarize FileAccessCount = count() by OfficeObjectId\n | where FileAccessCount > fileAccessThrehold\n ) on $left.OfficeObjectId == $right.OfficeObjectId\n )on $left.UPN == $right.UserId\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded \n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1566"
],
"alertRuleTemplateName": "bff058b2-500e-4ae5-bb49-a5b1423cbd5b",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
}
],
"templateVersion": "2.0.0",
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml"
}
}
]
}