Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Accessed files shared by temporary external user

Back
Idbff058b2-500e-4ae5-bb49-a5b1423cbd5b
RulenameAccessed files shared by temporary external user
DescriptionThis detection identifies an external user is added to a Team or Teams chat

and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be

an indicator of suspicious activity.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsOffice365
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
Version2.0.0
Arm templatebff058b2-500e-4ae5-bb49-a5b1423cbd5b.json
Deploy To Azure
let fileAccessThrehold = 10;
OfficeActivity
 | where OfficeWorkload =~ "MicrosoftTeams"
 | where Operation =~ "MemberAdded"
 | extend UPN = tostring(parse_json(Members)[0].UPN)
 | where UPN contains ("#EXT#")
 | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
 | join kind = inner(
                       OfficeActivity
                       | where OfficeWorkload =~ "MicrosoftTeams"
                       | where Operation =~ "MemberRemoved"
                       | extend UPN = tostring(parse_json(Members)[0].UPN)
                       | where UPN contains ("#EXT#")
                       | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
                     ) on UPN
 | where TimeDeleted > TimeAdded
 | join kind=inner 
                   (
                   OfficeActivity
                   | where RecordType == "SharePointFileOperation"
                   | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                   | where Operation == "FileUploaded"
                   | join kind = inner 
                                       (
                                       OfficeActivity
                                       | where RecordType == "SharePointFileOperation"
                                       | where Operation  == "FileAccessed"
                                       | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                                       | summarize FileAccessCount = count() by OfficeObjectId
                                       | where FileAccessCount > fileAccessThrehold
                                       ) on $left.OfficeObjectId == $right.OfficeObjectId
                   )on $left.UPN == $right.UserId
 | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded 
severity: Low
queryFrequency: 1h
relevantTechniques:
- T1566
tactics:
- InitialAccess
kind: Scheduled
query: |
  let fileAccessThrehold = 10;
  OfficeActivity
   | where OfficeWorkload =~ "MicrosoftTeams"
   | where Operation =~ "MemberAdded"
   | extend UPN = tostring(parse_json(Members)[0].UPN)
   | where UPN contains ("#EXT#")
   | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
   | join kind = inner(
                         OfficeActivity
                         | where OfficeWorkload =~ "MicrosoftTeams"
                         | where Operation =~ "MemberRemoved"
                         | extend UPN = tostring(parse_json(Members)[0].UPN)
                         | where UPN contains ("#EXT#")
                         | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
                       ) on UPN
   | where TimeDeleted > TimeAdded
   | join kind=inner 
                     (
                     OfficeActivity
                     | where RecordType == "SharePointFileOperation"
                     | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                     | where Operation == "FileUploaded"
                     | join kind = inner 
                                         (
                                         OfficeActivity
                                         | where RecordType == "SharePointFileOperation"
                                         | where Operation  == "FileAccessed"
                                         | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                                         | summarize FileAccessCount = count() by OfficeObjectId
                                         | where FileAccessCount > fileAccessThrehold
                                         ) on $left.OfficeObjectId == $right.OfficeObjectId
                     )on $left.UPN == $right.UserId
   | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded   
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
queryPeriod: 1h
status: Available
version: 2.0.0
name: Accessed files shared by temporary external user
requiredDataConnectors:
- dataTypes:
  - OfficeActivity (Teams)
  connectorId: Office365
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b
description: |
  'This detection identifies an external user is added to a Team or Teams chat
  and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
  an indicator of suspicious activity.'  
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bff058b2-500e-4ae5-bb49-a5b1423cbd5b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bff058b2-500e-4ae5-bb49-a5b1423cbd5b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Accessed files shared by temporary external user",
        "description": "'This detection identifies an external user is added to a Team or Teams chat\nand shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be\nan indicator of suspicious activity.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let fileAccessThrehold = 10;\nOfficeActivity\n | where OfficeWorkload =~ \"MicrosoftTeams\"\n | where Operation =~ \"MemberAdded\"\n | extend UPN = tostring(parse_json(Members)[0].UPN)\n | where UPN contains (\"#EXT#\")\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n | join kind = inner(\n                       OfficeActivity\n                       | where OfficeWorkload =~ \"MicrosoftTeams\"\n                       | where Operation =~ \"MemberRemoved\"\n                       | extend UPN = tostring(parse_json(Members)[0].UPN)\n                       | where UPN contains (\"#EXT#\")\n                       | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\n                     ) on UPN\n | where TimeDeleted > TimeAdded\n | join kind=inner \n                   (\n                   OfficeActivity\n                   | where RecordType == \"SharePointFileOperation\"\n                   | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n                   | where Operation == \"FileUploaded\"\n                   | join kind = inner \n                                       (\n                                       OfficeActivity\n                                       | where RecordType == \"SharePointFileOperation\"\n                                       | where Operation  == \"FileAccessed\"\n                                       | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n                                       | summarize FileAccessCount = count() by OfficeObjectId\n                                       | where FileAccessCount > fileAccessThrehold\n                                       ) on $left.OfficeObjectId == $right.OfficeObjectId\n                   )on $left.UPN == $right.UserId\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "bff058b2-500e-4ae5-bb49-a5b1423cbd5b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "2.0.0",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml"
      }
    }
  ]
}