Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Accessed files shared by temporary external user

Back
Idbff058b2-500e-4ae5-bb49-a5b1423cbd5b
RulenameAccessed files shared by temporary external user
DescriptionThis detection identifies an external user is added to a Team or Teams chat

and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be

an indicator of suspicious activity.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsOffice365
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
Version2.0.0
Arm templatebff058b2-500e-4ae5-bb49-a5b1423cbd5b.json
Deploy To Azure
let fileAccessThrehold = 10;
OfficeActivity
 | where OfficeWorkload =~ "MicrosoftTeams"
 | where Operation =~ "MemberAdded"
 | extend UPN = tostring(parse_json(Members)[0].UPN)
 | where UPN contains ("#EXT#")
 | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
 | join kind = inner(
                       OfficeActivity
                       | where OfficeWorkload =~ "MicrosoftTeams"
                       | where Operation =~ "MemberRemoved"
                       | extend UPN = tostring(parse_json(Members)[0].UPN)
                       | where UPN contains ("#EXT#")
                       | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
                     ) on UPN
 | where TimeDeleted > TimeAdded
 | join kind=inner 
                   (
                   OfficeActivity
                   | where RecordType == "SharePointFileOperation"
                   | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                   | where Operation == "FileUploaded"
                   | join kind = inner 
                                       (
                                       OfficeActivity
                                       | where RecordType == "SharePointFileOperation"
                                       | where Operation  == "FileAccessed"
                                       | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                                       | summarize FileAccessCount = count() by OfficeObjectId
                                       | where FileAccessCount > fileAccessThrehold
                                       ) on $left.OfficeObjectId == $right.OfficeObjectId
                   )on $left.UPN == $right.UserId
 | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded 
name: Accessed files shared by temporary external user
query: |
  let fileAccessThrehold = 10;
  OfficeActivity
   | where OfficeWorkload =~ "MicrosoftTeams"
   | where Operation =~ "MemberAdded"
   | extend UPN = tostring(parse_json(Members)[0].UPN)
   | where UPN contains ("#EXT#")
   | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
   | join kind = inner(
                         OfficeActivity
                         | where OfficeWorkload =~ "MicrosoftTeams"
                         | where Operation =~ "MemberRemoved"
                         | extend UPN = tostring(parse_json(Members)[0].UPN)
                         | where UPN contains ("#EXT#")
                         | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
                       ) on UPN
   | where TimeDeleted > TimeAdded
   | join kind=inner 
                     (
                     OfficeActivity
                     | where RecordType == "SharePointFileOperation"
                     | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                     | where Operation == "FileUploaded"
                     | join kind = inner 
                                         (
                                         OfficeActivity
                                         | where RecordType == "SharePointFileOperation"
                                         | where Operation  == "FileAccessed"
                                         | where SourceRelativeUrl has "Microsoft Teams Chat Files"
                                         | summarize FileAccessCount = count() by OfficeObjectId
                                         | where FileAccessCount > fileAccessThrehold
                                         ) on $left.OfficeObjectId == $right.OfficeObjectId
                     )on $left.UPN == $right.UserId
   | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded   
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - OfficeActivity (Teams)
  connectorId: Office365
version: 2.0.0
status: Available
queryPeriod: 1h
id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1566
severity: Low
description: |
  'This detection identifies an external user is added to a Team or Teams chat
  and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
  an indicator of suspicious activity.'  
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bff058b2-500e-4ae5-bb49-a5b1423cbd5b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bff058b2-500e-4ae5-bb49-a5b1423cbd5b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Accessed files shared by temporary external user",
        "description": "'This detection identifies an external user is added to a Team or Teams chat\nand shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be\nan indicator of suspicious activity.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let fileAccessThrehold = 10;\nOfficeActivity\n | where OfficeWorkload =~ \"MicrosoftTeams\"\n | where Operation =~ \"MemberAdded\"\n | extend UPN = tostring(parse_json(Members)[0].UPN)\n | where UPN contains (\"#EXT#\")\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n | join kind = inner(\n                       OfficeActivity\n                       | where OfficeWorkload =~ \"MicrosoftTeams\"\n                       | where Operation =~ \"MemberRemoved\"\n                       | extend UPN = tostring(parse_json(Members)[0].UPN)\n                       | where UPN contains (\"#EXT#\")\n                       | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\n                     ) on UPN\n | where TimeDeleted > TimeAdded\n | join kind=inner \n                   (\n                   OfficeActivity\n                   | where RecordType == \"SharePointFileOperation\"\n                   | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n                   | where Operation == \"FileUploaded\"\n                   | join kind = inner \n                                       (\n                                       OfficeActivity\n                                       | where RecordType == \"SharePointFileOperation\"\n                                       | where Operation  == \"FileAccessed\"\n                                       | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n                                       | summarize FileAccessCount = count() by OfficeObjectId\n                                       | where FileAccessCount > fileAccessThrehold\n                                       ) on $left.OfficeObjectId == $right.OfficeObjectId\n                   )on $left.UPN == $right.UserId\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded \n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "bff058b2-500e-4ae5-bb49-a5b1423cbd5b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "2.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml"
      }
    }
  ]
}