T1213

Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion. Targets include SharePoint, Confluence, code repositories, CRM systems, databases, and messaging platforms such as Slack and Microsoft Teams. Adversaries may harvest credentials, network diagrams, system architecture documentation, PII, or source code from these repositories. Cloud-native services (AWS RDS, ElasticSearch, Redis) may also be improperly secured, enabling unauthenticated access to sensitive data stores.

Microsoft Sentinel / Defender

kusto

// Detect bulk document access / data mining from SharePoint, OneDrive, and Microsoft Teams
let BulkAccessThreshold = 50;
let SensitiveKeywords = dynamic(["password", "credential", "secret", "vpn", "firewall", "network diagram",
  "architecture", "api key", "token", "private key", "ssn", "social security",
  "salary", "payroll", "customer data", "pii", "database", "connection string"]);
let TimeWindow = 1h;
// Branch 1: Bulk file access / download from SharePoint or OneDrive
let BulkAccess =
  OfficeActivity
  | where TimeGenerated > ago(24h)
  | where Workload in ("SharePoint", "OneDrive")
  | where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FilePreviewed", "FileSyncUploadedFull")
  | summarize
      OperationCount = count(),
      UniqueFiles = dcount(OfficeObjectId),
      UniqueExtensions = dcount(tostring(split(OfficeObjectId, ".")[-1])),
      Operations = make_set(Operation, 10),
      SourceIPs = make_set(ClientIP, 10),
      SiteUrls = make_set(Site_Url, 10),
      EarliestAccess = min(TimeGenerated),
      LatestAccess = max(TimeGenerated)
      by UserId, bin(TimeGenerated, TimeWindow)
  | where OperationCount >= BulkAccessThreshold
  | extend AccessDurationMinutes = datetime_diff('minute', LatestAccess, EarliestAccess)
  | extend FilesPerMinute = iff(AccessDurationMinutes > 0, toreal(UniqueFiles) / toreal(AccessDurationMinutes), toreal(UniqueFiles))
  | extend DetectionType = "BulkFileAccess"
  | project TimeGenerated, UserId, DetectionType, OperationCount, UniqueFiles, FilesPerMinute, Operations, SourceIPs, SiteUrls;
// Branch 2: Sensitive keyword searches in SharePoint
let SensitiveSearch =
  OfficeActivity
  | where TimeGenerated > ago(24h)
  | where Workload == "SharePoint"
  | where Operation == "SearchQueryPerformed"
  | where tolower(tostring(SearchQuery)) has_any (SensitiveKeywords)
  | summarize
      SearchCount = count(),
      UniqueQueries = dcount(SearchQuery),
      QuerySamples = make_set(SearchQuery, 5),
      SourceIPs = make_set(ClientIP, 5)
      by UserId, bin(TimeGenerated, TimeWindow)
  | extend DetectionType = "SensitiveKeywordSearch"
  | extend OperationCount = SearchCount
  | project TimeGenerated, UserId, DetectionType, OperationCount, UniqueQueries, QuerySamples, SourceIPs;
// Branch 3: External sharing of documents from SharePoint/OneDrive
let ExternalSharing =
  OfficeActivity
  | where TimeGenerated > ago(24h)
  | where Workload in ("SharePoint", "OneDrive")
  | where Operation in ("SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated", "AddedToSecureLink")
  | extend IsExternalShare = ExternalAccess == true or Operation == "AnonymousLinkCreated"
  | where IsExternalShare == true
  | summarize
      ShareCount = count(),
      UniqueFiles = dcount(OfficeObjectId),
      TargetAccounts = make_set(TargetUserOrGroupName, 10),
      SiteUrls = make_set(Site_Url, 5)
      by UserId, bin(TimeGenerated, TimeWindow)
  | where ShareCount >= 5
  | extend DetectionType = "BulkExternalSharing"
  | extend OperationCount = ShareCount
  | project TimeGenerated, UserId, DetectionType, OperationCount, UniqueFiles, TargetAccounts, SiteUrls;
// Union all branches
BulkAccess
| union SensitiveSearch
| union ExternalSharing
| sort by OperationCount desc

high severity medium confidence

Data Sources

Application Log: Application Log Content Cloud Service: Cloud Service Enumeration Microsoft 365 Unified Audit Log SharePoint Audit Logs OneDrive Audit Logs

Required Tables

OfficeActivity

False Positives

Migration projects — IT teams or contractors using tools like ShareGate or AvePoint to migrate SharePoint content generate extremely high file access counts
Backup and archival solutions — tools like Veeam, AvePoint Backup, or native SharePoint backup solutions download all files regularly
Legitimate enterprise search indexing — search crawlers or content indexing services authorized by IT generate bulk FileAccessed events
Legal eDiscovery — compliance officers performing court-ordered or internal investigation eDiscovery searches may access large volumes of documents and use sensitive keywords
Data loss prevention (DLP) scanning tools — DLP platforms that scan SharePoint for sensitive content will trigger both bulk access and sensitive keyword detections

Splunk

spl

| tstats count as OperationCount, dc(Office365.ObjectId) as UniqueFiles, values(Office365.Operation) as Operations, values(Office365.ClientIP) as SourceIPs
  from datamodel=Office365 where (Office365.Workload="SharePoint" OR Office365.Workload="OneDrive")
  AND (Office365.Operation="FileDownloaded" OR Office365.Operation="FileSyncDownloadedFull" OR Office365.Operation="FileAccessed" OR Office365.Operation="FilePreviewed")
  by Office365.UserId _time span=1h
| rename Office365.UserId as UserId
| where OperationCount >= 50
| eval RiskLevel=case(OperationCount >= 500, "Critical", OperationCount >= 200, "High", OperationCount >= 50, "Medium", true(), "Low")
| eval DetectionBranch="BulkFileAccess"
| table _time, UserId, OperationCount, UniqueFiles, Operations, SourceIPs, RiskLevel, DetectionBranch

`comment("--- Branch 2: Sensitive keyword searches ---")`

| search index=o365 sourcetype="o365:management:activity"
    (Workload="SharePoint" OR Workload="OneDrive")
    Operation="SearchQueryPerformed"
    (SearchQuery="*password*" OR SearchQuery="*credential*" OR SearchQuery="*vpn*"
     OR SearchQuery="*api key*" OR SearchQuery="*secret*" OR SearchQuery="*private key*"
     OR SearchQuery="*connection string*" OR SearchQuery="*network diagram*"
     OR SearchQuery="*architecture*" OR SearchQuery="*payroll*" OR SearchQuery="*salary*")
| stats count as SearchCount, dc(SearchQuery) as UniqueQueries, values(SearchQuery) as QuerySamples, values(ClientIP) as SourceIPs by UserId
| where SearchCount >= 3
| eval RiskLevel="High", DetectionBranch="SensitiveKeywordSearch"
| table UserId, SearchCount, UniqueQueries, QuerySamples, SourceIPs, RiskLevel, DetectionBranch

`comment("Note: Combine both result sets in production using append or union. Branch 2 uses raw search due to SearchQuery field not being in default O365 datamodel.")`

high severity medium confidence

Data Sources

Application Log: Application Log Content Cloud Service: Cloud Service Enumeration Microsoft 365 Unified Audit Log Splunk O365 Data Model

Required Sourcetypes

o365:management:activity

False Positives

Migration projects using ShareGate, AvePoint, or similar tools that perform bulk file reads during tenant-to-tenant migrations
Backup and archival solutions that index or download SharePoint content on a schedule
eDiscovery tools performing legal hold searches that match sensitive keywords across document libraries
Security compliance scanners (Varonis, Nightfall, Purview) that crawl SharePoint searching for sensitive data patterns
IT administrators using SharePoint REST API or PnP PowerShell for legitimate content management tasks

IBM QRadar (AQL)

sql

-- Branch 1: Bulk file access from SharePoint/OneDrive
SELECT
  USERNAME AS UserId,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') AS EventWindow,
  COUNT(*) AS OperationCount,
  COUNT(DISTINCT "URL") AS UniqueFiles,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS CategoryName,
  LOGSOURCENAME(logsourceid) AS LogSource,
  ARRAY_AGG(DISTINCT sourceip) AS SourceIPs,
  CASE
    WHEN COUNT(*) >= 500 THEN 'Critical'
    WHEN COUNT(*) >= 200 THEN 'High'
    WHEN COUNT(*) >= 50 THEN 'Medium'
    ELSE 'Low'
  END AS RiskLevel
FROM events
WHERE
  LOGSOURCETYPEID = 397
  AND LOWER("Application") IN ('sharepoint', 'onedrive')
  AND LOWER("Operation") IN ('filedownloaded', 'filesyncdownloadedfull', 'fileaccessed', 'filepreviewed', 'filesyncuploadedfull')
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
GROUP BY
  USERNAME,
  TRUNCATE(starttime, 3600000)
HAVING COUNT(*) >= 50
ORDER BY OperationCount DESC

-- Branch 2: Sensitive keyword searches (run as separate query)
-- SELECT USERNAME, COUNT(*) AS SearchCount, ARRAY_AGG(DISTINCT "SearchQuery") AS Queries, ARRAY_AGG(DISTINCT sourceip) AS SourceIPs
-- FROM events
-- WHERE LOGSOURCETYPEID = 397 AND LOWER("Application") = 'sharepoint' AND LOWER("Operation") = 'searchqueryperformed'
-- AND (LOWER("SearchQuery") LIKE '%password%' OR LOWER("SearchQuery") LIKE '%credential%' OR LOWER("SearchQuery") LIKE '%vpn%'
--   OR LOWER("SearchQuery") LIKE '%api key%' OR LOWER("SearchQuery") LIKE '%secret%' OR LOWER("SearchQuery") LIKE '%private key%'
--   OR LOWER("SearchQuery") LIKE '%connection string%' OR LOWER("SearchQuery") LIKE '%network diagram%'
--   OR LOWER("SearchQuery") LIKE '%architecture%' OR LOWER("SearchQuery") LIKE '%payroll%' OR LOWER("SearchQuery") LIKE '%salary%')
-- AND starttime > (CURRENT_TIMESTAMP - 86400000)
-- GROUP BY USERNAME HAVING COUNT(*) >= 3

high severity medium confidence

Data Sources

IBM QRadar with Microsoft Office 365 DSM Office 365 Management Activity API log source

Required Tables

events

False Positives

Bulk content migration projects where administrators or migration tools download large volumes of files from SharePoint during tenant consolidations or M&A activities
End-user sync clients on new devices performing initial full library synchronization, generating hundreds of FileAccessed or FileSyncDownloadedFull events in a short window
Compliance or legal discovery tools performing keyword-based searches across SharePoint for eDiscovery requests, generating sensitive keyword search events

Sumo Logic CSE

sql

// Branch 1: Bulk file access from SharePoint/OneDrive
_sourceCategory=office365 OR _sourceCategory=o365
| json field=_raw "Workload" as Workload
| json field=_raw "Operation" as Operation
| json field=_raw "UserId" as UserId
| json field=_raw "ObjectId" as ObjectId nodrop
| json field=_raw "ClientIP" as ClientIP nodrop
| json field=_raw "SiteUrl" as SiteUrl nodrop
| where Workload in ("SharePoint", "OneDrive")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FilePreviewed", "FileSyncUploadedFull")
| timeslice 1h
| count as OperationCount, dcount(ObjectId) as UniqueFiles, values(ClientIP) as SourceIPs, values(SiteUrl) as SiteUrls by UserId, _timeslice
| where OperationCount >= 50
| if (OperationCount >= 500, "Critical", if(OperationCount >= 200, "High", if(OperationCount >= 50, "Medium", "Low"))) as RiskLevel
| fields _timeslice, UserId, OperationCount, UniqueFiles, SourceIPs, SiteUrls, RiskLevel
| sort by OperationCount desc

// Branch 2: Sensitive keyword searches — run as separate query:
// _sourceCategory=office365
// | json field=_raw "Workload" as Workload
// | json field=_raw "Operation" as Operation
// | json field=_raw "UserId" as UserId
// | json field=_raw "SearchQuery" as SearchQuery nodrop
// | json field=_raw "ClientIP" as ClientIP nodrop
// | where Workload = "SharePoint" and Operation = "SearchQueryPerformed"
// | where matches(toLowerCase(SearchQuery), ".*(?:password|credential|secret|vpn|api.key|private.key|connection.string|network.diagram|architecture|payroll|salary).*")
// | count as SearchCount, dcount(SearchQuery) as UniqueQueries, values(SearchQuery) as QuerySamples, values(ClientIP) as SourceIPs by UserId
// | where SearchCount >= 3
// | fields UserId, SearchCount, UniqueQueries, QuerySamples, SourceIPs

high severity medium confidence

Data Sources

Sumo Logic Office 365 Audit Log Source Microsoft 365 Management Activity API

Required Tables

_sourceCategory=office365

False Positives

Power users or department heads performing legitimate bulk downloads of team documents during offboarding, project handovers, or archiving initiatives
SharePoint Online migrations using tools like ShareGate or Metalogix that generate high volumes of FileAccessed and FileDownloaded events during content moves
Security awareness training platforms or red team exercises that perform controlled sensitive keyword searches as part of authorized phishing simulation or data handling tests

Google Chronicle / SecOps

yaral

rule t1213_data_from_information_repositories {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk file access/download from SharePoint or OneDrive exceeding 50 operations per hour, sensitive keyword searches, and bulk external sharing — indicators of adversarial data mining from information repositories (T1213)"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1213"
    mitre_attack_subtechnique = "T1213.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2024-01-01"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = /(?i)sharepoint|onedrive|office 365/
    $e.target.application = /(?i)sharepoint|onedrive/
    $e.metadata.product_event_type = /(?i)FileDownloaded|FileSyncDownloadedFull|FileAccessed|FilePreviewed|FileSyncUploadedFull/
    $e.principal.user.userid = $user
    $e.metadata.event_timestamp.seconds > 0

  match:
    $user over 1h

  outcome:
    $operation_count = count_distinct($e.metadata.product_event_type)
    $unique_files = count_distinct($e.target.url)
    $source_ips = array_distinct($e.principal.ip)
    $risk_level = if($operation_count >= 500, "Critical",
                   if($operation_count >= 200, "High",
                   if($operation_count >= 50, "Medium", "Low")))

  condition:
    #e >= 50
}

// Companion rule for sensitive keyword searches:
// rule t1213_sensitive_keyword_search {
//   meta:
//     description = "Detects sensitive keyword searches in SharePoint indicative of credential or architecture harvesting"
//     mitre_attack_technique = "T1213"
//   events:
//     $e.metadata.event_type = "USER_RESOURCE_ACCESS"
//     $e.metadata.product_name = /(?i)sharepoint/
//     $e.metadata.product_event_type = "SearchQueryPerformed"
//     $e.target.resource.name = /(?i)password|credential|secret|vpn|api.key|private.key|connection.string|network.diagram|architecture|payroll|salary/
//     $e.principal.user.userid = $user
//   match:
//     $user over 1h
//   condition:
//     #e >= 3
// }

high severity medium confidence

Data Sources

Google Chronicle with Microsoft Office 365 log ingestion Chronicle UDM normalization for O365 Management Activity

Required Tables

USER_RESOURCE_ACCESS UDM events

False Positives

Automated ETL or reporting pipelines that programmatically access large sets of SharePoint documents on a scheduled basis for business intelligence reporting
Onboarding workflows where new employees or contractors perform initial bulk synchronization of shared document libraries to local devices
Third-party document management integrations (DocuSign, Adobe Sign, Salesforce) that access SharePoint files in bulk during contract processing or CRM synchronization workflows

CrowdStrike LogScale (CQL)

cql

// Branch 1: Bulk SharePoint/OneDrive file access via Office 365 activity events
// CrowdStrike ingests O365 audit logs via the Falcon Data Replicator or third-party connector
#event_simpleName=O365AuditEvent
| Workload = /SharePoint|OneDrive/i
| Operation = /FileDownloaded|FileSyncDownloadedFull|FileAccessed|FilePreviewed|FileSyncUploadedFull/i
| groupBy([UserId, timebucket(field=timestamp, bucket="1h")], function=[
    count(as=OperationCount),
    count(ObjectId, distinct=true, as=UniqueFiles),
    collect([Operation], limit=10, as=Operations),
    collect([ClientIP], limit=10, as=SourceIPs),
    collect([SiteUrl], limit=5, as=SiteUrls)
  ])
| OperationCount >= 50
| RiskLevel := if(OperationCount >= 500, "Critical",
               if(OperationCount >= 200, "High",
               if(OperationCount >= 50, "Medium", "Low")))
| DetectionBranch := "BulkFileAccess"
| sort(OperationCount, order=desc)
| select([timebucket, UserId, OperationCount, UniqueFiles, Operations, SourceIPs, SiteUrls, RiskLevel, DetectionBranch])

// Branch 2: Sensitive keyword searches — run as separate saved query:
// #event_simpleName=O365AuditEvent
// | Workload = /SharePoint/i
// | Operation = "SearchQueryPerformed"
// | SearchQuery = /password|credential|secret|vpn|api.key|private.key|connection.string|network.diagram|architecture|payroll|salary/i
// | groupBy([UserId], function=[
//     count(as=SearchCount),
//     count(SearchQuery, distinct=true, as=UniqueQueries),
//     collect([SearchQuery], limit=5, as=QuerySamples),
//     collect([ClientIP], limit=5, as=SourceIPs)
//   ])
// | SearchCount >= 3
// | DetectionBranch := "SensitiveKeywordSearch"
// | select([UserId, SearchCount, UniqueQueries, QuerySamples, SourceIPs, DetectionBranch])

high severity medium confidence

Data Sources

CrowdStrike Falcon with Office 365 audit log ingestion via Falcon Data Replicator Microsoft 365 Management Activity events in LogScale repository

Required Tables

O365AuditEvent

False Positives

Enterprise content management workflows where automated service accounts sync SharePoint libraries to on-premises DMS platforms, generating sustained high-volume file access events during business hours
IT helpdesk or support staff remotely accessing user OneDrive to assist with file recovery or permissions troubleshooting, particularly when scoped to large personal document libraries
Legal hold or compliance export tools performing bulk document collection from SharePoint for litigation support or regulatory audit requests, appearing identical to adversarial bulk downloads

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1213 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data from Information Repositories

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Collection

Popular Detections