T1213.002 Sharepoint Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let BulkAccessThreshold = 30;
let SensitiveKeywords = dynamic(["password", "credential", "secret", "vpn", "network diagram", "architecture", "topology", "firewall", "infrastructure", "source code", "api key", "private key", "token", "certificate", "backup"]);
let LookbackWindow = 24h;
let BucketSize = 1h;
OfficeActivity
| where TimeGenerated > ago(LookbackWindow)
| where RecordType in ("SharePointFileOperation", "SharePoint", "SharePointListItemOperation", "SharePointSearch")
| where Operation in (
    "FileAccessed", "FileDownloaded", "FileAccessedExtended",
    "FilePreviewed", "FolderBrowsed", "SearchQueryPerformed",
    "ListItemAccessed", "PageViewed"
  )
| extend IsSensitiveFile = SourceFileName has_any (SensitiveKeywords)
| extend IsSearchOperation = Operation == "SearchQueryPerformed"
| summarize
    TotalEvents        = count(),
    FilesAccessed      = dcountif(SourceFileName, not(IsSearchOperation)),
    SearchesExecuted   = countif(IsSearchOperation),
    SensitiveFileHits  = countif(IsSensitiveFile),
    UniqueShareSites   = dcount(Site_Url),
    SiteList           = make_set(Site_Url, 10),
    OperationTypes     = make_set(Operation),
    UserAgentSample    = take_any(UserAgent),
    Earliest           = min(TimeGenerated),
    Latest             = max(TimeGenerated)
    by UserId, ClientIP, bin(TimeGenerated, BucketSize)
| where TotalEvents > BulkAccessThreshold or SensitiveFileHits > 3
| extend SessionDuration = Latest - Earliest
| extend RatePerMinute   = round(toreal(TotalEvents) / max_of(toreal(datetime_diff('minute', Latest, Earliest)), 1), 1)
| project
    TimeGenerated, UserId, ClientIP,
    TotalEvents, FilesAccessed, SearchesExecuted, SensitiveFileHits,
    UniqueShareSites, SiteList, OperationTypes,
    SessionDuration, RatePerMinute, UserAgentSample
| sort by SensitiveFileHits desc, TotalEvents desc

high severity high confidence

Data Sources

Application Log: Office 365 Unified Audit Log Cloud Service: Microsoft SharePoint Online Network Traffic: SharePoint file access and download events

Required Tables

OfficeActivity

False Positives

SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows

Splunk

spl

index=o365 sourcetype="ms:o365:management:activity" Workload=SharePoint
  (Operation=FileAccessed OR Operation=FileDownloaded OR Operation=FileAccessedExtended
   OR Operation=FilePreviewed OR Operation=FolderBrowsed OR Operation=SearchQueryPerformed
   OR Operation=ListItemAccessed OR Operation=PageViewed)
| eval IsSensitive=if(
    match(lower(SourceFileName), "(password|credential|secret|vpn|network.diagram|architecture|topology|firewall|infrastructure|source.code|api.key|private.key|token|certificate|backup)"),
    1, 0
  )
| eval IsSearch=if(Operation="SearchQueryPerformed", 1, 0)
| bin _time span=1h
| stats
    count                              as TotalEvents,
    dc(SourceFileName)                 as FilesAccessed,
    sum(IsSearch)                      as SearchesExecuted,
    sum(IsSensitive)                   as SensitiveFileHits,
    dc(Site)                           as UniqueShareSites,
    values(Site)                       as SiteList,
    values(Operation)                  as OperationTypes,
    first(UserAgent)                   as UserAgentSample,
    min(_time)                         as Earliest,
    max(_time)                         as Latest
    by UserId, ClientIP, _time
| where TotalEvents > 30 OR SensitiveFileHits > 3
| eval SessionDurationMin=round((Latest - Earliest) / 60, 1)
| eval RatePerMinute=round(TotalEvents / max(SessionDurationMin, 1), 1)
| table _time, UserId, ClientIP, TotalEvents, FilesAccessed, SearchesExecuted,
        SensitiveFileHits, UniqueShareSites, SiteList, OperationTypes,
        SessionDurationMin, RatePerMinute, UserAgentSample
| sort - SensitiveFileHits, - TotalEvents

high severity high confidence

Data Sources

Application Log: Office 365 Management Activity API Cloud Service: Microsoft SharePoint Online

Required Sourcetypes

ms:o365:management:activity

False Positives

SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search) that systematically access all content
Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) accessing large document sets during compliance reviews
Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows

Elastic Security (EQL)

eql

sequence by user.name, source.ip with maxspan=1h
  [any where event.dataset == "o365.audit" and
   event.action : ("FileAccessed","FileDownloaded","FileAccessedExtended","SearchQueryPerformed") and
   event.provider == "SharePoint"]
  with runs=30

high severity high confidence

Data Sources

Microsoft 365 Audit Logs via Elastic O365 integration

Required Tables

logs-o365.audit-*

False Positives

SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  "UserId" as UserId, "ClientIP" as ClientIP,
  COUNT(*) as TotalEvents,
  COUNT(DISTINCT "SourceFileName") as FilesAccessed,
  SUM(CASE WHEN LOWER("SourceFileName") LIKE '%password%' OR LOWER("SourceFileName") LIKE '%credential%'
           OR LOWER("SourceFileName") LIKE '%secret%' THEN 1 ELSE 0 END) as SensitiveFileHits,
  CASE WHEN COUNT(*) > 100 THEN 10
       WHEN COUNT(*) > 50 THEN 7
       WHEN SUM(CASE WHEN LOWER("SourceFileName") LIKE '%password%' THEN 1 ELSE 0 END) > 3 THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE "Operation" IN ('FileAccessed','FileDownloaded','FileAccessedExtended','FilePreviewed',
                       'SearchQueryPerformed','FolderBrowsed')
  AND "Workload" = 'SharePoint'
  AND devicetime > NOW() - 3600000
GROUP BY DATEFORMAT(FLOOR(devicetime/3600000)*3600000, 'yyyy-MM-dd HH:mm:ss'), "UserId", "ClientIP"
HAVING COUNT(*) > 30 OR SensitiveFileHits > 3
ORDER BY TotalEvents DESC

high severity high confidence

Data Sources

Office 365 Management Activity via QRadar DSM

Required Tables

events

False Positives

SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows

Sumo Logic CSE

sql

_sourceCategory=o365/audit
| json auto
| where Workload == "SharePoint"
| where Operation in ("FileAccessed","FileDownloaded","FileAccessedExtended","FilePreviewed","SearchQueryPerformed","FolderBrowsed")
| eval is_sensitive = if(matches(toLower(SourceFileName), "(password|credential|secret|vpn|api.key|network.diagram|architecture)"), 1, 0)
| timeslice 1h
| stats count as TotalEvents, dcount(SourceFileName) as FilesAccessed,
        sum(is_sensitive) as SensitiveFileHits, dcount(Site) as UniqueShareSites
        by UserId, ClientIP, _timeslice
| where TotalEvents > 30 OR SensitiveFileHits > 3
| sort by SensitiveFileHits desc, TotalEvents desc

high severity high confidence

Data Sources

Office 365 Audit Logs via Sumo Logic O365 App

Required Tables

o365/audit

False Positives

SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows

Google Chronicle / SecOps

yaral

rule sharepoint_bulk_collection {
  meta:
    author = "Detection Engineering"
    description = "Detects bulk SharePoint data collection activity (T1213.002)"
    severity = "HIGH"
    tactic = "TA0009"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Office 365"
    $e.target.application = "SharePoint"
    $e.metadata.product_event_type = /FileAccessed|FileDownloaded|SearchQueryPerformed/ nocase
    $user = $e.principal.user.userid
    $ip = $e.principal.ip

  match:
    $user, $ip over 1h

  outcome:
    $event_count = count_distinct($e.metadata.id)

  condition:
    $event_count > 30
}

high severity high confidence

Data Sources

Microsoft 365 UDM Events

Required Tables

USER_RESOURCE_ACCESS

False Positives

SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "OAuthApplicationUsed"
| ApplicationName = /SharePoint/i
| stats count() as TotalEvents, dc(FileName) as FilesAccessed by UserName, RemoteAddressIP4, span(timestamp, 1h)
| where TotalEvents > 30
| eval RiskLevel = if(TotalEvents > 100, "critical", if(TotalEvents > 50, "high", "medium"))
| table timestamp, UserName, RemoteAddressIP4, TotalEvents, FilesAccessed, RiskLevel
| sort by TotalEvents desc

high severity high confidence

Data Sources

CrowdStrike Falcon Identity Protection

Required Tables

OAuthApplicationUsed

False Positives

SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows

Sharepoint

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections