Detect Sharepoint in Elastic Security
Adversaries may leverage SharePoint repositories as a source to mine valuable organizational information. SharePoint frequently contains policies, physical and logical network diagrams, system architecture documentation, testing credentials embedded in documents, source code snippets, and links to internal resources. Threat actors including Akira, HAFNIUM, LAPSUS$, APT28, and Chimera have used compromised credentials to bulk-access SharePoint sites during the collection phase, often prior to exfiltration. Specialized tooling such as spwebmember (used by APT15/Ke3chang) automates enumeration and bulk dumping of SharePoint document libraries.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1213 Data from Information Repositories
- Sub-technique: T1213.002 Sharepoint
- Canonical reference: https://attack.mitre.org/techniques/T1213/002/
Elastic Detection Query
    sequence by user.name, source.ip with maxspan=1h
      [any where event.dataset == "o365.audit" and
       event.action : ("FileAccessed", "FileDownloaded", "FileAccessedExtended", "SearchQueryPerformed") and
       event.provider == "SharePoint"] with runs=30
Detects bulk SharePoint data collection with Elastic EQL: the sequence groups SharePoint audit events by user.name and source.ip and fires when the same user and IP produce 30 consecutive file access, download or search events within one hour.
Data Sources
Required Tables
False Positives & Tuning
- SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
- Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
- SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
- Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
- Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows
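The following is an added example, not part of the original rule page: a small Python re-implementation of the detection logic in the EQL query above, run over constructed Microsoft 365 audit records using ECS-style field names. It emulates `sequence by user.name, source.ip with maxspan=1h ... with runs=30` as a sliding window over each user/IP pair's sorted timestamps, and layers on one of the tuning ideas from the false-positive list: a user-agent allowlist for sanctioned backup tooling. The allowlist, the field names of the synthetic records, and all users, IPs and user-agent strings are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters mirrored from the page's EQL: `with maxspan=1h` and `with runs=30`.
MAXSPAN = timedelta(hours=1)
RUNS = 30
ACTIONS = {"FileAccessed", "FileDownloaded", "FileAccessedExtended", "SearchQueryPerformed"}
# Hypothetical tuning allowlist (an assumption, not part of the page's query): user-agent
# substrings of sanctioned backup/indexing tools whose bulk access should be suppressed.
ALLOWLISTED_UA_SUBSTRINGS = ("AvePoint", "ShareGate")


def qualifies(ev, allowlist=ALLOWLISTED_UA_SUBSTRINGS):
    """Mirror the EQL `any where ...` filter, plus the optional user-agent allowlist."""
    if ev.get("event.dataset") != "o365.audit" or ev.get("event.provider") != "SharePoint":
        return False
    if ev.get("event.action") not in ACTIONS:
        return False
    ua = ev.get("user_agent.original", "")
    return not any(tag in ua for tag in allowlist)


def detect(events, runs=RUNS, maxspan=MAXSPAN, allowlist=ALLOWLISTED_UA_SUBSTRINGS):
    """Return one alert per (user, ip) that produced `runs` qualifying events inside `maxspan`.

    Sliding-window approximation of EQL `sequence by ... with runs=N`: per group the
    events are time-sorted and the window [left, right] is advanced so it never spans
    more than `maxspan`; the first time it holds `runs` events, an alert is emitted.
    """
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if qualifies(ev, allowlist):
            groups[(ev["user.name"], ev["source.ip"])].append(ev)
    alerts = []
    for (user, ip), evs in groups.items():
        left = 0
        for right in range(len(evs)):
            while evs[right]["@timestamp"] - evs[left]["@timestamp"] > maxspan:
                left += 1
            if right - left + 1 >= runs:
                window = evs[left:right + 1]
                span = window[-1]["@timestamp"] - window[0]["@timestamp"]
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "count": len(window),
                    "first_ts": window[0]["@timestamp"].isoformat(),
                    "last_ts": window[-1]["@timestamp"].isoformat(),
                    "span_minutes": int(span.total_seconds() // 60),
                    # action and user-agent breakdown help an analyst triage the alert
                    "actions": sorted({e["event.action"] for e in window}),
                    "user_agents": sorted({e["user_agent.original"] for e in window}),
                })
                break  # one alert per group is enough for triage
    return alerts


def make_events(user, ip, action, ua, start, count, step, provider="SharePoint"):
    """Build constructed o365.audit records (sample data, not real telemetry)."""
    return [{
        "@timestamp": start + i * step,
        "event.dataset": "o365.audit",
        "event.provider": provider,
        "event.action": action,
        "user.name": user,
        "source.ip": ip,
        "user_agent.original": ua,
    } for i in range(count)]


T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = (
    # scripted bulk download: 40 files in 40 minutes -> alert
    make_events("j.doe", "203.0.113.7", "FileDownloaded", "python-requests/2.31.0", T0, 40, timedelta(minutes=1))
    # ordinary browsing: 5 files -> no alert
    + make_events("a.smith", "198.51.100.20", "FileAccessed", "Mozilla/5.0", T0, 5, timedelta(minutes=10))
    # sanctioned backup job: 60 files, suppressed by the user-agent allowlist
    + make_events("svc-backup", "198.51.100.5", "FileAccessed", "AvePoint-Backup/1.0", T0, 60, timedelta(seconds=30))
    # slow drip: 30 files over five hours, never 30 inside any one-hour window -> no alert
    + make_events("m.lee", "203.0.113.9", "FileAccessed", "Mozilla/5.0", T0, 30, timedelta(minutes=10))
    # Exchange activity with a different action is outside the filter -> ignored
    + make_events("k.ng", "203.0.113.11", "MailItemsAccessed", "Mozilla/5.0", T0, 40, timedelta(minutes=1), provider="Exchange")
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for j.doe from 203.0.113.7 (30 downloads spanning 29 minutes, user agent python-requests), while the backup account is suppressed by the allowlist and the slow-drip user never reaches 30 events in one hour. Lowering `runs` or widening `maxspan` shows how quickly ordinary browsing starts to match, which is the trade-off the tuning list above is about.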
Other platforms for T1213.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SharePoint File Enumeration via PnP PowerShell
Expected signal: OfficeActivity: Multiple FileAccessed and ListItemAccessed events within seconds, all from the same UserId and ClientIP. RecordType=SharePoint or SharePointListItemOperation. The rapid succession of events with consistent ClientIP and UserAgent ('NONISV|SharePoint|PnP.PowerShell') is the key signal. AADSignInLogs will show an interactive sign-in to SharePoint Online from the same IP.
- Test 2: SharePoint REST API Bulk File Download
Expected signal: OfficeActivity: FileAccessed events from the API enumeration, FileDownloaded events for each file retrieved. UserAgent will contain 'python-requests/<version>' — a non-browser UA string. ClientIP will be the test machine's IP. All events occur within seconds of each other, producing a high-rate signal. AADSignInLogs may show basic authentication (if enabled) or modern auth token acquisition.
- Test 3: SharePoint Sensitive Document Search via Graph API
Expected signal: OfficeActivity: SearchQueryPerformed events with QueryText fields containing the sensitive search terms. RecordType=SharePointSearch. ClientIP matches the test machine. UserAgent will reflect the requests library. AADSignInLogs shows app-only token acquisition from the Azure AD tenant. The hunting query 3 (sensitive search terms) will capture these events directly.
- Test 4: SharePoint Cross-Site Collection Enumeration via PowerShell
Expected signal: OfficeActivity: SiteCollectionAdminAdded or PageViewed events as the admin account traverses site collections. AADSignInLogs shows SharePoint Online Management Shell authentication (UserAgent: 'Microsoft SharePoint Online Management Shell'). The enumeration of site collection properties generates audit events in the SharePoint Admin Center audit log. The cross-site enumeration pattern (UniqueShareSites > 5) triggers the main detection query.
References (11)
- https://attack.mitre.org/techniques/T1213/002/
- https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities
- https://learn.microsoft.com/en-us/azure/sentinel/connect-office-365
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2021/january/chimera-apt-group/
- https://www.secureworks.com/research/gold-sahara
- https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.002/T1213.002.md
- https://pnp.github.io/powershell/
- https://learn.microsoft.com/en-us/graph/api/resources/search-api-overview