Detect SharePoint Collection (T1213.002) in Microsoft Sentinel
Adversaries may leverage SharePoint repositories as a source to mine valuable organizational information. SharePoint frequently contains policies, physical and logical network diagrams, system architecture documentation, testing credentials embedded in documents, source code snippets, and links to internal resources. Threat actors including Akira, HAFNIUM, LAPSUS$, APT28, and Chimera have used compromised credentials to bulk-access SharePoint sites during the collection phase, often prior to exfiltration. Specialized tooling such as spwebmember (used by APT15/Ke3chang) automates enumeration and bulk dumping of SharePoint document libraries.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1213 Data from Information Repositories
- Sub-technique: T1213.002 SharePoint
- Canonical reference: https://attack.mitre.org/techniques/T1213/002/
KQL Detection Query
let BulkAccessThreshold = 30;
let SensitiveKeywords = dynamic(["password", "credential", "secret", "vpn", "network diagram", "architecture", "topology", "firewall", "infrastructure", "source code", "api key", "private key", "token", "certificate", "backup"]);
let LookbackWindow = 24h;
let BucketSize = 1h;
OfficeActivity
| where TimeGenerated > ago(LookbackWindow)
| where RecordType in ("SharePointFileOperation", "SharePoint", "SharePointListItemOperation", "SharePointSearch")
| where Operation in (
    "FileAccessed", "FileDownloaded", "FileAccessedExtended",
    "FilePreviewed", "FolderBrowsed", "SearchQueryPerformed",
    "ListItemAccessed", "PageViewed"
  )
// Keyword match is against the file name only, not file content
| extend IsSensitiveFile = SourceFileName has_any (SensitiveKeywords)
| extend IsSearchOperation = Operation == "SearchQueryPerformed"
// One row per user, client IP and 1-hour bucket
| summarize
    TotalEvents = count(),
    FilesAccessed = dcountif(SourceFileName, not(IsSearchOperation)),
    SearchesExecuted = countif(IsSearchOperation),
    SensitiveFileHits = countif(IsSensitiveFile),
    UniqueShareSites = dcount(Site_Url),
    SiteList = make_set(Site_Url, 10),
    OperationTypes = make_set(Operation),
    UserAgentSample = take_any(UserAgent),
    Earliest = min(TimeGenerated),
    Latest = max(TimeGenerated)
  by UserId, ClientIP, bin(TimeGenerated, BucketSize)
| where TotalEvents > BulkAccessThreshold or SensitiveFileHits > 3
| extend SessionDuration = Latest - Earliest
// Events per minute across the span between first and last event in the bucket; floor at 1 minute to avoid division by zero
| extend RatePerMinute = round(toreal(TotalEvents) / max_of(toreal(datetime_diff('minute', Latest, Earliest)), 1.0), 1)
| project
    TimeGenerated, UserId, ClientIP,
    TotalEvents, FilesAccessed, SearchesExecuted, SensitiveFileHits,
    UniqueShareSites, SiteList, OperationTypes,
    SessionDuration, RatePerMinute, UserAgentSample
| sort by SensitiveFileHits desc, TotalEvents desc

This query detects anomalous bulk file access and sensitive-document collection in SharePoint Online through Microsoft Sentinel's OfficeActivity table (fed by the Office 365 Unified Audit Log). It aggregates SharePoint file access, download, search, and browse events into 1-hour buckets per user and client IP, and alerts when a user exceeds 30 SharePoint events in an hour or records more than 3 access events on files whose names match sensitive keyword patterns (passwords, credentials, network diagrams, source code, certificates). It also reports the access rate per minute so that legitimate high-volume users can be distinguished from scripted enumeration.
Data Sources
Required Tables: OfficeActivity (populated by the Office 365 connector from the Unified Audit Log)
False Positives & Tuning
- SharePoint site migrations or bulk content audits performed by IT administrators accessing large numbers of files in a short window
- Automated backup or archiving tools (e.g., AvePoint, ShareGate, Veeam for Microsoft 365) that enumerate and download SharePoint content on a schedule
- SharePoint crawlers and search indexers used by enterprise search products (Coveo, Microsoft Search, Elastic Workplace Search) that systematically access all content
- Legal hold or eDiscovery processing tools (Purview, Nuix, Exterro) that access large document sets during compliance reviews
- Power Automate flows or Logic Apps that process SharePoint file libraries at high volume for business automation workflows
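One way to tune for the sources above is to suppress known automation identities and compare each user's hourly volume with that user's own history, so a steady-state bulk user does not alert while a sudden burst does. This is an added example, not the page's detection; the service-account names and user-agent fragments are constructed placeholders to be replaced with values from your own telemetry.

```kql
// Added tuning variant: allow-list known automation, then baseline per user.
// Allow-list values below are constructed placeholders, not real identities.
let BulkAccessThreshold = 30;
let SensitiveKeywords = dynamic(["password", "credential", "secret", "vpn", "network diagram", "architecture", "topology", "firewall", "infrastructure", "source code", "api key", "private key", "token", "certificate", "backup"]);
let BaselineWindow = 14d;   // 13 days of history plus the 24h under review
let BucketSize = 1h;
let AllowedServiceAccounts = dynamic(["svc-backup@contoso.example", "svc-search-indexer@contoso.example"]);
// Assumed UA fragments for backup/migration/indexing tools; verify against your logs
let AllowedUserAgentPatterns = dynamic(["ShareGate", "AvePoint", "Coveo"]);
let SharePointHourly = OfficeActivity
    | where TimeGenerated > ago(BaselineWindow)
    | where RecordType in ("SharePointFileOperation", "SharePoint", "SharePointListItemOperation", "SharePointSearch")
    | where Operation in ("FileAccessed", "FileDownloaded", "FileAccessedExtended", "FilePreviewed", "FolderBrowsed", "SearchQueryPerformed", "ListItemAccessed", "PageViewed")
    | where not(UserId in~ (AllowedServiceAccounts))
    | where not(UserAgent has_any (AllowedUserAgentPatterns))
    | summarize
        TotalEvents = count(),
        SensitiveFileHits = countif(SourceFileName has_any (SensitiveKeywords)),
        UniqueShareSites = dcount(Site_Url)
      by UserId, ClientIP, bin(TimeGenerated, BucketSize);
// Per-user baseline from buckets older than 24h (users with no history get 0)
let Baseline = SharePointHourly
    | where TimeGenerated < ago(1d)
    | summarize BaselineHourlyAvg = avg(TotalEvents), BaselineHourlyMax = max(TotalEvents) by UserId;
SharePointHourly
| where TimeGenerated >= ago(1d)
| join kind=leftouter Baseline on UserId
| extend BaselineHourlyAvg = coalesce(BaselineHourlyAvg, 0.0),
         BaselineHourlyMax = coalesce(BaselineHourlyMax, 0)
// Ratio of this hour's volume to the user's average hour; floor avoids divide-by-zero
| extend Deviation = round(toreal(TotalEvents) / max_of(BaselineHourlyAvg, 1.0), 1)
// Bulk alert only when the hour is both above the fixed threshold and 3x the user's busiest prior hour;
// the sensitive-file condition is kept unconditional
| where (TotalEvents > BulkAccessThreshold and TotalEvents > 3 * BaselineHourlyMax) or SensitiveFileHits > 3
| project TimeGenerated, UserId, ClientIP, TotalEvents, BaselineHourlyAvg, BaselineHourlyMax, Deviation, SensitiveFileHits, UniqueShareSites
| sort by Deviation desc, SensitiveFileHits desc
```

A user seen for the first time has a zero baseline, so any hour above the fixed threshold still alerts; that is deliberate, since a newly active identity is exactly what compromised credentials look like.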
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SharePoint File Enumeration via PnP PowerShell
  Expected signal: OfficeActivity: Multiple FileAccessed and ListItemAccessed events within seconds, all from the same UserId and ClientIP. RecordType=SharePoint or SharePointListItemOperation. The rapid succession of events with consistent ClientIP and UserAgent ('NONISV|SharePoint|PnP.PowerShell') is the key signal. AADSignInLogs will show an interactive sign-in to SharePoint Online from the same IP.
- Test 2: SharePoint REST API Bulk File Download
  Expected signal: OfficeActivity: FileAccessed events from the API enumeration, FileDownloaded events for each file retrieved. UserAgent will contain 'python-requests/<version>', a non-browser UA string. ClientIP will be the test machine's IP. All events occur within seconds of each other, producing a high-rate signal. AADSignInLogs may show basic authentication (if enabled) or modern auth token acquisition.
- Test 3: SharePoint Sensitive Document Search via Graph API
  Expected signal: OfficeActivity: SearchQueryPerformed events with QueryText fields containing the sensitive search terms. RecordType=SharePointSearch. ClientIP matches the test machine. UserAgent will reflect the requests library. AADSignInLogs shows app-only token acquisition from the Azure AD tenant. The hunting query 3 (sensitive search terms) will capture these events directly.
- Test 4: SharePoint Cross-Site Collection Enumeration via PowerShell
  Expected signal: OfficeActivity: SiteCollectionAdminAdded or PageViewed events as the admin account traverses site collections. AADSignInLogs shows SharePoint Online Management Shell authentication (UserAgent: 'Microsoft SharePoint Online Management Shell'). The enumeration of site collection properties generates audit events in the SharePoint Admin Center audit log. The cross-site enumeration pattern (UniqueShareSites > 5) triggers the main detection query.
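After running the tests, the query below checks that the expected telemetry actually landed and ties each SharePoint burst to the sign-in that preceded it from the same user and IP. This is an added validation query, not part of the page's detection package; it assumes the Sentinel sign-in table SigninLogs, and uses the user-agent fragments listed in the tests above.

```kql
// Added validation query: confirm test telemetry and correlate with sign-ins.
// App-only (client credentials) token acquisition in Test 3 is not in SigninLogs,
// so that row is expected to have an empty LatestSignIn.
let TestUserAgents = dynamic(["PnP.PowerShell", "python-requests", "SharePoint Online Management Shell"]);
let SharePointBursts = OfficeActivity
    | where TimeGenerated > ago(2h)
    | where RecordType in ("SharePointFileOperation", "SharePoint", "SharePointListItemOperation", "SharePointSearch")
    | where UserAgent has_any (TestUserAgents)
    | summarize
        Events = count(),
        Ops = make_set(Operation),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated),
        UA = take_any(UserAgent)
      by UserId = tolower(UserId), ClientIP;
let SignIns = SigninLogs
    | where TimeGenerated > ago(3h)
    | where ResultType == "0"   // successful sign-ins only
    | where AppDisplayName has "SharePoint" or ResourceDisplayName has "SharePoint"
    | project SignInTime = TimeGenerated, UserPrincipalName = tolower(UserPrincipalName), IPAddress, AppDisplayName;
SharePointBursts
| join kind=leftouter SignIns on $left.UserId == $right.UserPrincipalName, $left.ClientIP == $right.IPAddress
// Keep bursts with no matching sign-in (still a test result) and sign-ins that preceded the last event
| where isnull(SignInTime) or SignInTime <= LastSeen
| summarize
    LatestSignIn = max(SignInTime),
    SignInApp = take_anyif(AppDisplayName, isnotempty(AppDisplayName))
  by UserId, ClientIP, UA, Events, Ops = tostring(Ops), FirstSeen, LastSeen
| extend SecondsFirstToLast = datetime_diff('second', LastSeen, FirstSeen)
| project UserId, ClientIP, UA, Events, Ops, SecondsFirstToLast, LatestSignIn, SignInApp
| sort by Events desc
```

A small SecondsFirstToLast with a high Events count is the rate signal the tests are meant to produce; a missing LatestSignIn for a non-app-only test means the sign-in happened outside the 3-hour window or from a different IP.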
References
- https://attack.mitre.org/techniques/T1213/002/
- https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities
- https://learn.microsoft.com/en-us/azure/sentinel/connect-office-365
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2021/january/chimera-apt-group/
- https://www.secureworks.com/research/gold-sahara
- https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.002/T1213.002.md
- https://pnp.github.io/powershell/
- https://learn.microsoft.com/en-us/graph/api/resources/search-api-overview