T1213 Microsoft Sentinel · KQL

Detect Data from Information Repositories in Microsoft Sentinel

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion. Targets include SharePoint, Confluence, code repositories, CRM systems, databases, and messaging platforms such as Slack and Microsoft Teams. Adversaries may harvest credentials, network diagrams, system architecture documentation, PII, or source code from these repositories. Cloud-native services (AWS RDS, ElasticSearch, Redis) may also be improperly secured, enabling unauthenticated access to sensitive data stores.

MITRE ATT&CK

Tactic
Collection
Technique
T1213 Data from Information Repositories
Canonical reference
https://attack.mitre.org/techniques/T1213/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Detect bulk document access / data mining from SharePoint, OneDrive, and Microsoft Teams
let BulkAccessThreshold = 50;
let SensitiveKeywords = dynamic(["password", "credential", "secret", "vpn", "firewall", "network diagram",
  "architecture", "api key", "token", "private key", "ssn", "social security",
  "salary", "payroll", "customer data", "pii", "database", "connection string"]);
let TimeWindow = 1h;
// Branch 1: Bulk file access / download from SharePoint or OneDrive
let BulkAccess =
  OfficeActivity
  | where TimeGenerated > ago(24h)
  | where Workload in ("SharePoint", "OneDrive")
  | where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FilePreviewed", "FileSyncUploadedFull")
  | summarize
      OperationCount = count(),
      UniqueFiles = dcount(OfficeObjectId),
      // OfficeObjectId is a full URL; pull the trailing file extension explicitly
      // rather than relying on the last element of split()
      UniqueExtensions = dcount(tolower(extract(@"\.([A-Za-z0-9]{1,8})$", 1, OfficeObjectId))),
      Operations = make_set(Operation, 10),
      SourceIPs = make_set(ClientIP, 10),
      SiteUrls = make_set(Site_Url, 10),
      EarliestAccess = min(TimeGenerated),
      LatestAccess = max(TimeGenerated)
      by UserId, bin(TimeGenerated, TimeWindow)
  | where OperationCount >= BulkAccessThreshold
  | extend AccessDurationMinutes = datetime_diff('minute', LatestAccess, EarliestAccess)
  | extend FilesPerMinute = iff(AccessDurationMinutes > 0, toreal(UniqueFiles) / toreal(AccessDurationMinutes), toreal(UniqueFiles))
  | extend DetectionType = "BulkFileAccess"
  | project TimeGenerated, UserId, DetectionType, OperationCount, UniqueFiles, UniqueExtensions, AccessDurationMinutes, FilesPerMinute, Operations, SourceIPs, SiteUrls;
// Branch 2: Sensitive keyword searches in SharePoint
let SensitiveSearch =
  OfficeActivity
  | where TimeGenerated > ago(24h)
  | where Workload == "SharePoint"
  | where Operation == "SearchQueryPerformed"
  | where tolower(tostring(SearchQuery)) has_any (SensitiveKeywords)
  | summarize
      SearchCount = count(),
      UniqueQueries = dcount(SearchQuery),
      QuerySamples = make_set(SearchQuery, 5),
      SourceIPs = make_set(ClientIP, 5)
      by UserId, bin(TimeGenerated, TimeWindow)
  | extend DetectionType = "SensitiveKeywordSearch"
  | extend OperationCount = SearchCount
  | project TimeGenerated, UserId, DetectionType, OperationCount, UniqueQueries, QuerySamples, SourceIPs;
// Branch 3: External sharing of documents from SharePoint/OneDrive
let ExternalSharing =
  OfficeActivity
  | where TimeGenerated > ago(24h)
  | where Workload in ("SharePoint", "OneDrive")
  | where Operation in ("SharingInvitationCreated", "AnonymousLinkCreated", "SecureLinkCreated", "AddedToSecureLink")
  // Anonymous links are external by definition; other sharing operations carry an ExternalAccess flag
  | extend IsExternalShare = ExternalAccess == true or Operation == "AnonymousLinkCreated"
  | where IsExternalShare == true
  | summarize
      ShareCount = count(),
      UniqueFiles = dcount(OfficeObjectId),
      TargetAccounts = make_set(TargetUserOrGroupName, 10),
      SiteUrls = make_set(Site_Url, 5)
      by UserId, bin(TimeGenerated, TimeWindow)
  | where ShareCount >= 5
  | extend DetectionType = "BulkExternalSharing"
  | extend OperationCount = ShareCount
  | project TimeGenerated, UserId, DetectionType, OperationCount, UniqueFiles, TargetAccounts, SiteUrls;
// Union all branches (column sets differ per branch; union fills missing columns with null)
BulkAccess
| union SensitiveSearch
| union ExternalSharing
| sort by OperationCount desc
```
Severity: High · Confidence: Medium

Detects data mining from information repositories across three detection branches: (1) bulk file access or download from SharePoint or OneDrive reaching 50 or more operations within a one-hour window, indicating automated or manual mass data harvesting; (2) SharePoint searches containing sensitive keywords such as 'password', 'credential', 'vpn', 'api key', or 'pii', indicating targeted reconnaissance; (3) bulk external sharing of documents (five or more external shares or anonymous links in an hour), indicating potential exfiltration via sharing features. Uses the OfficeActivity table, which captures M365 unified audit logs for the SharePoint, OneDrive, and Teams workloads.

Data Sources

  • Application Log: Application Log Content
  • Cloud Service: Cloud Service Enumeration
  • Microsoft 365 Unified Audit Log
  • SharePoint Audit Logs
  • OneDrive Audit Logs

Required Tables

OfficeActivity

False Positives & Tuning

  • Migration projects — IT teams or contractors using tools like ShareGate or AvePoint to migrate SharePoint content generate extremely high file access counts
  • Backup and archival solutions — tools like Veeam, AvePoint Backup, or native SharePoint backup solutions download all files regularly
  • Legitimate enterprise search indexing — search crawlers or content indexing services authorized by IT generate bulk FileAccessed events
  • Legal eDiscovery — compliance officers performing court-ordered or internal investigation eDiscovery searches may access large volumes of documents and use sensitive keywords
  • Data loss prevention (DLP) scanning tools — DLP platforms that scan SharePoint for sensitive content will trigger both bulk access and sensitive keyword detections
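The migration, backup and DLP cases above are better handled with an allowlist plus a per-user baseline than by raising the global threshold for everyone. The query below is an added example and is not part of the rule on this page: it removes known bulk-access service identities before counting, then keeps only hours in which a user's distinct-file count is at least three times their own average hourly volume over the previous 14 days. The account names in the allowlist are constructed placeholders, and BaselineDays, BaselineMultiplier and the column names introduced here are assumptions of this example.

```kusto
// Added tuning example: allowlist known bulk-access identities and compare each user's
// hourly volume with their own history. Not part of the original rule.
// Placeholder accounts: in production keep these in a Sentinel watchlist and read it with
// _GetWatchlist('BulkAccessAllowlist') instead of an inline datatable.
let BulkAccessAllowlist = datatable(UserId:string, Reason:string) [
  "svc-sharegate-migration@example.com", "ShareGate migration (constructed placeholder)",
  "svc-avepoint-backup@example.com",     "AvePoint backup (constructed placeholder)",
  "svc-dlp-scanner@example.com",         "DLP content scanning (constructed placeholder)"
];
let BulkAccessThreshold = 50;   // same floor as the main rule
let TimeWindow = 1h;
let BaselineDays = 14d;         // history used to learn each user's normal hourly volume (assumed)
let BaselineMultiplier = 3.0;   // keep an hour only when it is >= 3x the user's own average (assumed)
// Hourly distinct-file counts per user, with allowlisted identities removed up front.
// materialize() evaluates the 14-day scan once and reuses it for both the baseline and the current day.
let HourlyAccess = materialize(
  OfficeActivity
  | where TimeGenerated > ago(BaselineDays)
  | where Workload in ("SharePoint", "OneDrive")
  | where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FilePreviewed", "FileSyncUploadedFull")
  | where UserId !in ((BulkAccessAllowlist | project UserId))
  | summarize UniqueFiles = dcount(OfficeObjectId) by UserId, Hour = bin(TimeGenerated, TimeWindow)
);
// Baseline: average and peak hourly volume per user over the history window, excluding the last 24h
let Baseline =
  HourlyAccess
  | where Hour < ago(24h)
  | summarize BaselineAvg = avg(UniqueFiles), BaselinePeak = max(UniqueFiles), BaselineHours = count() by UserId;
HourlyAccess
| where Hour >= ago(24h)
| where UniqueFiles >= BulkAccessThreshold
| join kind=leftouter Baseline on UserId
// A user with no history gets a zero baseline, so any hour over the floor is kept for triage
| extend BaselineAvg = coalesce(BaselineAvg, real(0)),
         BaselinePeak = coalesce(BaselinePeak, long(0)),
         BaselineHours = coalesce(BaselineHours, long(0))
| extend BaselineRatio = iff(BaselineAvg > 0, toreal(UniqueFiles) / BaselineAvg, toreal(UniqueFiles))
| where BaselineHours == 0 or BaselineRatio >= BaselineMultiplier
| project Hour, UserId, UniqueFiles, BaselineAvg, BaselinePeak, BaselineHours, BaselineRatio
| sort by BaselineRatio desc
```

Because the baseline needs 14 days of OfficeActivity, schedule this variant less frequently than the main rule (or precompute the Baseline table into a custom log once a day) rather than running it every five minutes; the allowlist alone can be dropped into Branch 1 of the main rule as an extra where clause without any of the baseline cost.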

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Bulk SharePoint Document Download via PnP PowerShell

    Expected signal: OfficeActivity events: Operation=FileDownloaded for each downloaded file, Workload=SharePoint, UserId=authenticated user UPN, ClientIP=executing machine IP. Azure AD SigninLogs: interactive authentication event for the SharePoint OAuth flow. Sysmon Event ID 1: Process Create for powershell.exe with PnP module loading.

  2. Test 2: SharePoint Sensitive Keyword Search via REST API

    Expected signal: OfficeActivity events: Operation=SearchQueryPerformed for each API search call, with SearchQuery field containing the sensitive keyword, Workload=SharePoint, UserId=authenticated user. Multiple events in quick succession for each term searched.

  3. Test 3: Confluence REST API Page Enumeration and Export

    Expected signal: Confluence access logs (atlassian-confluence.log): GET requests to /wiki/rest/api/space and /wiki/rest/api/search endpoints with user authentication. If Confluence audit logging is enabled: search events appear in Administration > Audit Log. Network proxy logs: HTTP requests to the Confluence FQDN with search query parameters visible in URL.

  4. Test 4: Microsoft Teams Message Export via Graph API

    Expected signal: OfficeActivity events: Operation=MessageRead or similar Teams audit events, Workload=MicrosoftTeams. Azure AD SigninLogs: token acquisition for Graph API with Teams scopes. AuditLogs: Microsoft Graph API calls for Team and ChannelMessage read operations. Microsoft Defender for Cloud Apps: Graph API activity anomaly if CASB is configured.
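After running any of these tests against a controlled tenant, confirm that the expected OfficeActivity telemetry actually landed before judging whether the detection fired. The query below is an added example, not part of this page or its Pro package: it compares the events observed for a test account during the test window with a table of minimum expected signals. TestUser and TestWindowStart are placeholders, the minimum counts are assumptions (the 50 downloads for Test 1 match the rule's BulkAccessThreshold), and Test 3 is omitted because Confluence logs never reach OfficeActivity.

```kusto
// Added validation query for the test runs above; not part of the original page.
// Replace the two placeholders with the test account and the start time of your run.
let TestUser = "t1213-validation@example.com";       // placeholder
let TestWindowStart = datetime(2024-01-01 09:00:00);  // placeholder
let TestWindowEnd = TestWindowStart + 2h;
// Minimum events each test should produce (assumed values; Test 1 matches the rule's 50-event floor).
// Test 4 uses MessageRead per the expected signal above; adjust if your tenant emits a different Teams operation.
let ExpectedSignals = datatable(TestId:string, Workload:string, Operation:string, MinEvents:long) [
  "Test 1", "SharePoint",     "FileDownloaded",       50,
  "Test 2", "SharePoint",     "SearchQueryPerformed", 5,
  "Test 4", "MicrosoftTeams", "MessageRead",          1
];
// What the audit log actually recorded for the test account inside the window
let Observed =
  OfficeActivity
  | where TimeGenerated between (TestWindowStart .. TestWindowEnd)
  | where UserId =~ TestUser
  | summarize ObservedEvents = count(),
              FirstSeen = min(TimeGenerated),
              LastSeen = max(TimeGenerated),
              ClientIPs = make_set(ClientIP, 5)
    by Workload, Operation;
ExpectedSignals
| join kind=leftouter Observed on Workload, Operation
| extend ObservedEvents = coalesce(ObservedEvents, long(0))
// MISSING: nothing logged at all (check audit log ingestion / Workload name);
// BELOW_THRESHOLD: events arrived but too few for the rule's branch to trigger
| extend Result = case(ObservedEvents == 0, "MISSING",
                       ObservedEvents < MinEvents, "BELOW_THRESHOLD",
                       "PASS")
| project TestId, Workload, Operation, MinEvents, ObservedEvents, FirstSeen, LastSeen, ClientIPs, Result
| sort by TestId asc
```

A PASS row for Test 1 means the rule's Branch 1 has enough events in the window, but it only fires if those 50 downloads fall inside a single one-hour bin; if FirstSeen and LastSeen straddle an hour boundary, rerun the test or check the bins individually before concluding the detection is broken. OfficeActivity ingestion can lag the M365 audit log by an hour or more, so an all-MISSING result immediately after a test usually means "not yet ingested" rather than "not logged".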
