title: Data from Information Repositories (T1213)
id: df00tech-t1213
status: experimental
description: "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion. Targets include SharePoint, Confluence, code repositories, CRM systems, databases, and messaging platforms such as Slack and Microsoft Teams. Adversaries may harvest credentials, network diagrams, system architecture documentation, PII, or source code from these repositories. Cloud-hosted data stores (AWS RDS, Elasticsearch, Redis) may also be improperly secured, enabling unauthenticated access to sensitive data."
references:
  - https://attack.mitre.org/techniques/T1213/
  - https://df00tech.com/detections/T1213
author: df00tech
date: 2026/04/13
tags:
  - attack.t1213
# NOTE: logsource is auto-derived and may need adjustment for your environment. The false positives
# below describe SharePoint FileAccessed events, which arrive via the Microsoft 365 unified audit log
# rather than Azure platform logs, so the product value is likely wrong for most deployments.
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # WARNING: the placeholder selection below (EventID: '*') matches every event. Do not enable
  # this rule as-is; replace the selection with the df00tech logic (bulk FileAccessed counts per
  # user plus sensitive-keyword matches) before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Migration projects — IT teams or contractors using tools like ShareGate or AvePoint to migrate SharePoint content generate extremely high file access counts
  - Backup and archival solutions — tools like Veeam, AvePoint Backup, or native SharePoint backup solutions download all files regularly
  - Legitimate enterprise search indexing — search crawlers or content indexing services authorized by IT generate bulk FileAccessed events
  - Legal eDiscovery — compliance officers performing court-ordered or internal investigation eDiscovery searches may access large volumes of documents and use sensitive keywords
  - Data loss prevention (DLP) scanning tools — DLP platforms that scan SharePoint for sensitive content will trigger both bulk access and sensitive keyword detections
level: high
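Worked example added here by the editor; it is not part of the df00tech rule or its KQL/SPL query. It implements the two signals the falsepositives section refers to, bulk FileAccessed activity by one user inside a short window and access to files whose path contains a sensitive keyword, over Office 365 unified audit log records of the shape SharePoint emits (CreationTime, Workload, Operation, UserId, ObjectId), and suppresses the migration/backup/DLP service accounts that the false positives describe via an allowlist. The threshold, window, keyword list, service-account names and the sample records are all constructed assumptions for illustration.

```python
"""Bulk-access and sensitive-file detection over SharePoint audit records (added example)."""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions for this example; calibrate against your tenant's baseline.
BULK_THRESHOLD = 5                 # distinct files by one user inside WINDOW
WINDOW = timedelta(minutes=10)
SENSITIVE_KEYWORDS = ("password", "credential", "network diagram", "architecture")
# Hypothetical service accounts for the migration/backup/DLP tooling listed under falsepositives.
ALLOWLIST = {"svc-sharegate@contoso.example", "svc-dlp@contoso.example"}


def parse_records(lines):
    """Parse newline-delimited JSON audit records, keeping only SharePoint FileAccessed events."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Workload") != "SharePoint" or rec.get("Operation") != "FileAccessed":
            continue
        out.append({
            "time": datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S"),
            "user": rec["UserId"].lower(),
            "object": rec["ObjectId"],
        })
    out.sort(key=lambda r: r["time"])
    return out


def detect_bulk_access(records, threshold=BULK_THRESHOLD, window=WINDOW, allowlist=ALLOWLIST):
    """Return {user: peak distinct files in any window} for users that reach the threshold.

    Sliding window per user: counting distinct ObjectIds (not raw events) means repeated opens
    of one file do not inflate the score, and spreading reads over hours stays below threshold.
    """
    recent = defaultdict(deque)       # user -> deque of (time, object) still inside the window
    in_window = defaultdict(Counter)  # user -> Counter of object ids inside the window
    peak = {}
    for r in records:
        user = r["user"]
        if user in allowlist:
            continue
        dq, cnt = recent[user], in_window[user]
        dq.append((r["time"], r["object"]))
        cnt[r["object"]] += 1
        while dq and r["time"] - dq[0][0] > window:   # expire events older than the window
            _, old_obj = dq.popleft()
            cnt[old_obj] -= 1
            if cnt[old_obj] == 0:
                del cnt[old_obj]
        if len(cnt) >= threshold:
            peak[user] = max(peak.get(user, 0), len(cnt))
    return peak


def detect_sensitive_access(records, keywords=SENSITIVE_KEYWORDS, allowlist=ALLOWLIST):
    """Return [(user, object)] for non-allowlisted accesses to sensitively named files."""
    hits = []
    for r in records:
        if r["user"] in allowlist:
            continue
        path = r["object"].lower()
        if any(k in path for k in keywords):
            hits.append((r["user"], r["object"]))
    return hits


def _rec(t, user, obj, workload="SharePoint", op="FileAccessed"):
    return json.dumps({"CreationTime": t, "Workload": workload, "Operation": op,
                       "UserId": user, "ObjectId": obj})


SITE = "https://contoso.sharepoint.com/sites"
# Constructed sample log lines (not real tenant data):
#  - alice: 6 distinct files in 6 minutes (bulk)
#  - bob: opens a file named Passwords.xlsx (sensitive keyword)
#  - svc-sharegate: 8 files in 8 minutes, but allowlisted as a migration account
#  - carol: 6 files spread 12 minutes apart, never 5 inside one 10-minute window
#  - one Exchange record and one FileModified record, both filtered out by parse_records
SAMPLE_LINES = (
    [_rec(f"2026-04-13T09:0{i}:00", "alice@contoso.example", f"{SITE}/eng/Shared Documents/doc{i}.docx")
     for i in range(6)]
    + [_rec("2026-04-13T09:10:00", "bob@contoso.example", f"{SITE}/it/Shared Documents/Passwords.xlsx"),
       _rec("2026-04-13T09:11:00", "bob@contoso.example", f"{SITE}/it/Shared Documents/Notes.docx")]
    + [_rec(f"2026-04-13T09:0{i}:30", "svc-sharegate@contoso.example", f"{SITE}/hr/migrated{i}.pdf")
       for i in range(8)]
    + [_rec(f"2026-04-13T{10 + (12 * i) // 60}:{(12 * i) % 60:02d}:00", "carol@contoso.example",
            f"{SITE}/fin/report{i}.pdf") for i in range(6)]
    + [_rec("2026-04-13T09:02:00", "alice@contoso.example", "mailbox-item", workload="Exchange"),
       _rec("2026-04-13T09:03:00", "bob@contoso.example", f"{SITE}/it/x.docx", op="FileModified")]
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    print("bulk:", detect_bulk_access(recs))
    print("sensitive:", detect_sensitive_access(recs))
```

Run as-is it flags only alice for bulk access and only bob's Passwords.xlsx read; dropping the allowlist (pass `allowlist=set()`) additionally surfaces the ShareGate service account, which is exactly the migration false positive the rule's own notes warn about.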
