Query Details
Office Activity Anomalous Guest File Shares
Query
//Detect anomalies in the amount of files shared to guests in your Office 365 tenant from your users.
//Data connector required for this query - Office 365
//Starttime and endtime = which period of data to look at, i.e from 21 days ago until today.
let startdate=21d;
let enddate=1d;
//Timeframe = time period to break the data up into, i.e 1 hour blocks.
let timeframe=1h;
//Sensitivity = the lower the number the more sensitive the anomaly detection is, i.e it will find more anomalies, default is 1.5
let sensitivity=2;
//Threshold = set a threshold to account for low volume anomailies, i.e moving from 1 file shared to 2 within an hour
let threshold = 5;
let outlierusers=
OfficeActivity
| where Operation in ("AddedToSecureLink","SecureLinkCreated","SecureLinkUpdated")
| where TargetUserOrGroupType == "Guest" or TargetUserOrGroupName contains "#ext#"
| make-series GuestFileShares=count() on TimeGenerated from startofday(ago(startdate)) to startofday(ago(enddate)) step timeframe by UserId
| extend outliers=series_decompose_anomalies(GuestFileShares, sensitivity)
| mv-expand TimeGenerated, GuestFileShares, outliers
| where outliers == 1 and GuestFileShares > threshold
//Optionally visualize the anomalies - remove everything below this line to just retrieve the data instead of visualizing
| distinct UserId;
OfficeActivity
| where Operation in ("AddedToSecureLink","SecureLinkCreated","SecureLinkUpdated")
| where TargetUserOrGroupType == "Guest" or TargetUserOrGroupName contains "#ext#"
| where UserId in (outlierusers)
| make-series GuestFileShares=count() default=0 on TimeGenerated from startofday(ago(startdate)) to startofday(ago(enddate)) step timeframe by UserId
| render timechart with (ytitle="Share Count",title="Anomalous Files Shared to Guests")Explanation
This query is used to detect anomalies in the amount of files shared to guests in your Office 365 tenant by your users. It looks at data from a specific time period, breaks it down into smaller time intervals, and applies anomaly detection algorithms to identify unusual patterns. The sensitivity and threshold parameters can be adjusted to control the detection process. The query also includes an optional visualization of the anomalies found.
Details
Matt Zorich
Released: June 17, 2022
Tables
OfficeActivity
Keywords
Devices,Intune,User,Office365,OfficeActivity,Operation,TargetUserOrGroupType,TargetUserOrGroupName,Guest,UserId,TimeGenerated,GuestFileShares,outliers,threshold,startdate,enddate,timeframe,sensitivity,outlierusers,count,series_decompose_anomalies,mv-expand,distinct,render
Operators
letstartdate=21denddate=1dtimeframe=1hsensitivity=2threshold=5outlierusers=OfficeActivitywhereOperationin("AddedToSecureLink","SecureLinkCreated","SecureLinkUpdated")TargetUserOrGroupType=="Guest"orTargetUserOrGroupNamecontains"#ext#"make-seriesGuestFileShares=count()onTimeGeneratedfromstartofday(ago(startdate))tostartofday(ago(enddate))steptimeframebyUserIdextendoutliers=series_decompose_anomalies(GuestFileSharessensitivity)mv-expandTimeGeneratedGuestFileSharesoutlierswhereoutliers==1andGuestFileShares>thresholddistinctUserIdrendertimechartwith(ytitle="Share Count",title="Anomalous Files Shared to Guests")