Query Details

Office Activity Multiple Files Shared to Guests

Query

//Detect when a user shares multiple files to Azure AD guests over a short time frame.

//Data connector required for this query - Office 365

//Define a time period to check and the threshold of how many files to alert on.
//In this example it would detect when a user shares 10 or more files to a guest within 30 minutes
let timeframe=30m;
let threshold=10;
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation in ("SecureLinkCreated", "AddedToSecureLink")
| where TargetUserOrGroupType == "Guest" or TargetUserOrGroupName contains "#EXT#"
| summarize
    ['File Share Count']=dcount(OfficeObjectId),
    ['List of Files']=make_set(OfficeObjectId)
    by UserId, bin(TimeGenerated, timeframe)
| where ['File Share Count'] >= threshold

Explanation

This query detects when a user shares multiple files to Azure AD guests within a short time frame. It uses the Office 365 data connector. The query defines a time period (30 minutes) and a threshold (10 files) to check for. It filters the OfficeActivity data for the operations that create or extend secure sharing links, and keeps only events whose target is a guest (TargetUserOrGroupType of "Guest", or a target name containing "#EXT#"). It then summarizes the data by user and 30-minute bin, counting the number of distinct files shared (dcount, so re-sharing the same file does not raise the count) and building a set of the file IDs. Finally, it filters the results to only include users who have shared at least the specified threshold number of files.
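To make the summarize step concrete, the following is an added Python re-implementation of the same detection logic, not part of the original query or the author's work. It runs over constructed OfficeActivity-style records (user names, guest names and file IDs are placeholders) and goes slightly beyond the query itself: it shows why dcount keeps a user who re-shares one file below the threshold, and it adds a sliding-window variant that catches a burst which the fixed bin() grid would split across two bins.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same tunables as the KQL query.
TIMEFRAME = timedelta(minutes=30)
THRESHOLD = 10
SHARE_OPERATIONS = ("SecureLinkCreated", "AddedToSecureLink")


def event(ts, user, object_id, operation, target_type, target_name):
    """Build one OfficeActivity-style record (constructed, not real telemetry)."""
    return {
        "TimeGenerated": ts,
        "UserId": user,
        "OfficeObjectId": object_id,
        "Operation": operation,
        "TargetUserOrGroupType": target_type,
        "TargetUserOrGroupName": target_name,
    }


def make_events():
    """Constructed sample data; user names, guest name and file IDs are placeholders."""
    base = datetime(2022, 6, 17, 10, 0, tzinfo=timezone.utc)
    guest = "guest_fabrikam.example#EXT#@contoso.example"
    events = []
    # alice: 12 distinct files to a guest within 11 minutes -> exceeds the threshold
    for i in range(12):
        events.append(event(base + timedelta(minutes=5 + i), "alice@contoso.example",
                            f"doc-{i}", "SecureLinkCreated", "Guest", guest))
    # bob: the same file shared 15 times -> dcount stays at 1, no alert
    for i in range(15):
        events.append(event(base + timedelta(minutes=i), "bob@contoso.example",
                            "doc-shared", "AddedToSecureLink", "Guest", guest))
    # carol: 10 distinct files from 10:25 to 10:34, straddling the 10:30 bin edge
    for i in range(10):
        events.append(event(base + timedelta(minutes=25 + i), "carol@contoso.example",
                            f"plan-{i}", "SecureLinkCreated", "Guest", guest))
    # dave: 12 files to an internal member -> filtered out entirely
    for i in range(12):
        events.append(event(base + timedelta(minutes=i), "dave@contoso.example",
                            f"x-{i}", "SecureLinkCreated", "Member", "erin@contoso.example"))
    return events


def is_guest_share(e):
    """The query's two where-clauses: a sharing operation whose target is a guest."""
    if e["Operation"] not in SHARE_OPERATIONS:
        return False
    return e["TargetUserOrGroupType"] == "Guest" or "#EXT#" in e["TargetUserOrGroupName"]


def bin_start(ts, size):
    """Mimic KQL bin(): floor the timestamp onto a fixed grid aligned to the epoch."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // size) * size


def detect_fixed_bins(events, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """summarize dcount/make_set of OfficeObjectId by UserId, bin(TimeGenerated, timeframe)."""
    buckets = defaultdict(set)
    for e in filter(is_guest_share, events):
        buckets[(e["UserId"], bin_start(e["TimeGenerated"], timeframe))].add(e["OfficeObjectId"])
    return [
        {"UserId": user, "TimeGenerated": start,
         "File Share Count": len(files), "List of Files": sorted(files)}
        for (user, start), files in sorted(buckets.items())
        if len(files) >= threshold
    ]


def max_distinct_in_sliding_window(events, timeframe=TIMEFRAME):
    """Per user, the most distinct files shared inside any window of length timeframe.
    Unlike fixed bins, this catches a burst that straddles a bin boundary."""
    per_user = defaultdict(list)
    for e in filter(is_guest_share, events):
        per_user[e["UserId"]].append((e["TimeGenerated"], e["OfficeObjectId"]))
    result = {}
    for user, rows in per_user.items():
        rows.sort()
        best = 0
        for i, (start, _) in enumerate(rows):
            window = {oid for ts, oid in rows[i:] if ts - start < timeframe}
            best = max(best, len(window))
        result[user] = best
    return result


if __name__ == "__main__":
    data = make_events()
    for hit in detect_fixed_bins(data):
        print("fixed-bin alert:", hit["UserId"], hit["File Share Count"], hit["List of Files"])
    print("sliding-window max distinct files per user:", max_distinct_in_sliding_window(data))
```

Run as-is, the fixed-bin path alerts only on alice; carol's 10 files fall 5 into the 10:00 bin and 5 into the 10:30 bin and never reach the threshold, while the sliding-window variant reports 10 for her. In KQL the same gap can be narrowed by using a smaller bin and then widening the window, or accepted as the cost of a cheap summarize; the point is to know which behaviour the rule has before tuning the threshold.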

Details


Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

User,AzureAD,Guests,Files,TimeFrame

Operators

where, let, OfficeActivity, TimeGenerated, ago, where, Operation, in, TargetUserOrGroupType, TargetUserOrGroupName, contains, summarize, dcount, make_set, by, bin, >=
