Query Details
Office Activity Share Point Downloads By New IP
Query
let query_frequency = 1d;
let query_period = 14d;
let monitored_operations = dynamic(["FileDownloaded", "FileSyncDownloadedFull"]);
let operation_threshold = 10;
let file_threshold = 1;
let _ExpectedLocations = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "CorporateGeolocation"
| summarize make_list(Auxiliar)
);
let _CountryCodes =
_GetWatchlist("Code-GeoNamesCountryCodes")
| project Country, Location = ISO
;
let _DefaultSharePointAdministrators = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "SharePointAdministrator" and Notes has "[Default]"
| summarize make_list(ActorPrincipalName)
);
let _ExpectedMachineDomainInfo = toscalar(
_GetWatchlist("UUID-AADTenantIds")
| where Notes has "[MachineDomainInfoHomeTenant]"
| summarize make_list(tostring(TenantId))
);
let _ExpectedDomain = toscalar(
_GetWatchlist("UUID-AADTenantIds")
| where Notes has "[HomeTenant]"
| summarize make_list(strcat("@", Domain))
);
let _ExpectedIPRanges = dynamic([]);
OfficeActivity
| where TimeGenerated > ago(query_frequency)
| where Operation in (monitored_operations) and not(UserId in (_DefaultSharePointAdministrators))
| join kind=leftanti hint.strategy=shuffle (
OfficeActivity
| where TimeGenerated between(ago(query_period) .. ago(query_frequency))
| where Operation in (monitored_operations) and not(UserId in (_DefaultSharePointAdministrators))
| distinct ClientIP
) on ClientIP
| as _FileOperations
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
Operations = make_set(Operation),
FileCount = dcount(OfficeObjectId),
Files = make_set(OfficeObjectId, 250),
take_any(MachineDomainInfo)
by UserId, ClientIP, MachineId, OfficeWorkload, Site_Url
| lookup kind=leftouter (
_FileOperations
| summarize OperationCount = count() by ClientIP
) on ClientIP
| where OperationCount > operation_threshold or FileCount > file_threshold
// Remove operations from expected devices
| where not(MachineDomainInfo in (_ExpectedMachineDomainInfo) or (isnotempty(parse_ipv4(ClientIP)) and ipv4_is_in_any_range(ClientIP, _ExpectedIPRanges)))
// Add geolocation from IP address
| extend Country = tostring(geo_info_from_ip_address(ClientIP)["country"])
| lookup kind=leftouter _CountryCodes on Country
// Remove home tenant users from expected locations
| where not(Location in (_ExpectedLocations) and UserId has_any (_ExpectedDomain))
| project
StartTime,
EndTime,
OfficeWorkload,
UserId,
ClientIP,
Location,
MachineDomainInfo,
OperationCount,
Operations,
Site_Url,
FileCount,
Files
Explanation
This query is designed to monitor and analyze specific activities in an Office 365 environment over a certain period of time. It focuses on two operations: "FileDownloaded" and "FileSyncDownloadedFull".
The query first defines several parameters such as the frequency and period of the query, the operations to be monitored, and various thresholds. It then retrieves several lists of expected or default values from different watchlists, such as expected locations, country codes, SharePoint administrators, machine domain info, and domain.
The main part of the query retrieves Office 365 activity data, filters it based on the defined parameters and operations, and excludes activities from default SharePoint administrators. It also excludes activities from IP addresses that were active in the past but are not currently active.
The query then summarizes the data by user, IP address, machine ID, Office workload, and site URL, and counts the number of operations and distinct files involved. It also checks if the operations exceed the defined thresholds.
Next, the query removes operations from expected devices and adds geolocation information based on the IP address. It also removes activities from users in expected locations.
Finally, the query projects the results, displaying the start and end time of the activities, the Office workload, user ID, IP address, location, machine domain info, operation count, operations, site URL, file count, and files.
Details
Jose Sebastián Canós
Released: August 25, 2023
Tables
Keywords
Operators