Query Details

RULE 09 M365 SharePoint Anonymous Link Sensitive File

Query

// Rule    : M365 - SharePoint / OneDrive Anonymous Sharing Link Created for Sensitive File
// Severity: High
// Tactics : Exfiltration, Collection
// MITRE   : T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage),
//           T1078.004 (Valid Accounts: Cloud Accounts)
// Freq    : PT1H   Period: PT1H
// Description: Detects creation of anonymous sharing links (Anyone links) on SharePoint
//              and OneDrive files, and any sharing-link activity on sites whose URL
//              matches a sensitive-site pattern. A sensitivity-label list (Confidential
//              or higher) is declared for a label check but is not evaluated by this
//              query; site patterns are the only "sensitive file" test it performs.
//==========================================================================================

let LookbackPeriod = 1h;
// Declared for the label check named in the header. The OfficeActivity sharing
// rows used below carry no label column, so the query never evaluates this list;
// join it against a label source before relying on it.
let SensitiveLabels = dynamic([
    "Confidential", "Highly Confidential", "Top Secret", "Restricted"
]);
// has_any matches whole terms of the lowercased URL: "hr" matches /sites/HR-Benefits
// but not /sites/chromium. Tune the list to the tenant's actual site naming.
let SensitiveSitePatterns = dynamic([
    "hr", "legal", "finance", "exec", "security", "payroll", "board"
]);

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
// Sharing events carry RecordType SharePointSharingOperation for both workloads,
// so the workload column, not RecordType, distinguishes SharePoint from OneDrive.
| where OfficeWorkload in ("SharePoint", "OneDrive")
// AddedToSecureLink / SecureLinkUsed are "specific people" links and are never
// anonymous; they only surface through the sensitive-site branch below.
| where Operation in (
    "AnonymousLinkCreated", "SharingLinkCreated",
    "AddedToSecureLink", "SecureLinkUsed")
| extend
    // SharingType and TargetUserOrGroupName are top-level OfficeActivity columns;
    // LinkScope is read from the event payload and is empty when absent.
    LinkScope        = tostring(parse_json(Event_Data).LinkScope),
    SiteLower        = tolower(Site_Url)
| extend
    IsAnonymous      = (Operation == "AnonymousLinkCreated"
                        or SharingType == "AnonymousAccess"
                        or LinkScope == "Anyone"),
    IsSensitiveSite  = SiteLower has_any (SensitiveSitePatterns)
| where IsAnonymous or IsSensitiveSite
| project
    TimeGenerated,
    UserId,
    ClientIP,
    SourceFileName,
    Site_Url,
    OfficeObjectId,
    Operation,
    SharingType,
    TargetUserOrGroupName,
    IsAnonymous,
    IsSensitiveSite,
    AlertSeverity = case(
        IsAnonymous and IsSensitiveSite, "Critical",
        IsAnonymous,                     "High",
        "Medium")  // reached only by non-anonymous link activity on a sensitive site

Explanation

This query detects risky sharing in Microsoft 365, specifically SharePoint and OneDrive. It looks for the creation of anonymous sharing links (also known as "Anyone links"), and for any sharing-link activity on sites whose URL marks them as sensitive (HR, legal, finance and similar). Note that although a list of sensitivity labels ("Confidential" or higher) is declared, the query never reads a file's label; the only "sensitive file" test it actually performs is the site-URL pattern match. The query checks activities from the past hour and grades each hit by risk:

  1. Lookback Period: The query examines activities from the last hour, matching the one-hour run frequency so that each run covers only new events.
  2. Sensitive Labels: A list of "Confidential," "Highly Confidential," "Top Secret," and "Restricted" is declared, but no column in the selected events is compared against it, so it has no effect until it is joined to a label source.
  3. Sensitive Sites: It flags sites whose lowercased URL contains any of the keywords "hr," "legal," "finance," etc. as a whole term (has_any), so "hr" matches a site named HR-Benefits but not one named chromium.
  4. Activity Types: It keeps only SharePoint and OneDrive operations that create or use sharing links. The "secure link" operations are specific-people links and are never anonymous; they appear in the results only when the site is sensitive.
  5. Anonymous Links: An event counts as anonymous when the operation is AnonymousLinkCreated, the sharing type is AnonymousAccess, or the link scope is Anyone.
  6. Risk Assessment:
    • If a file is shared anonymously from a sensitive site, it is marked as "Critical."
    • If it is shared anonymously from any other site, it is marked as "High."
    • Otherwise (a non-anonymous link on a sensitive site, the only remaining case after the filter), it is marked as "Medium."

The query outputs details such as the time of the activity, user ID, client IP, file name, site URL, object ID, the sharing target, the two boolean flags and the severity of the alert.
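To show how these verdicts fall out on concrete events, here is an added Python re-implementation of the query's classification logic, run over constructed OfficeActivity-style records. This is example code written for this page, not part of the original rule or of any Microsoft product; the `has_any` helper approximates KQL whole-term matching, and the tenant, users and file names in the sample records are invented.

```python
import re

# Lists copied from the rule. SensitiveLabels is left out because the KQL
# never evaluates it; only the site patterns affect the verdict.
SENSITIVE_SITE_PATTERNS = ["hr", "legal", "finance", "exec", "security", "payroll", "board"]
LINK_OPERATIONS = {"AnonymousLinkCreated", "SharingLinkCreated",
                   "AddedToSecureLink", "SecureLinkUsed"}

_TERM = re.compile(r"[a-z0-9]+")


def has_any(text, patterns):
    """Approximate KQL `has_any`: match whole alphanumeric terms, case-insensitively.
    'hr' therefore matches '/sites/HR-Benefits' but not '/sites/chromium'."""
    terms = set(_TERM.findall(text.lower()))
    return any(p.lower() in terms for p in patterns)


def is_anonymous(rec):
    """The rule's IsAnonymous test: operation name, SharingType, or LinkScope."""
    return (rec.get("Operation") == "AnonymousLinkCreated"
            or rec.get("SharingType") == "AnonymousAccess"
            or rec.get("LinkScope") == "Anyone")


def classify(rec):
    """Return the alert row the rule would emit for one record, or None."""
    if rec.get("OfficeWorkload") not in ("SharePoint", "OneDrive"):
        return None
    if rec.get("Operation") not in LINK_OPERATIONS:
        return None
    anon = is_anonymous(rec)
    sensitive = has_any(rec.get("Site_Url", ""), SENSITIVE_SITE_PATTERNS)
    if not (anon or sensitive):
        return None
    if anon and sensitive:
        severity = "Critical"
    elif anon:
        severity = "High"
    else:
        severity = "Medium"  # non-anonymous link activity on a sensitive site
    return {
        "UserId": rec.get("UserId"),
        "Site_Url": rec.get("Site_Url"),
        "SourceFileName": rec.get("SourceFileName"),
        "Operation": rec.get("Operation"),
        "IsAnonymous": anon,
        "IsSensitiveSite": sensitive,
        "AlertSeverity": severity,
    }


# Constructed records in the shape of Sentinel OfficeActivity rows; the tenant,
# users and file names are invented for this example, not captured data.
SAMPLE_RECORDS = [
    {"OfficeWorkload": "SharePoint", "Operation": "AnonymousLinkCreated",
     "SharingType": "AnonymousAccess", "UserId": "alice@contoso.example",
     "Site_Url": "https://contoso.sharepoint.com/sites/HR-Benefits",
     "SourceFileName": "salary-bands.xlsx"},                      # anonymous + sensitive -> Critical
    {"OfficeWorkload": "OneDrive", "Operation": "AnonymousLinkCreated",
     "SharingType": "AnonymousAccess", "UserId": "bob@contoso.example",
     "Site_Url": "https://contoso-my.sharepoint.com/personal/bob_contoso_example",
     "SourceFileName": "holiday-photos.zip"},                     # anonymous only -> High
    {"OfficeWorkload": "SharePoint", "Operation": "AddedToSecureLink",
     "SharingType": "", "UserId": "carol@contoso.example",
     "Site_Url": "https://contoso.sharepoint.com/sites/Legal",
     "SourceFileName": "nda-template.docx"},                      # specific-people link, sensitive site -> Medium
    {"OfficeWorkload": "SharePoint", "Operation": "SharingLinkCreated",
     "SharingType": "", "UserId": "dave@contoso.example",
     "Site_Url": "https://contoso.sharepoint.com/sites/chromium",
     "SourceFileName": "build-notes.md"},                         # "hr" is a substring, not a term -> no alert
    {"OfficeWorkload": "SharePoint", "Operation": "SharingLinkCreated",
     "SharingType": "", "LinkScope": "Anyone", "UserId": "erin@contoso.example",
     "Site_Url": "https://contoso.sharepoint.com/sites/Finance",
     "SourceFileName": "q3-forecast.xlsx"},                       # Anyone scope + sensitive -> Critical
    {"OfficeWorkload": "Exchange", "Operation": "AnonymousLinkCreated",
     "SharingType": "AnonymousAccess", "UserId": "frank@contoso.example",
     "Site_Url": "", "SourceFileName": ""},                       # wrong workload -> filtered out
]


def run_rule(records=SAMPLE_RECORDS):
    """Apply the rule to a batch of records and return the alert rows, in input order."""
    return [alert for alert in map(classify, records) if alert is not None]


if __name__ == "__main__":
    for alert in run_rule():
        print(alert["AlertSeverity"], alert["UserId"], alert["Site_Url"], alert["SourceFileName"])
```

The chromium record is the one worth noticing when tuning: the KQL uses `has_any`, which is term-based, so short patterns like "hr" do not fire on every URL that happens to contain those two letters; switching the rule to `contains` would reintroduce that noise.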

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

SharePoint, OneDrive, Files, Sites, Links, Sensitivity Labels, Confidential, Security, User, ClientIP

Operators

let, dynamic, ago, in, extend, tostring, parse_json, tolower, has_any, or, project, case
