Query Details

RULE 13 M365 SharePoint Site Admin Added

Query

// Rule    : M365 - SharePoint Site Collection Admin Added (Privilege Escalation)
// Severity: High
// Tactics : PrivilegeEscalation, Persistence
// MITRE   : T1098 (Account Manipulation), T1078.004
// Freq    : PT1H   Period: PT1H
// Description: Detects when a user is added as Site Collection Administrator (or granted an
//              equivalent permission level) on a SharePoint site, with severity raised for
//              sites with sensitive naming patterns and for guest/external target accounts.
//==========================================================================================

let LookbackPeriod = 1h;
let SensitiveSitePatterns = dynamic([
    "hr", "legal", "finance", "exec", "security", "payroll",
    "board", "audit", "compliance", "m&a", "merger"
]);

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType == "SharePoint"
// SiteCollectionCreated and GroupMemberAdded are not escalations on their own; they only
// survive the filter below when a sensitive site name or an admin-level role is involved.
| where Operation in (
    "SiteCollectionAdminAdded", "PermissionLevelAdded",
    "SiteCollectionCreated", "GroupMemberAdded")
| extend
    TargetUser     = tostring(TargetUserOrGroupName),                // already a string; parse_json is not needed
    RoleAssigned   = tostring(parse_json(EventData).RoleAssignment), // EventData is a string payload; confirm the key name against your own events
    SiteLower      = tolower(SiteUrl)
| extend
    IsSiteAdmin    = Operation == "SiteCollectionAdminAdded"
        or RoleAssigned has "Full Control"
        or RoleAssigned has "Site Collection Administrator",
    IsSensitiveSite = SiteLower has_any (SensitiveSitePatterns),
    IsGuest        = TargetUser contains "#EXT#" or TargetUser has "guest" // #EXT# is punctuation-bound, so use contains rather than the term-based has
| where IsSiteAdmin or IsSensitiveSite
| project
    TimeGenerated,
    ActorUserId    = UserId,
    TargetUser,
    SiteUrl,
    Operation,
    RoleAssigned,
    ClientIP,
    IsSiteAdmin,
    IsSensitiveSite,
    IsGuest,
    AlertSeverity  = case(
        IsGuest and IsSiteAdmin,          "Critical",
        IsSensitiveSite and IsSiteAdmin,  "High",
        IsSiteAdmin,                      "Medium",
        "Low")

Explanation

This query is designed to monitor and detect potential privilege escalation activities within Microsoft 365 SharePoint environments. Specifically, it focuses on identifying when a user is added as a Site Collection Administrator. That is the highest permission on a site: a site collection admin has full control over every list, library and subsite in the collection and can grant the same access to others, so an unexpected addition is a common persistence and data-access step after an account compromise.

Here's a simple breakdown of what the query does:

  1. Time Frame: It looks at activities within the last hour, matching the rule's one-hour frequency and period.

  2. Sensitive Sites: It checks whether the site URL contains a name that suggests sensitive content, such as "hr," "legal," "finance," etc. The match is term-based (has_any), so "hr" matches a site called HR-Payroll but not one called Thrive.

  3. Operations Monitored: It filters for specific operations: adding a Site Collection Admin, adding a permission level, creating a site collection, or adding a group member. The last two are not escalations by themselves and are only kept when the role or site checks below fire.

  4. Role and Site Checks:

    • It determines if the operation involved assigning a high-level role like Site Collection Administrator or Full Control.
    • It checks if the site involved is considered sensitive based on its name.
    • It identifies if the user added is a guest or external user (a "#EXT#" UPN or the word "guest").

  5. Alert Generation: Events that involve neither an admin-level role nor a sensitive site are dropped; the rest get a severity level:

    • "Critical" if a guest user is made a Site Collection Admin.
    • "High" if a Site Collection Admin is added to a sensitive site.
    • "Medium" for other Site Collection Admin additions.
    • "Low" for all other cases.

The query helps in quickly identifying and prioritizing potential security threats related to unauthorized privilege escalations in SharePoint. Legitimate site provisioning by SharePoint administrators and automation accounts will also match, so tune by baselining the ActorUserId values that normally perform these operations rather than by loosening the severity logic.
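As an added example (not part of the page's rule and not Microsoft code), the same tiering logic re-implemented in Python and run over constructed OfficeActivity-style records, so each severity case and the two non-alert cases can be exercised before the rule is deployed. Field names follow the OfficeActivity columns the query uses; the sample records, the contoso.example tenant and the RoleAssignment key inside EventData are assumptions carried over from the query.

```python
"""Offline check of the SharePoint site-admin rule's tiering, run over constructed
OfficeActivity-style records. Added example, not the page's rule or Microsoft code."""
import json
import re

# Same lists as the KQL rule.
SENSITIVE_SITE_PATTERNS = ["hr", "legal", "finance", "exec", "security", "payroll",
                           "board", "audit", "compliance", "m&a", "merger"]
MONITORED_OPERATIONS = {"SiteCollectionAdminAdded", "PermissionLevelAdded",
                        "SiteCollectionCreated", "GroupMemberAdded"}
ADMIN_ROLE_TERMS = ("Full Control", "Site Collection Administrator")


def _tokens(text):
    """Split on non-alphanumerics: KQL 'has' matches whole terms, not substrings."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def has_term(text, term):
    """Approximates KQL 'has': the term's tokens occur as a contiguous run of the
    text's tokens, so 'hr' matches '/sites/HR-Payroll' but not '/sites/Thrive'."""
    needle, hay = _tokens(term), _tokens(text)
    if not needle:
        return False
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def has_any(text, terms):
    return any(has_term(text, t) for t in terms)


def role_assignment(event_data):
    """Mirror of parse_json(EventData).RoleAssignment. EventData is a string that is
    empty or non-JSON for many operations; the 'RoleAssignment' key is the page's
    assumption about the payload and is kept as-is here."""
    try:
        parsed = json.loads(event_data or "")
    except ValueError:
        return ""
    return str(parsed.get("RoleAssignment", "")) if isinstance(parsed, dict) else ""


def evaluate(event):
    """Apply the rule to one record; return the projected row or None if filtered out."""
    if event.get("RecordType") != "SharePoint" or event.get("Operation") not in MONITORED_OPERATIONS:
        return None
    target = event.get("TargetUserOrGroupName") or ""
    role = role_assignment(event.get("EventData"))
    site = event.get("SiteUrl") or ""

    is_site_admin = (event["Operation"] == "SiteCollectionAdminAdded"
                     or any(has_term(role, t) for t in ADMIN_ROLE_TERMS))
    is_sensitive = has_any(site, SENSITIVE_SITE_PATTERNS)
    # '#EXT#' marks a B2B guest UPN; it is punctuation-bound, so a substring test
    # (KQL 'contains') is the reliable check, with the term 'guest' as a fallback.
    is_guest = "#ext#" in target.lower() or has_term(target, "guest")
    if not (is_site_admin or is_sensitive):
        return None

    if is_guest and is_site_admin:
        severity = "Critical"
    elif is_sensitive and is_site_admin:
        severity = "High"
    elif is_site_admin:
        severity = "Medium"
    else:
        severity = "Low"
    return {
        "TimeGenerated": event.get("TimeGenerated"), "ActorUserId": event.get("UserId"),
        "TargetUser": target, "SiteUrl": site, "Operation": event["Operation"],
        "RoleAssigned": role, "ClientIP": event.get("ClientIP"),
        "IsSiteAdmin": is_site_admin, "IsSensitiveSite": is_sensitive,
        "IsGuest": is_guest, "AlertSeverity": severity,
    }


def run_rule(events):
    """Equivalent of running the whole query over a batch of OfficeActivity rows."""
    return [row for row in map(evaluate, events) if row is not None]


def _rec(op, target, site, record_type="SharePoint", event_data="", when="2026-03-18T09:00:00Z"):
    """Build one constructed record (contoso.example is a placeholder tenant)."""
    return {"TimeGenerated": when, "RecordType": record_type, "Operation": op,
            "UserId": "it.admin@contoso.example", "TargetUserOrGroupName": target,
            "SiteUrl": "https://contoso.sharepoint.com" + site,
            "EventData": event_data, "ClientIP": "203.0.113.10"}


# Constructed sample events covering each severity tier and two non-alerts.
SAMPLE_EVENTS = [
    _rec("SiteCollectionAdminAdded", "mallory_gmail.com#EXT#@contoso.onmicrosoft.com",
         "/sites/Projects"),                                           # guest -> Critical
    _rec("PermissionLevelAdded", "bob@contoso.example", "/sites/HR-Payroll",
         event_data=json.dumps({"RoleAssignment": "Full Control"})),   # sensitive -> High
    _rec("SiteCollectionAdminAdded", "carol@contoso.example", "/sites/Marketing"),  # Medium
    _rec("GroupMemberAdded", "dave@contoso.example", "/sites/Legal-Holds",
         event_data=json.dumps({"RoleAssignment": "Read"})),           # sensitive only -> Low
    _rec("SiteCollectionCreated", "", "/sites/Thrive"),                # 'hr' is not a term here
    _rec("SiteCollectionAdminAdded", "eve@contoso.example", "/sites/Finance",
         record_type="ExchangeAdmin"),                                 # wrong workload, dropped
]

if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row["AlertSeverity"], row["Operation"], row["TargetUser"], row["SiteUrl"])
```

The has_term helper deliberately reproduces the whole-term semantics of KQL has/has_any rather than a substring test: that is why the Thrive site in the sample does not trip the "hr" pattern, while a contains-based check would, and why the guest check uses a substring for the punctuation-bound "#EXT#" marker.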

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

SharePoint, SiteCollectionAdministrator, UserAdmin, RoleAssignment, SiteUrl, ClientIP, AlertSeverity

Operators

let, dynamic, ago, in, extend, tostring, parse_json, tolower, has, has_any, or, project, case
