
sdedic
Copper Contributor
Nov 13, 2022

Send Alert When File in SharePoint is Being Accessed

Hi all,


Is there a way to get the list of files which users are accessing or trying to access if they don't have permission inside a specific SharePoint site? And in addition to that is there a way for Sentinel to send alerts only for those users that don't have permission to access files?

At the moment I am able to generate a list of users with number of accessed files on that specific SharePoint site:

// Users accessing files
// Users sorted by number of OneDrive and SharePoint files they accessed.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last
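Added example, not part of the original post: the query above counts files across every OneDrive and SharePoint site in the workspace, so to answer the "specific SharePoint site" part of the question it needs a site filter and a per-user file list. The version below scopes OfficeActivity by `Site_Url` and collects the file names, first/last access time and client IPs per user; the site URL and the 7-day lookback are assumed placeholders.

```kql
// Added example: scope file-access activity to one SharePoint site and list
// the files each user touched. The site URL is a placeholder; replace it with
// the site under investigation.
let targetSite = "https://contoso.sharepoint.com/sites/Finance";   // placeholder
let lookback = 7d;                                                 // assumed window
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload in ("OneDrive", "SharePoint")
| where Operation in ("FileDownloaded", "FileAccessed")
// startswith is case-insensitive in KQL, so sub-sites/libraries under the site match too
| where Site_Url startswith targetSite
| summarize
    AccessedFilesCount = dcount(OfficeObjectId),
    Files = make_set(SourceFileName, 50),   // cap the set so one busy user cannot blow up the row
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    ClientIPs = make_set(ClientIP, 10)
    by UserId, Site_Url
| sort by AccessedFilesCount desc nulls last
```

Note that `FileAccessed` and `FileDownloaded` are successful operations: this lists who did access files on the site, which is the first half of the question. A user who authenticates and is then refused by SharePoint permissions does not generate either event, which is why the replies point at sign-in failures and Conditional Access reporting for the "tried to access" half.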


4 Replies

  • Clive_Watson, Bronze Contributor

    sdedic 

    You can also look in the SigninLogs; there are a few similar use cases on GitHub: Azure-Sentinel/SuccessThenFail_SameUserDiffApp.yaml at 8f1a743d443059178fa30f3e779ea71940c5757f · Azure/Azure-Sentinel (github.com)

    Or a simple example you can look at?

    // failures: non-successful sign-ins to SharePoint Online
    SigninLogs
    | where ResultType != "0"
    | where AppDisplayName in ("Office 365 SharePoint Online")
    | project FailedLogonTime = TimeGenerated, UserId = UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription
    // join (default kind is innerunique) against per-user file-access counts on the same UPN
    | join
    (
        OfficeActivity
        | where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
        | summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
        | sort by AccessedFilesCount desc nulls last
    ) on UserId

    If nothing else, you'd see other errors, including Conditional Access ones (as mentioned in the other reply).
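Added example, not Clive_Watson's query: the join above counts every file a user touched anywhere in the query window, regardless of when the failed sign-in happened, and the join key is compared case-sensitively, so a UPN that differs only in case between SigninLogs and OfficeActivity silently drops out. The version below normalises the UPN on both sides and only counts file activity in the hour after each failed sign-in, which is closer to what a scheduled analytics rule would want. The 1-hour window is an assumption; `ConditionalAccessStatus` is included so Conditional Access failures can be told apart from other sign-in errors.

```kql
// Added example: correlate each failed SharePoint Online sign-in with the same
// user's file activity in the following hour. Assumes UserPrincipalName and
// UserId are both UPNs; both are lower-cased because join keys are compared
// case-sensitively.
let window = 1h;   // assumed correlation window
let failures = SigninLogs
    | where ResultType != "0"
    | where AppDisplayName == "Office 365 SharePoint Online"
    | project FailedLogonTime = TimeGenerated,
              UserKey = tolower(UserPrincipalName),
              IPAddress, ResultType, ResultDescription, ConditionalAccessStatus;
let fileActivity = OfficeActivity
    | where OfficeWorkload in ("OneDrive", "SharePoint")
    | where Operation in ("FileDownloaded", "FileAccessed")
    | project AccessTime = TimeGenerated,
              UserKey = tolower(UserId),
              OfficeObjectId, Site_Url, ClientIP;
failures
| join kind=inner fileActivity on UserKey
// keep only file events that occurred after the failure and within the window
| where AccessTime between (FailedLogonTime .. (FailedLogonTime + window))
| summarize
    AccessedFilesCount = dcount(OfficeObjectId),
    Sites = make_set(Site_Url, 10),
    FileClientIPs = make_set(ClientIP, 10)
    by UserKey, FailedLogonTime, IPAddress, ResultType, ResultDescription, ConditionalAccessStatus
| sort by FailedLogonTime desc
```

Each row is one failed sign-in followed by file access from the same account, with the sign-in IP and the file-access IPs side by side so a failure from one address followed by downloads from another stands out. A failed sign-in means authentication or Conditional Access blocked the session; it is not the same as a signed-in user being refused by SharePoint item permissions, so this still does not answer the permission-denied part of the question on its own.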


  • ClaudiaBothe, Copper Contributor
    Hi sdedic, it's not clear to me if you're using conditional access policies already to regulate access permissions. If so, I'd start by looking into those reports where policies "failed", i.e. somebody tried to access the files while not having the permission. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting
    • sdedic, Copper Contributor

      Thank you for your help and advice.


      ClaudiaBothe, I forgot to mention that, but we don't have any conditional policy that regulates access permissions. However, that could potentially be an alternative if we don't figure out how to accomplish the initial idea.


      Thank you

      • ClaudiaBothe, Copper Contributor

        sdedic, actually I don't think you will get your required result without using conditional access policies as a foundation. Have a look here at how to develop those policies with Defender for Cloud Apps: https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad
