Nov 13 2022 02:08 PM
Hi all,
Is there a way to get the list of files which users are accessing, or trying to access without permission, inside a specific SharePoint site? And in addition to that, is there a way for Sentinel to send alerts only for those users that don't have permission to access files?
At the moment I am able to generate a list of users with number of accessed files on that specific SharePoint site:
// Users accessing files
// Users sorted by number of OneDrive and SharePoint files they accessed.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last
Nov 14 2022 02:55 AM
Nov 14 2022 03:59 AM
You can also look in the SigninLogs; there are a few similar use cases on GitHub: Azure-Sentinel/SuccessThenFail_SameUserDiffApp.yaml at 8f1a743d443059178fa30f3e779ea71940c5757f · Az...
Or a simple example you can look at?
// Failed sign-ins (any non-zero ResultType) against SharePoint Online
SigninLogs
| where ResultType !="0"
| where AppDisplayName in ("Office 365 SharePoint Online")
| project FailedLogonTime = TimeGenerated, UserId =UserPrincipalName, IPAddress , FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription
// Inner join with the per-user file access counts from OfficeActivity
| join
(
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last
) on UserId
If nothing else, you'd see other errors, incl. Conditional Access ones (as mentioned in the other reply).
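The SigninLogs/OfficeActivity join in the reply above, re-implemented over constructed sample records so its behaviour can be checked offline. This is an added example, not code from the thread or from the Azure-Sentinel repository. The rows are made up; the field names follow the two Sentinel tables used in the thread, and `Site_Url` is an assumed OfficeActivity column used to scope the count to one SharePoint site, which the original query does not do. One detail worth checking in the real query: KQL `join` compares string keys case-sensitively, so a mixed-case UserPrincipalName in SigninLogs will not match a lower-case UserId in OfficeActivity unless both sides are normalised.

```python
"""Added example (not from the thread): failed SharePoint sign-ins joined
with per-user file access counts, over constructed log records."""
from collections import defaultdict

# Constructed sample rows, not real telemetry. Column names mirror the
# Sentinel SigninLogs and OfficeActivity tables; Site_Url is assumed.
SIGNIN_LOGS = [
    {"TimeGenerated": "2022-11-14T08:01:00Z", "UserPrincipalName": "Alice@contoso.com",
     "IPAddress": "203.0.113.10", "AppDisplayName": "Office 365 SharePoint Online",
     "ResultType": "53003", "ResultDescription": "Blocked by Conditional Access"},
    {"TimeGenerated": "2022-11-14T08:05:00Z", "UserPrincipalName": "bob@contoso.com",
     "IPAddress": "203.0.113.11", "AppDisplayName": "Office 365 SharePoint Online",
     "ResultType": "0", "ResultDescription": ""},
    {"TimeGenerated": "2022-11-14T08:07:00Z", "UserPrincipalName": "carol@contoso.com",
     "IPAddress": "203.0.113.12", "AppDisplayName": "Office 365 Exchange Online",
     "ResultType": "50126", "ResultDescription": "Invalid username or password"},
]

OFFICE_ACTIVITY = [
    {"OfficeWorkload": "SharePoint", "Operation": "FileAccessed", "UserId": "alice@contoso.com",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/q3.xlsx",
     "Site_Url": "https://contoso.sharepoint.com/sites/Finance/"},
    {"OfficeWorkload": "SharePoint", "Operation": "FileDownloaded", "UserId": "alice@contoso.com",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/q3.xlsx",
     "Site_Url": "https://contoso.sharepoint.com/sites/Finance/"},
    {"OfficeWorkload": "SharePoint", "Operation": "FileAccessed", "UserId": "alice@contoso.com",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/budget.docx",
     "Site_Url": "https://contoso.sharepoint.com/sites/Finance/"},
    {"OfficeWorkload": "SharePoint", "Operation": "FileAccessed", "UserId": "alice@contoso.com",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/HR/Shared Documents/policy.pdf",
     "Site_Url": "https://contoso.sharepoint.com/sites/HR/"},
    {"OfficeWorkload": "OneDrive", "Operation": "FileAccessed", "UserId": "bob@contoso.com",
     "OfficeObjectId": "https://contoso-my.sharepoint.com/personal/bob/Documents/notes.txt",
     "Site_Url": "https://contoso-my.sharepoint.com/personal/bob/"},
    {"OfficeWorkload": "SharePoint", "Operation": "FileDeleted", "UserId": "alice@contoso.com",
     "OfficeObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/old.txt",
     "Site_Url": "https://contoso.sharepoint.com/sites/Finance/"},
]


def failed_sharepoint_signins(rows):
    """SigninLogs | where ResultType != "0" and app is SharePoint Online."""
    return [r for r in rows
            if r["ResultType"] != "0"
            and r["AppDisplayName"] == "Office 365 SharePoint Online"]


def accessed_file_counts(rows, site_url=None):
    """OfficeActivity | summarize dcount(OfficeObjectId) by UserId, for
    OneDrive/SharePoint FileAccessed/FileDownloaded only. site_url (assumed
    Site_Url column, prefix match) scopes the count to one site."""
    seen = defaultdict(set)
    for r in rows:
        if r["OfficeWorkload"] not in ("OneDrive", "SharePoint"):
            continue
        if r["Operation"] not in ("FileDownloaded", "FileAccessed"):
            continue
        if site_url and not r["Site_Url"].lower().startswith(site_url.lower()):
            continue
        seen[r["UserId"].lower()].add(r["OfficeObjectId"])
    return {user: len(objs) for user, objs in seen.items()}


def join_failures_with_access(signins, activity, site_url=None):
    """Inner join of the two result sets on the user, sorted like the
    original query. Both keys are lower-cased because KQL join keys are
    case-sensitive: Alice@contoso.com would otherwise never match
    alice@contoso.com and the row would silently drop out."""
    counts = accessed_file_counts(activity, site_url)
    out = []
    for f in failed_sharepoint_signins(signins):
        key = f["UserPrincipalName"].lower()
        if key in counts:
            out.append({"UserId": key, "FailedLogonTime": f["TimeGenerated"],
                        "IPAddress": f["IPAddress"], "ResultType": f["ResultType"],
                        "ResultDescription": f["ResultDescription"],
                        "AccessedFilesCount": counts[key]})
    return sorted(out, key=lambda r: r["AccessedFilesCount"], reverse=True)


if __name__ == "__main__":
    finance = "https://contoso.sharepoint.com/sites/Finance/"
    for row in join_failures_with_access(SIGNIN_LOGS, OFFICE_ACTIVITY, site_url=finance):
        print(row)
```

Run as-is it prints the one user who both failed a SharePoint sign-in and touched files under the Finance site; bob's successful sign-in and carol's Exchange failure are filtered out before the join, and the FileDeleted row is not counted. In the live query the equivalent of the lower-casing is `tolower(UserPrincipalName)` and `tolower(UserId)` on the two sides before `join`.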
Nov 16 2022 12:44 AM - edited Nov 16 2022 12:55 AM
Thank you for your help and advice.
@ClaudiaBothe, I forgot to mention that, but we don't have any conditional policy that regulates access permissions. However, that could potentially be an alternative if we don't figure out how to accomplish the initial idea.
Thank you
Nov 16 2022 02:41 AM
@sdedic actually I don't think you will get your required result without using conditional access policies as a foundation. Have a look here at how to develop those policies with Defender for Cloud Apps: https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad