Send Alert When File in SharePoint is Being Accessed


Hi all,


Is there a way to get the list of files which users are accessing or trying to access if they don't have permission inside a specific SharePoint site? And in addition to that is there a way for Sentinel to send alerts only for those users that don't have permission to access files?

At the moment I am able to generate a list of users with number of accessed files on that specific SharePoint site:

// Users accessing files
// Users sorted by number of OneDrive and SharePoint files they accessed.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last

Hi sdedic, it's not clear to me if you're using conditional access policies already to regulate access permissions. If so, I'd start by looking into those reports where policies "failed", i.e. somebody tried to access the files while not having the permission. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access...

@sdedic 

You can also look in the SigninLogs; there are a few similar use cases on GitHub: Azure-Sentinel/SuccessThenFail_SameUserDiffApp.yaml at 8f1a743d443059178fa30f3e779ea71940c5757f · Az...

Or a simple example you can look at?

// failures
SigninLogs
| where ResultType !="0"
| where AppDisplayName in ("Office 365 SharePoint Online")
| project FailedLogonTime = TimeGenerated, UserId = UserPrincipalName, IPAddress, FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription
| join
(
    OfficeActivity
    | where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
    | summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
    | sort by AccessedFilesCount desc nulls last
) on UserId

If nothing else, you'd see other errors inc. Conditional Access ones (as mentioned in the other reply)

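The join above, reshaped into something closer to what a Sentinel analytics rule would run, as an added example that is not from either reply: it scopes the file activity to one site and keeps users with failed SharePoint Online sign-ins even when they accessed nothing. The site path "/sites/Finance", the 1d lookback and the failure threshold of 3 are placeholders to adjust.

```kql
// Added example (not from the original thread): failed SharePoint Online sign-ins,
// including Conditional Access failures, correlated with file activity on one site.
let lookback = 1d;                          // placeholder: rule lookback window
let targetSite = "/sites/Finance";          // placeholder: the site being watched
let failedSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"               // anything other than success
    | where AppDisplayName == "Office 365 SharePoint Online"
    | summarize FailedCount = count(),
                LastFailure = max(TimeGenerated),
                FailedIPs = make_set(IPAddress, 10),
                Reasons = make_set(ResultDescription, 5),
                CAStatus = make_set(ConditionalAccessStatus, 5)
      by UserId = UserPrincipalName;
let siteActivity =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload in ("OneDrive", "SharePoint")
    | where Operation in ("FileDownloaded", "FileAccessed")
    | where Site_Url has targetSite         // only the site of interest
    | summarize AccessedFilesCount = dcount(OfficeObjectId),
                SampleFiles = make_set(SourceFileName, 5)
      by UserId;
failedSignins
| join kind=leftouter siteActivity on UserId   // keep users with no file activity
| extend AccessedFilesCount = coalesce(AccessedFilesCount, 0)
| where FailedCount >= 3                    // placeholder alert threshold
| project LastFailure, UserId, FailedCount, CAStatus, Reasons, FailedIPs,
          AccessedFilesCount, SampleFiles
| sort by FailedCount desc
```

Entity mapping for the rule would use UserId (account) and FailedIPs (IP) from the projected columns.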


Thank you for your help and advice.


@ClaudiaBothe, I forgot to mention that, but we don't have any conditional policy that regulates access permissions. However, that could potentially be an alternative if we don't figure out how to accomplish the initial idea.


Thank you

@sdedic actually I don't think you will get your required result without using conditional access policies as a foundation. Have a look here at how to develop those policies with Defender for Cloud Apps: https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad