Send Alert When File in SharePoint is Being Accessed

New Contributor

Hi all,

 

Is there a way to get the list of files which users are accessing or trying to access if they don't have permission inside a specific SharePoint site? And in addition to that is there a way for Sentinel to send alerts only for those users that don't have permission to access files?

At the moment I am able to generate a list of users with number of accessed files on that specific SharePoint site:

// Users accessing files
// Users sorted by number of OneDrive and SharePoint files they accessed.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last

 

4 Replies
Hi sdedic, it's not clear to me if you're using conditional access policies already to regulate access permissions. If so, I'd start by looking into those reports where policies "failed", i.e. somebody tried to access the files while not having the permission. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access...

@sdedic 

You can also look in the SIgninLogs, there are a few similar use cases in the Github: Azure-Sentinel/SuccessThenFail_SameUserDiffApp.yaml at 8f1a743d443059178fa30f3e779ea71940c5757f · Az...

Or a simple example you can look at?

// failures
SigninLogs
| where ResultType !="0"
| where AppDisplayName in ("Office 365 SharePoint Online")
| project FailedLogonTime = TimeGenerated, UserId =UserPrincipalName, IPAddress , FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription
| join 
(
    OfficeActivity
    | where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
    | summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
    | sort by AccessedFilesCount desc nulls last
) on UserId

 If nothing else, you'd see other errors inc. Conditional Access ones (as mentioned in the other reply)

Clive_Watson_0-1668427095935.png

 

Thank you for your help and advice.

 

@ClaudiaBothe, I forgot to mention that, but we don't have any conditional policy that regulates access permissions. However, that could potentially be an alternative if we don't figure out how to accomplish the initial idea.

 

Thank you

@sdedic actually I don't think you will get your required result without using conditional access policies as foundation. Have a look here how to develop those policies with defender for cloud apps: https://learn.microsoft.com/en-us/defender-cloud-apps/access-policy-aad