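# Microsoft Sentinel hunting query (YAML). The gist rendering had lost all
# indentation, which makes the document invalid YAML; structure restored below.
id: e3d24cfd-b2a1-4ba7-8f80-0360892f9d57
name: SharePointFileOperation via previously unseen IPs
description: |
  'Shows volume of documents uploaded to or downloaded from Sharepoint by IPs with ASNs associated with high user lockout or malicious activity.
  In stable environments such connections by new IPs may be unauthorized, especially if associated with
  spikes in volume which could be associated with large-scale document exfiltration.'
# Both tables the query reads must be ingested for it to return anything.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (SharePoint)
tactics:
  - Exfiltration
relevantTechniques:
  - T1030
query: |
  // {{StartTimeISO}} / {{EndTimeISO}} are substituted by Sentinel at run time.
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  // ASN reputation is computed over the 14 days preceding the hunt window,
  // not over the hunt window itself.
  let lookback = starttime - 14d;
  // Minimum share of an ASN's sign-ins that must carry ResultType 50053
  // (account locked / sign-in blocked) before the ASN is treated as
  // high-block-rate. 1.0 means every sign-in from the ASN was blocked;
  // lower the value to widen the net at the cost of more noise.
  let BLOCK_THRESHOLD = 1.0;
  // ASNs whose blocked-sign-in ratio in the lookback meets the threshold.
  // Only the ASN itself is needed downstream, so no per-ASN IP set is kept.
  let HighBlockRateASNs =
  SigninLogs
  | where TimeGenerated > lookback
  | where isnotempty(AutonomousSystemNumber)
  | summarize BlockedSignins = countif(ResultType == "50053"), TotalSignins = count() by AutonomousSystemNumber
  | extend BlockRatio = 1.00 * BlockedSignins / TotalSignins
  | where BlockRatio >= BLOCK_THRESHOLD
  | distinct AutonomousSystemNumber
  ;
  // Every source IP that signed in from one of those ASNs during the lookback.
  // Projected to a single column so the `in` operator below has exactly one
  // column to match against.
  let ASNIPs =
  SigninLogs
  | where TimeGenerated > lookback
  | where AutonomousSystemNumber in (HighBlockRateASNs)
  | distinct IPAddress
  ;
  // SharePoint file transfers in the hunt window originating from those IPs.
  // NOTE(review): match is an exact string compare on ClientIP; confirm that
  // OfficeActivity.ClientIP has no port suffix or bracket formatting for the
  // SharePoint record type in this tenant, otherwise rows are silently missed.
  OfficeActivity
  | where TimeGenerated between (starttime .. endtime)
  | where RecordType == "SharePointFileOperation"
  | where Operation in ("FileDownloaded", "FileUploaded")
  | where ClientIP in (ASNIPs)
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities = count() by ClientIP
  // timestamp / IPCustomEntity are the columns Sentinel reads for the entity mapping.
  | extend timestamp = StartTime, IPCustomEntity = ClientIP
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity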