Managed Sentinel – Alert 008

Alert ID: MS-A008
Alert Name: SharePoint site permission modifications
Description: This alert triggers when permission changes are made to SharePoint sites that the O365 administrators do not recognize as approved changes.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Execution, Privilege Escalation
Log sources: Office 365
False Positives: SharePoint applications
Recommendations:
1. Review the SharePoint changes in the Azure Sentinel console and identify the users and the activities completed on the affected SharePoint site.
2. If the change is not an internally approved change, investigate based on the user ID and source IP.
3. Check whether other changes were made to other internal systems in the same interval (lateral movement).
4. Collect evidence and logs for future investigation.
5. Roll back the changes to the SharePoint site.
6. Disable the in-scope user account.
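A KQL hunting query for recommendation step 1, added here as an illustration and not the Managed Sentinel rule's own logic. It assumes the Office 365 connector populates the standard OfficeActivity table, uses standard SharePoint audit operation names for permission changes, and stands in for "not recognized by the O365 admins" with a constructed allow-list of approved administrator accounts.

```kql
// Added example (not the rule's query). Approved admin list is a constructed placeholder:
// replace with the accounts or change-ticket process your tenant actually uses.
let approved_admins = dynamic(["spo-admin@example.com", "change-mgmt@example.com"]);
// Standard SharePoint/OneDrive audit operations that alter who can access a site.
let permission_ops = dynamic([
    "PermissionLevelAdded", "PermissionLevelModified",
    "SiteCollectionAdminAdded", "AddedToGroup",
    "SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated"]);
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in (permission_ops)
// Keep only changes made by accounts outside the approved admin list.
| where UserId !in~ (approved_admins)
// One row per actor and source IP, listing what they changed and where
// (feeds steps 2 and 3: user ID / source IP pivot and time-window correlation).
| summarize Operations = make_set(Operation),
            Sites = make_set(Site_Url),
            ChangeCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by UserId, ClientIP
| order by ChangeCount desc
```

Tune the operation list and the allow-list to reduce the "SharePoint applications" false positives the card mentions; service principals that legitimately manage permissions can be added to approved_admins or filtered on UserType.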