This alert detects when an anonymous link created in SharePoint has been used. An anonymous link allows access to the shared document without any credentials.
Elevation of Privilege
MITRE ATT&CK Tactics
1. Investigate the SharePoint file or folder shared with the external party. Understand the sensitivity of the data shared outside the organization.
2. Investigate the SharePoint link owner/originator in terms of their O365 account.
3. If applicable, engage the Human Resources department to investigate the confidential data leaked outside the organization.
4. Remove the anonymous SharePoint link.
5. Collect evidence (logs) to support the HR investigation.
6. Perform a full EDR scan on the machine used by the user account that created the SharePoint link (potential malware running on the machine).
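
The following is an added example, not part of the original alert, showing one way to support steps 1, 2 and 5: it pairs each anonymous link use with the link's creation event to name the shared resource, the link owner and the client IPs seen. It assumes audit records exported from the Office 365 unified audit log with the `AnonymousLinkCreated` and `AnonymousLinkUsed` operations; the `rec` helper, the function name and all sample values are constructed for illustration.

```python
from collections import defaultdict

def rec(time, op, user, obj, ip):
    """Build one record with unified audit log field names (hypothetical helper)."""
    return {"CreationTime": time, "Operation": op, "UserId": user,
            "ObjectId": obj, "ClientIP": ip}

HR_FILE = "https://contoso.example/sites/hr/salaries.xlsx"   # constructed
ENG_FILE = "https://contoso.example/sites/eng/design.docx"   # constructed

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    rec("2024-03-01T09:12:00", "AnonymousLinkCreated", "alice@contoso.example", HR_FILE, "10.0.0.5"),
    rec("2024-03-01T09:40:00", "FileAccessed", "bob@contoso.example", HR_FILE, "10.0.0.9"),
    rec("2024-03-02T22:03:00", "AnonymousLinkUsed", "anonymous", HR_FILE, "203.0.113.7"),
    rec("2024-03-03T01:15:00", "AnonymousLinkUsed", "anonymous", HR_FILE, "198.51.100.20"),
    # The link for this file was created before the collected window started.
    rec("2024-03-03T08:00:00", "AnonymousLinkUsed", "anonymous", ENG_FILE, "203.0.113.7"),
]

def triage_anonymous_links(records):
    """Return one finding per resource that was reached through an anonymous link."""
    owners = {}               # ObjectId -> (creator, creation time); latest creation wins
    uses = defaultdict(list)  # ObjectId -> [(time, client IP), ...] in time order
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r["Operation"] == "AnonymousLinkCreated":
            owners[r["ObjectId"]] = (r["UserId"], r["CreationTime"])
        elif r["Operation"] == "AnonymousLinkUsed":
            uses[r["ObjectId"]].append((r["CreationTime"], r["ClientIP"]))
    findings = []
    for obj, hits in uses.items():
        owner, created = owners.get(obj, (None, None))
        findings.append({
            "resource": obj,           # step 1: what was shared
            "link_owner": owner,       # step 2: None means widen the log search window
            "link_created": created,
            "use_count": len(hits),    # step 5: evidence of access
            "client_ips": sorted({ip for _, ip in hits}),
            "first_use": hits[0][0],
            "last_use": hits[-1][0],
        })
    return findings

if __name__ == "__main__":
    for finding in triage_anonymous_links(SAMPLE_RECORDS):
        print(finding)
```

A finding with no `link_owner` means the creation event falls outside the exported records, so the audit search needs a longer time range before the originator can be identified.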