Managed Sentinel – Alert 011
|Alert Name||Office 365 Anonymous SharePoint Link used|
|Description||This alert detects when an anonymous link created in SharePoint has been used. The anonymous link allows access to the shared document without any credentials.|
|Threat Indicator||Elevation of Privilege|
|MITRE ATT&CK Tactics||Initial Access|
|Log sources||Office 365|
|Recommendations||1. Investigate the SharePoint resource (file/folder) shared with the external party. Understand the sensitivity of the data shared outside of the organization.|
2. Investigate the O365 account of the SharePoint link owner/originator.
3. If applicable, engage the Human Resources department to investigate the confidential data leaked outside of the organization.
4. Remove the anonymous SharePoint link.
5. Collect evidence (logs) to support the HR investigation.
6. Perform a full EDR scan of the machine used by the account that created the SharePoint link (potential malware running on the machine).
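
The detection and the first triage steps above, as an added example (not Managed Sentinel's rule): it groups `AnonymousLinkUsed` audit events by resource and attaches the account that created the link. It assumes newline-delimited JSON records with unified audit log field names and that link creation and use share the same `ObjectId`; the records and the function names are constructed for illustration.

```python
import json

# Constructed sample records (not real data), using field names from the
# Office 365 unified audit log: CreationTime, Operation, UserId, ObjectId, ClientIP.
SAMPLE_LOG = """\
{"CreationTime":"2024-03-01T09:12:00","Operation":"AnonymousLinkCreated","UserId":"alice@contoso.example","ObjectId":"https://contoso.example/sites/hr/salaries.xlsx","ClientIP":"10.0.0.5"}
{"CreationTime":"2024-03-01T10:02:00","Operation":"FileAccessed","UserId":"bob@contoso.example","ObjectId":"https://contoso.example/sites/hr/salaries.xlsx","ClientIP":"10.0.0.9"}
{"CreationTime":"2024-03-01T11:40:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ObjectId":"https://contoso.example/sites/hr/salaries.xlsx","ClientIP":"203.0.113.7"}
{"CreationTime":"2024-03-01T13:05:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ObjectId":"https://contoso.example/sites/hr/salaries.xlsx","ClientIP":"198.51.100.9"}
{"CreationTime":"2024-03-01T14:30:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ObjectId":"https://contoso.example/sites/eng/roadmap.pptx","ClientIP":"203.0.113.7"}
"""

def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage_anonymous_link_use(records):
    """Group AnonymousLinkUsed events by resource and attach the link creator.

    Returns one summary dict per resource, ordered by first use.
    """
    # ISO 8601 timestamps sort correctly as strings.
    records = sorted(records, key=lambda r: r["CreationTime"])
    owners = {}    # resource -> account that most recently created a link
    findings = {}  # resource -> summary of anonymous use
    for rec in records:
        resource = rec.get("ObjectId", "")
        op = rec.get("Operation")
        if op == "AnonymousLinkCreated":
            owners[resource] = rec.get("UserId")
        elif op == "AnonymousLinkUsed":
            f = findings.setdefault(resource, {
                "resource": resource, "link_owner": None, "uses": 0,
                "source_ips": set(), "first_use": rec["CreationTime"],
                "last_use": rec["CreationTime"], "evidence": []})
            # None means the link was created outside this log window.
            f["link_owner"] = owners.get(resource)
            f["uses"] += 1
            f["source_ips"].add(rec.get("ClientIP"))
            f["last_use"] = rec["CreationTime"]
            f["evidence"].append(rec)  # raw records kept for the investigation
    return list(findings.values())

if __name__ == "__main__":
    for f in triage_anonymous_link_use(parse_records(SAMPLE_LOG)):
        print(f["resource"], f["link_owner"], f["uses"], sorted(f["source_ips"]))
```

A finding whose `link_owner` is `None` needs a longer log window to locate the originating account before step 2 can proceed.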