Managed Sentinel – Alert 077

Alert ID: MS-A077
Alert Name: Office 365 Anonymous SharePoint Link Created
Description: This alert detects when an anonymous link is created in SharePoint. An anonymous link allows access to the shared document without any credentials.
Severity Level: Informational
Threat Indicator: Elevation of Privilege
MITRE ATT&CK Tactics: Initial Access, Exfiltration
Log sources: Office 365
False Positive:
Recommendations:
1. Investigate the SharePoint resource (file/folder) shared with the external party. Understand the sensitivity of the data shared outside the organization.
2. Investigate the SharePoint link owner/originator in terms of their O365 account.
3. If applicable, engage the Human Resources department to investigate confidential data leaked outside the organization.
4. Remove the anonymous SharePoint link.
5. Collect evidence (logs) to support the HR investigation.
6. Perform a full EDR check of the machine used by the user account that created the SharePoint link (potential malware running on the machine).
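
One way to gather the evidence for recommendations 1, 2, 4 and 5, as an added example that is not part of the original alert page or of Managed Sentinel's rule. It correlates link creation with later use and removal per shared object. The operation names (AnonymousLinkCreated, AnonymousLinkUsed, AnonymousLinkRemoved) and record fields are assumptions taken from the Office 365 audit log, and the sample records are constructed.

```python
# Added example: triage of anonymous-link events from Office 365 audit records.
# Field and operation names are assumptions based on the Office 365 audit log;
# they are not given on the alert page.

# Constructed sample records (not real data), deliberately out of order.
HR_FILE = "https://sharepoint.example/sites/hr/salaries.xlsx"
PM_FILE = "https://sharepoint.example/sites/pm/roadmap.pptx"
SAMPLE_AUDIT = [
    {"CreationTime": "2024-05-01T09:40:00", "Operation": "AnonymousLinkUsed",
     "UserId": "anonymous", "ClientIP": "198.51.100.7", "ObjectId": HR_FILE},
    {"CreationTime": "2024-05-01T09:12:00", "Operation": "AnonymousLinkCreated",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ObjectId": HR_FILE},
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "AnonymousLinkCreated",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.22", "ObjectId": PM_FILE},
    {"CreationTime": "2024-05-01T10:05:00", "Operation": "AnonymousLinkRemoved",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.22", "ObjectId": PM_FILE},
    {"CreationTime": "2024-05-01T10:30:00", "Operation": "FileAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ObjectId": HR_FILE},
]


def triage_anonymous_links(records):
    """Return one finding per anonymously shared object, in creation order."""
    links = {}
    # ISO 8601 timestamps in one format sort correctly as strings.
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        op, obj = rec.get("Operation"), rec.get("ObjectId")
        if op == "AnonymousLinkCreated":
            entry = links.setdefault(obj, {
                "object": obj, "creator": rec.get("UserId"),
                "created": rec["CreationTime"],
                "creator_ip": rec.get("ClientIP"), "used_from": []})
            entry["active"] = True          # created or re-created
        elif obj in links and op == "AnonymousLinkUsed":
            links[obj]["used_from"].append(rec.get("ClientIP"))
        elif obj in links and op == "AnonymousLinkRemoved":
            links[obj]["active"] = False    # link already revoked
    return list(links.values())


def links_to_remove(findings):
    """Objects whose anonymous link has not been removed yet."""
    return [f["object"] for f in findings if f["active"]]


if __name__ == "__main__":
    for finding in triage_anonymous_links(SAMPLE_AUDIT):
        print(finding)
```

A finding with a non-empty used_from list means the document was opened through the anonymous link, which is the case to prioritise when assessing what left the organization.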