SharePointFileOperation via devices with previously unseen user agents

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Tracking via user agent is one way to differentiate between types of connecting device. In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.

Attribute	Value
Type	Hunting Query
Solution	Microsoft 365
ID	f2367171-1514-4c67-88ef-27434b6a1093
Tactics	Exfiltration
Techniques	T1030
Required Connectors	AzureActiveDirectory, Office365
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
OfficeActivity	Operation in "FileDownloaded,FileUploaded" RecordType == "SharePointFileOperation"	✓	✗	✓
SigninLogs		✓	✗	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries · Back to Microsoft 365