Techniques
Sample rules
M365 SharePoint Site Sharing Policy Weakened
- source: elastic
- technicques:
- T1562
Description
Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.
Detection logic
event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and
event.action: "SharingPolicyChanged" and event.outcome: "success" and
(
(o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.ShareWithGuests.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.IsPublic.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.IsPublic.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.AllowGuestUser.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.AllowGuestUser.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue: (false or "Disabled"))
)