DET0500 Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users

| Item | Value |
| --- | --- |
| ID | DET0500 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1213.002 (SharePoint)

Analytics

Windows

AN1380

Privileged or rarely used accounts performing bulk access to SharePoint files or metadata over a short time window, indicating potential scripted collection of sensitive internal documents.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | m365:unified | FileAccessed, FileDownloaded, SearchQueried |
| Logon Session Creation (DC0067) | azure:signinlogs | UserLogin, ConditionalAccessPolicyEvaluated |
| Cloud Service Metadata (DC0070) | m365:sharepoint | Multiple file download operations on a site by a privileged account in a short time window |

Mutable Elements
| Field | Description |
| --- | --- |
| UserContext | Can be adjusted to focus on specific high-privilege or rarely used service accounts |
| TimeWindow | Defines the aggregation period for multiple download events (e.g., 10 minutes) |
| DownloadThreshold | Minimum number of documents accessed/downloaded to trigger an alert |
| SiteScope | Limit detection to sensitive SharePoint sites such as HR, Finance, Engineering |
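As an added illustration that is not part of the ATT&CK entry, the following implements AN1380 with the four mutable elements above as tunable constants, run over constructed m365:unified-style records; the account names, tenant URL, sample timestamps and threshold values are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Mutable elements from the detection strategy, filled with constructed values.
USER_CONTEXT = {"svc-backup@example.com", "it-admin@example.com"}   # privileged / rarely used accounts
TIME_WINDOW = timedelta(minutes=10)                                  # aggregation period
DOWNLOAD_THRESHOLD = 5                                               # events in one window needed to alert
SITE_SCOPE = ("/sites/HR", "/sites/Finance", "/sites/Engineering")  # sensitive site paths
COLLECTION_OPS = {"FileAccessed", "FileDownloaded", "SearchQueried"}  # m365:unified operations watched

def rec(minute, user, op, site):
    """Build one constructed m365:unified-style record (only the fields the analytic needs)."""
    return {"CreationTime": f"2025-10-21T09:{minute:02d}:00", "UserId": user,
            "Operation": op, "SiteUrl": f"https://contoso.sharepoint.com{site}"}

SAMPLE_RECORDS = (
    # service account pulling Finance documents: 6 downloads within 5 minutes
    [rec(m, "svc-backup@example.com", "FileDownloaded", "/sites/Finance") for m in range(0, 6)]
    # same account on a site outside SiteScope: not counted
    + [rec(3, "svc-backup@example.com", "FileDownloaded", "/sites/Marketing")]
    # admin touching HR files, but never more than 3 in any 10-minute window
    + [rec(m, "it-admin@example.com", "FileAccessed", "/sites/HR") for m in (10, 12, 14, 40, 42, 44)]
    # ordinary user with heavy activity: outside UserContext, so not this analytic's concern
    + [rec(m, "alice@example.com", "FileDownloaded", "/sites/Finance") for m in range(20, 30)]
)

def in_scope(r):
    """True when the record is a collection operation by a watched account on a sensitive site."""
    return (r["UserId"] in USER_CONTEXT and r["Operation"] in COLLECTION_OPS
            and urlparse(r["SiteUrl"]).path.startswith(SITE_SCOPE))

def peak_window_count(times):
    """Largest number of events that fall inside any single TIME_WINDOW (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > TIME_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(records):
    """Return {user: peak_count} for watched accounts reaching DOWNLOAD_THRESHOLD in one window."""
    per_user = defaultdict(list)
    for r in records:
        if in_scope(r):
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    alerts = {}
    for user, ts in per_user.items():
        n = peak_window_count(ts)
        if n >= DOWNLOAD_THRESHOLD:
            alerts[user] = n
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_RECORDS))  # {'svc-backup@example.com': 6}
```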