Privileged or rarely used accounts performing bulk access to SharePoint files or metadata over a short time window, indicating potential scripted collection of sensitive internal documents.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | FileAccessed, FileDownloaded, SearchQueried |
| Logon Session Creation (DC0067) | azure:signinlogs | UserLogin, ConditionalAccessPolicyEvaluated |
| Cloud Service Metadata (DC0070) | m365:sharepoint | Multiple file download operations on a site by a privileged account in a short time window |

| Field | Description |
|---|---|
| UserContext | Can be adjusted to focus on specific high-privilege or rarely-used service accounts |
| TimeWindow | Defines the aggregation period for multiple download events (e.g., 10 minutes) |
| DownloadThreshold | Minimum number of distinct documents accessed or downloaded within the window to trigger an alert |
| SiteScope | Limit detection to sensitive SharePoint sites such as HR, Finance, or Engineering |
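The aggregation described by these fields, as an added example written for this page rather than an analytic shipped with any product: it applies UserContext, SiteScope and the FileAccessed/FileDownloaded operations as filters, then slides a TimeWindow over each account's events and alerts once the count of distinct documents reaches DownloadThreshold. The account names, site names and the flat `timestamp,user,operation,site,object` record layout are constructed stand-ins for m365:unified audit records, not real field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable parameters mirroring the fields above (constructed values)
USER_CONTEXT = {"svc-backup@corp.example", "admin-it@corp.example"}  # privileged / rarely used
TIME_WINDOW = timedelta(minutes=10)
DOWNLOAD_THRESHOLD = 5          # distinct documents inside one window
SITE_SCOPE = {"HR", "Finance", "Engineering"}
COLLECTION_OPS = {"FileAccessed", "FileDownloaded"}   # SearchQueried is context, not collection

# Constructed sample records: timestamp,user,operation,site,object
SAMPLE_LOG = [
    "2024-05-01T09:00:10,svc-backup@corp.example,FileDownloaded,Finance,Q1-payroll.xlsx",
    "2024-05-01T09:00:42,svc-backup@corp.example,FileDownloaded,Finance,Q2-forecast.xlsx",
    "2024-05-01T09:01:05,svc-backup@corp.example,FileAccessed,Finance,board-deck.pptx",
    "2024-05-01T09:01:50,svc-backup@corp.example,FileDownloaded,Finance,vendor-contracts.pdf",
    "2024-05-01T09:02:30,svc-backup@corp.example,FileDownloaded,Finance,audit-2023.docx",
    "2024-05-01T09:03:15,svc-backup@corp.example,SearchQueried,Finance,",      # not a collection op
    "2024-05-01T09:03:40,svc-backup@corp.example,FileDownloaded,Marketing,logo.png",  # out-of-scope site
    "2024-05-01T09:04:00,admin-it@corp.example,FileDownloaded,HR,handbook.pdf",
    "2024-05-01T09:30:00,admin-it@corp.example,FileDownloaded,HR,org-chart.pdf",   # 26 min apart: no burst
    "2024-05-01T10:15:00,alice@corp.example,FileDownloaded,Engineering,design.docx",  # not in UserContext
]

def parse_event(line):
    ts, user, op, site, obj = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op, "site": site, "obj": obj}

def detect_bulk_access(lines, user_context=USER_CONTEXT, time_window=TIME_WINDOW,
                       threshold=DOWNLOAD_THRESHOLD, site_scope=SITE_SCOPE):
    """Return (user, window_start, distinct_docs) for each scoped account that touched
    at least `threshold` distinct documents on an in-scope site within one sliding window."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["op"] in COLLECTION_OPS and ev["user"] in user_context and ev["site"] in site_scope:
            per_user[ev["user"]].append((ev["ts"], ev["obj"]))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > time_window:   # slide the window start forward
                start += 1
            docs = {obj for _, obj in hits[start:end + 1]}      # distinct documents in the window
            if len(docs) >= threshold:
                alerts.append((user, hits[start][0], len(docs)))
                break  # one alert per account per evaluation run
    return alerts
```

Running `detect_bulk_access(SAMPLE_LOG)` yields a single alert for svc-backup (5 distinct Finance documents in under three minutes), while admin-it stays under the threshold and alice is never evaluated.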