M365 SharePoint Site Sharing Policy Weakened

Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.

Elastic rule

[metadata]
creation_date = "2026/02/27"
integration = ["o365"]
maturity = "production"
updated_date = "2026/02/27"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The
SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk
transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link
sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may
weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.
"""
false_positives = [
    "Administrators legitimately enabling external sharing for a new collaboration site or project.",
    "Organizational policy changes that intentionally broaden sharing capabilities across sites.",
    "Migration or onboarding projects that temporarily require external sharing to be enabled.",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 SharePoint Site Sharing Policy Weakened"
note = """## Triage and Analysis

### Investigating M365 SharePoint Site Sharing Policy Weakened

This rule detects when SharePoint or OneDrive sharing policies are modified to weaken security controls. The `SharingPolicyChanged` event captures modifications to site-level sharing settings stored in `ModifiedProperties`, where the setting name is a dynamic field key and `OldValue`/`NewValue` track the transition. This rule targets specific transitions that represent a security posture degradation. Note that Microsoft uses inconsistent keyword value formats across settings: some use `True`/`False` while others use `Enabled`/`Disabled`, so the query matches both spellings for every setting.

#### Possible Investigation Steps

- Identify the user who performed the change via `user.id` and determine if they have a legitimate administrative role.
- Check if the acting user is a service principal (e.g., `ServiceOperator`, `app@sharepoint`) or a human account. Service principal changes may indicate automated processes or compromised application credentials.
- Review which specific setting was changed by examining the `o365.audit.ModifiedProperties.*` fields:
    - ShareWithGuests: Guest/external sharing was enabled on the site. External users can now be invited to access content.
    - ShareUsingAnonymousLinks: Anonymous "Anyone" link sharing was enabled. Content can now be shared via unauthenticated links.
    - IsPublic: The site or group was changed from private to public visibility.
    - AllowGuestUser: Guest user access was enabled for the site.
    - AllowFederatedUsers: Federated (external organization) user access was enabled.
    - AllowTeamsConsumer: Teams personal account (consumer) user access was enabled.
- Identify the affected site via `o365.audit.ObjectId` (the site URL) and assess the sensitivity of its content.
- Review Azure AD / Entra ID sign-in logs for the acting account to check for authentication anomalies (unusual location, device code flow, new device).
- Look for subsequent sharing activity on the same site — `SharingSet`, `AnonymousLinkCreated`, `SharingInvitationCreated`, or file download events shortly after the policy change.
- Determine if the change was part of a planned change request or occurred outside of normal change windows.

### False Positive Analysis

- IT administrators enabling external sharing for legitimate collaboration needs. Correlate with change management tickets or Slack/Teams messages.
- Automated provisioning scripts that configure sharing settings during site creation. These typically use service principal accounts with predictable patterns.
- Microsoft service operations (`ServiceOperator`) may modify settings as part of tenant-level policy propagation.

### Response and Remediation

- If the change is unauthorized, immediately revert the sharing policy to its previous restrictive state.
- Revoke sessions and reset credentials for the compromised account.
- Review what content was accessed or shared after the policy change using `FileAccessed`, `FileDownloaded`, and sharing audit events.
- Audit all sites for similar unauthorized sharing policy changes.
- Implement Conditional Access policies to restrict administrative actions to trusted networks and compliant devices.
- Enable Privileged Identity Management (PIM) for SharePoint administrator roles to enforce just-in-time access.
"""
references = [
    "https://learn.microsoft.com/en-us/purview/audit-log-activities#site-administration-activities",
    "https://learn.microsoft.com/en-us/purview/audit-log-sharing",
    "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off",
]
risk_score = 47
rule_id = "632906c6-ba8f-44c0-8386-ec0bbc8518bf"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and
    event.action: "SharingPolicyChanged" and event.outcome: "success" and
    (
        (o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or "Enabled") and
            o365.audit.ModifiedProperties.ShareWithGuests.OldValue: (false or "Disabled"))
        or
        (o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue: (true or "Enabled") and
            o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue: (false or "Disabled"))
        or
        (o365.audit.ModifiedProperties.IsPublic.NewValue: (true or "Enabled") and
            o365.audit.ModifiedProperties.IsPublic.OldValue: (false or "Disabled"))
        or
        (o365.audit.ModifiedProperties.AllowGuestUser.NewValue: (true or "Enabled") and
            o365.audit.ModifiedProperties.AllowGuestUser.OldValue: (false or "Disabled"))
        or
        (o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue: (true or "Enabled") and
            o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue: (false or "Disabled"))
        or
        (o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue: (true or "Enabled") and
            o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue: (false or "Disabled"))
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
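The off-to-on transition logic of the query above, re-implemented as an added Python example (not Elastic's code) over constructed SharingPolicyChanged records, so the True/False versus Enabled/Disabled inconsistency the guide mentions can be exercised directly. It assumes the unflattened audit record carries ModifiedProperties as a list of {Name, OldValue, NewValue} objects and a ResultStatus string; those field shapes and the status spellings are assumptions.

```python
# Added example, not Elastic's code: mirrors the rule's off->on transition check
# in Python. Assumed record shape: ModifiedProperties is a list of
# {Name, OldValue, NewValue}; ResultStatus is a string (spellings assumed).
WEAKENING_SETTINGS = {
    "ShareWithGuests", "ShareUsingAnonymousLinks", "IsPublic",
    "AllowGuestUser", "AllowFederatedUsers", "AllowTeamsConsumer",
}


def normalize(value):
    """Map True/False and Enabled/Disabled (any case, str or bool) to 'on'/'off'/None."""
    text = str(value).strip().lower()
    if text in ("true", "enabled"):
        return "on"
    if text in ("false", "disabled"):
        return "off"
    return None


def weakened_settings(event):
    """Names of sharing settings this event flipped from off to on (empty if none)."""
    if event.get("Workload") not in ("SharePoint", "OneDrive"):
        return []
    if event.get("Operation") != "SharingPolicyChanged":
        return []
    # The rule requires event.outcome: success; these status spellings are assumed.
    if str(event.get("ResultStatus", "")).lower() not in ("success", "succeeded"):
        return []
    return [p["Name"] for p in event.get("ModifiedProperties", [])
            if p.get("Name") in WEAKENING_SETTINGS
            and normalize(p.get("OldValue")) == "off"
            and normalize(p.get("NewValue")) == "on"]


def alerts(events):
    """Run the detection over a batch; one (site, actor, settings) tuple per hit."""
    return [(e.get("ObjectId"), e.get("UserId"), weakened_settings(e))
            for e in events if weakened_settings(e)]


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    {"Workload": "SharePoint", "Operation": "SharingPolicyChanged", "ResultStatus": "Succeeded",
     "UserId": "admin@example.onmicrosoft.com", "ObjectId": "https://example.sharepoint.com/sites/finance",
     "ModifiedProperties": [{"Name": "ShareUsingAnonymousLinks", "OldValue": "Disabled", "NewValue": "Enabled"},
                            {"Name": "AllowGuestUser", "OldValue": "False", "NewValue": "True"}]},
    {"Workload": "SharePoint", "Operation": "SharingPolicyChanged", "ResultStatus": "Succeeded",
     "ModifiedProperties": [{"Name": "IsPublic", "OldValue": "True", "NewValue": "False"}]},  # tightened: no alert
    {"Workload": "Exchange", "Operation": "SharingPolicyChanged", "ResultStatus": "Succeeded",
     "ModifiedProperties": [{"Name": "ShareWithGuests", "OldValue": "False", "NewValue": "True"}]},  # out of scope
]
```

Only the first record alerts, with both of its relaxed settings reported; the tightening change and the non-SharePoint workload are filtered out exactly as the KQL preconditions do.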
