Managed Sentinel – Alert 008
| Field | Value |
| --- | --- |
| Alert ID | MS-A008 |
| Alert Name | SharePoint site permission modifications |
| Description | Triggers when suspicious modifications are made to SharePoint site permissions that are not recognized (pre-approved) by the O365 admins. |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Execution, Privilege Escalation |
| Log sources | Office 365 |
| False Positives | SharePoint applications |

Recommendations:

1. Review the SharePoint changes in the Azure Sentinel console and identify the users and the activities performed against the affected SharePoint site.
2. If the change is not an internally approved change, investigate based on the user ID and source IP.
3. Determine whether other changes were made in the same interval to other internal systems (lateral movement).
4. Collect evidence and logs for future investigation.
5. Roll back the changes to the SharePoint site.
6. Disable the in-scope user account.
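The detection logic this alert describes, written as an added Azure Sentinel KQL query (not the Managed Sentinel rule itself): it selects SharePoint permission-change operations from the Office 365 connector's OfficeActivity table, drops actors on an approved list (the constructed `approved_actors` values and the list of operation names are assumptions to confirm against your tenant's audit data), and groups the remaining changes by user and source IP so steps 1 and 2 of the recommendations have the entities they need.

```kql
// Added example, not the Managed Sentinel rule. Assumes the Office 365
// data connector populates OfficeActivity. Operation names are assumed from
// the SharePoint audit schema; verify them against your own tenant.
let lookback = 1h;
let permission_ops = dynamic([
    "PermissionLevelAdded", "PermissionLevelModified", "PermissionLevelRemoved",
    "SiteCollectionAdminAdded", "SharingSet", "SharingInvitationCreated",
    "AddedToGroup", "SecureLinkCreated", "AnonymousLinkCreated"]);
// Actors whose changes are pre-approved (constructed placeholder values).
// "app@sharepoint" covers SharePoint application activity, the listed false positive.
let approved_actors = dynamic(["sp-admin@contoso.example", "app@sharepoint"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "SharePoint"
| where Operation in~ (permission_ops)
| where UserId !in~ (approved_actors)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            Operations = make_set(Operation), Sites = make_set(Site_Url),
            ChangeCount = count()
    by UserId, ClientIP
| order by ChangeCount desc
```

Map UserId to the Account entity and ClientIP to the IP entity when turning this into a scheduled rule, so step 3 (checking other systems in the same interval) can pivot on the same entities.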