Managed Sentinel – Alert 077
Alert ID | MS-A077 |
Alert Name | Office 365 Anonymous SharePoint Link Created |
Description | This alert detects when an anonymous link is created in SharePoint. An anonymous link allows access to the shared document without any credentials. |
Severity Level | Informational |
Threat Indicator | Elevation of Privilege |
MITRE ATT&CK Tactics | Initial Access, Exfiltration |
Log sources | Office 365 |
False Positive | |
Recommendations | 1. Investigate the SharePoint resource (file/folder) shared with the external party. Understand the sensitivity of the data shared outside of the organization. 2. Investigate the SharePoint link owner/originator in terms of their O365 account. 3. If applicable, engage the Human Resources department to perform an investigation regarding confidential data leaked outside of the organization. 4. Remove the anonymous SharePoint link. 5. Collect evidence (logs) to support the HR investigation. 6. Perform a full EDR scan on the machine used by the account that created the SharePoint link (potential malware running on the machine). |
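
To support recommendations 1, 2 and 4, the following added example (not part of the Managed Sentinel alert or its query) replays audit events to show which anonymous links are still active, who created them, and from which IP addresses they were used. The sample records are constructed, and the field names are an assumption about the audit export in use.

```python
# Constructed sample records shaped like Office 365 audit log entries.
# Assumption: the export carries Operation, UserId, ObjectId, ClientIP and
# CreationTime fields; rename them to match the actual log source.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-01-10T09:00:00", "Operation": "AnonymousLinkCreated",
     "UserId": "alice@tenant.example", "ClientIP": "192.0.2.10",
     "ObjectId": "https://tenant.example/sites/finance/budget.xlsx"},
    {"CreationTime": "2024-01-10T09:30:00", "Operation": "AnonymousLinkUsed",
     "UserId": "anonymous", "ClientIP": "203.0.113.7",
     "ObjectId": "https://tenant.example/sites/finance/budget.xlsx"},
    {"CreationTime": "2024-01-10T10:00:00", "Operation": "AnonymousLinkCreated",
     "UserId": "bob@tenant.example", "ClientIP": "192.0.2.11",
     "ObjectId": "https://tenant.example/sites/hr/roster.docx"},
    {"CreationTime": "2024-01-10T10:15:00", "Operation": "AnonymousLinkRemoved",
     "UserId": "bob@tenant.example", "ClientIP": "192.0.2.11",
     "ObjectId": "https://tenant.example/sites/hr/roster.docx"},
    {"CreationTime": "2024-01-10T11:00:00", "Operation": "AnonymousLinkUsed",
     "UserId": "anonymous", "ClientIP": "198.51.100.4",
     "ObjectId": "https://tenant.example/sites/finance/budget.xlsx"},
]

def triage_anonymous_links(events):
    """Replay events in time order; return {ObjectId: link state}."""
    links = {}
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        op, obj = ev["Operation"], ev["ObjectId"]
        if op == "AnonymousLinkCreated":
            # A new (or re-created) link starts a fresh record for the object.
            links[obj] = {"object": obj, "creator": ev["UserId"],
                          "created": ev["CreationTime"], "active": True,
                          "used_from": set()}
        elif obj in links and links[obj]["active"]:
            if op == "AnonymousLinkUsed":
                links[obj]["used_from"].add(ev["ClientIP"])
            elif op == "AnonymousLinkRemoved":
                links[obj]["active"] = False
    return links

def open_links(events):
    """Links still active, most-used first: candidates for removal."""
    live = [l for l in triage_anonymous_links(events).values() if l["active"]]
    return sorted(live, key=lambda l: len(l["used_from"]), reverse=True)

if __name__ == "__main__":
    for link in open_links(SAMPLE_EVENTS):
        print(link["creator"], link["object"], sorted(link["used_from"]))
```
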