SharePoint Site Collection admin group addition

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-09-24
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Cloud Roles (T1098.003)

Severity

Informational

Description

A user made an addition to the site collection administrators group in SharePoint.

Attacker's Goals

Elevate permissions and establish persistence.

Investigative actions

  • Check the IP address from which the access originated.
  • Verify the activity with the performing user.
  • Follow further actions done by the account.

Variations

SharePoint site collection admin added to personal site

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Cloud Roles (T1098.003)

Severity

Informational

Description

A user was added as a site collection admin to a personal site, indicating that the user has accessed the SharePoint service for the first time.

Attacker's Goals

Elevate permissions and establish persistence.

Investigative actions

  • Check the IP address from which the access originated.
  • Verify the activity with the performing user.
  • Follow further actions done by the account.


Abnormal SharePoint Site Collection admin group addition

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Cloud Roles (T1098.003)

Severity

Low

Description

A user made an addition to the site collection administrators group in SharePoint. This user has not made any SharePoint site admin additions over the past 30 days.

Attacker's Goals

Elevate permissions and establish persistence.

Investigative actions

  • Check the IP address from which the access originated.
  • Verify the activity with the performing user.
  • Follow further actions done by the account.