Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when a user shares a Microsoft 365 Sharepoint document with a guest.

Strategy

This rule monitors the Microsoft 365 logs for the event name SharingInvitationCreated when the TargetUserOrGroupType is Guest.

Triage and response

Determine whether this document should be shared with the external user.