
Summary
This threat detection rule identifies the creation of a secure link in SharePoint Online or OneDrive for Business. Secure links are the normal mechanism for sharing files and folders with specific people, so a single event is not a vulnerability and is rarely malicious on its own; it is worth monitoring because a compromised account or a malicious insider can use such links to expose sensitive content to outside parties or to stage data for exfiltration. The detection logic queries O365 audit logs for secure-link creation events and aggregates fields such as the acting user, the shared object, the site, and the client IP, so that unusual volumes, sources, or targets stand out from the user's baseline sharing activity. Expect benign hits; tune on per-user baselines and, where the log provides it, on whether the recipient is internal or external to the tenant.
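The following is an added example (not the rule's own query or code) of the detection logic described above, run over constructed O365 audit records. It assumes the Office 365 Management Activity API schema as the author of this example understands it: the SharePoint sharing operation named SecureLinkCreated, and the fields CreationTime, Operation, Workload, UserId, ClientIP, SiteUrl and ObjectId. The sample records, the user names, hosts and IPs, and the bulk-sharing thresholds (five distinct files within ten minutes) are all made up for illustration.

```python
"""Aggregate SecureLinkCreated events from O365 audit logs and flag bulk sharers.

Added example; not the detection rule's own code. Field names follow the
Office 365 Management Activity API schema as assumed here; all data is constructed.
"""
import json
from datetime import datetime, timedelta


def _rec(ts, op, workload, user, ip, site, fname):
    """Build one constructed audit record (ObjectId is site + file name here)."""
    return {"CreationTime": ts, "Operation": op, "Workload": workload, "UserId": user,
            "ClientIP": ip, "SiteUrl": site, "SourceFileName": fname, "ObjectId": site + fname}


FIN = "https://contoso.example/sites/finance/"
OD = "https://contoso-my.example/personal/bob_contoso_example/"

# Constructed newline-delimited JSON audit log (not real data): one routine share by
# alice, an unrelated file access, a different sharing operation, and a burst of six
# secure links by bob from two client IPs within three minutes.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2024-10-11T09:12:31", "SecureLinkCreated", "SharePoint", "alice@contoso.example", "203.0.113.10", FIN, "q3-forecast.xlsx"),
    _rec("2024-10-11T09:13:00", "FileAccessed", "SharePoint", "carol@contoso.example", "203.0.113.11", FIN, "q3-forecast.xlsx"),
    _rec("2024-10-11T10:00:00", "AnonymousLinkCreated", "SharePoint", "dave@contoso.example", "203.0.113.12", FIN, "org-chart.pdf"),
    _rec("2024-10-11T13:01:05", "SecureLinkCreated", "OneDrive", "bob@contoso.example", "198.51.100.7", OD, "customers-2024.csv"),
    _rec("2024-10-11T13:01:40", "SecureLinkCreated", "OneDrive", "bob@contoso.example", "198.51.100.7", OD, "payroll-sept.xlsx"),
    _rec("2024-10-11T13:02:15", "SecureLinkCreated", "OneDrive", "bob@contoso.example", "198.51.100.7", OD, "contracts.zip"),
    _rec("2024-10-11T13:02:50", "SecureLinkCreated", "OneDrive", "bob@contoso.example", "192.0.2.44", OD, "board-deck.pptx"),
    _rec("2024-10-11T13:03:30", "SecureLinkCreated", "OneDrive", "bob@contoso.example", "192.0.2.44", OD, "vpn-config.txt"),
    _rec("2024-10-11T13:04:02", "SecureLinkCreated", "OneDrive", "bob@contoso.example", "192.0.2.44", OD, "source-backup.tar"),
])


def parse_audit_log(text):
    """Parse NDJSON audit records, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole batch
    return records


def is_secure_link_created(rec):
    """The rule's core predicate: a secure link created in SharePoint or OneDrive."""
    return rec.get("Operation") == "SecureLinkCreated" and rec.get("Workload") in ("SharePoint", "OneDrive")


def aggregate_by_user(records):
    """Group matching events per user: event count, distinct files, IPs, sites, time span."""
    agg = {}
    for rec in filter(is_secure_link_created, records):
        user = rec.get("UserId", "<unknown>").lower()
        e = agg.setdefault(user, {"count": 0, "files": set(), "ips": set(), "sites": set(),
                                  "first": None, "last": None})
        e["count"] += 1
        e["files"].add(rec.get("ObjectId"))
        e["ips"].add(rec.get("ClientIP"))
        e["sites"].add(rec.get("SiteUrl"))
        ts = datetime.fromisoformat(rec["CreationTime"])
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
    return agg


def find_bulk_sharers(agg, min_files=5, window=timedelta(minutes=10)):
    """Flag users who linked at least min_files distinct files within one window (thresholds assumed)."""
    return sorted(u for u, e in agg.items()
                  if len(e["files"]) >= min_files and (e["last"] - e["first"]) <= window)


if __name__ == "__main__":
    summary = aggregate_by_user(parse_audit_log(SAMPLE_AUDIT_LOG))
    for user, e in summary.items():
        print(f"{user}: {e['count']} links, {len(e['files'])} files, ips={sorted(e['ips'])}")
    print("bulk sharers:", find_bulk_sharers(summary))
```

The per-user aggregate is what makes the event stream actionable: alice's single link is routine, while bob's six distinct files in three minutes from two client IPs is the pattern a triage analyst would escalate. In production, tune `min_files` and `window` against the tenant's baseline, and add the recipient field to the aggregation when the log exposes it, since links to external recipients matter far more than links to colleagues.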
Categories
- Cloud
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
- T1530 (Data from Cloud Storage)
Created: 2024-10-11