M365 SharePoint Site Sharing Policy Weakened
Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.
Rule type: query
Rule indices:
- filebeat-*
- logs-o365.audit-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
- Austin Songer
Rule license: Elastic License v2
Investigation guide
Triage and Analysis
Investigating M365 SharePoint Site Sharing Policy Weakened
This rule detects when SharePoint or OneDrive sharing policies are modified to weaken security controls. The SharingPolicyChanged event captures modifications to site-level sharing settings stored in ModifiedProperties, where the setting name is a dynamic field key and OldValue/NewValue track the transition. This rule targets specific transitions that represent a security posture degradation. Note that Microsoft uses inconsistent keyword value formats across settings: some use True/False while others use Enabled/Disabled.
Possible Investigation Steps
- Identify the user who performed the change via user.id and determine if they have a legitimate administrative role.
- Check if the acting user is a service principal (e.g., ServiceOperator, app@sharepoint) or a human account. Service principal changes may indicate automated processes or compromised application credentials.
- Review which specific setting was changed by examining the o365.audit.ModifiedProperties.* fields:
  - ShareWithGuests: Guest/external sharing was enabled on the site. External users can now be invited to access content.
  - ShareUsingAnonymousLinks: Anonymous "Anyone" link sharing was enabled. Content can now be shared via unauthenticated links.
  - IsPublic: The site or group was changed from private to public visibility.
  - AllowGuestUser: Guest user access was enabled for the site.
  - AllowFederatedUsers: Federated (external organization) user access was enabled.
  - AllowTeamsConsumer: Teams personal account (consumer) user access was enabled.
- Identify the affected site via o365.audit.ObjectId (the site URL) and assess the sensitivity of its content.
- Review Azure AD / Entra ID sign-in logs for the acting account to check for authentication anomalies (unusual location, device code flow, new device).
- Look for subsequent sharing activity on the same site: SharingSet, AnonymousLinkCreated, SharingInvitationCreated, or file download events shortly after the policy change.
- Determine if the change was part of a planned change request or occurred outside of normal change windows.
False Positive Analysis
- IT administrators enabling external sharing for legitimate collaboration needs. Correlate with change management tickets or Slack/Teams messages.
- Automated provisioning scripts that configure sharing settings during site creation. These typically use service principal accounts with predictable patterns.
- Microsoft service operations (ServiceOperator) may modify settings as part of tenant-level policy propagation.
Response and Remediation
- If the change is unauthorized, immediately revert the sharing policy to its previous restrictive state.
- Revoke sessions and reset credentials for the compromised account.
- Review what content was accessed or shared after the policy change using FileAccessed, FileDownloaded, and sharing audit events.
- Audit all sites for similar unauthorized sharing policy changes.
- Implement Conditional Access policies to restrict administrative actions to trusted networks and compliant devices.
- Enable Privileged Identity Management (PIM) for SharePoint administrator roles to enforce just-in-time access.
Rule query
event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and
event.action: "SharingPolicyChanged" and event.outcome: "success" and
(
(o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.ShareWithGuests.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.IsPublic.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.IsPublic.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.AllowGuestUser.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.AllowGuestUser.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue: (false or "Disabled"))
or
(o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue: (true or "Enabled") and
o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue: (false or "Disabled"))
)
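As an added example (not part of the Elastic rule or its documentation), the query's matching logic reproduced in Python and run over constructed audit events, including the True/False versus Enabled/Disabled normalisation the investigation guide mentions. The ECS field layout used by make_event, the site URLs and the user ids are assumptions made for the sample input.

```python
# Constructed M365 audit events (not real tenant data) in the ECS layout the rule queries.
def make_event(provider, outcome, setting, old, new, site, user):
    return {
        "event": {"dataset": "o365.audit", "provider": provider,
                  "action": "SharingPolicyChanged", "outcome": outcome},
        "user": {"id": user},
        "o365": {"audit": {"ObjectId": site,
                           "ModifiedProperties": {setting: {"OldValue": old, "NewValue": new}}}},
    }

# Settings whose off->on transition the rule treats as weakening sharing controls.
WEAKENING_SETTINGS = ("ShareWithGuests", "ShareUsingAnonymousLinks", "IsPublic",
                      "AllowGuestUser", "AllowFederatedUsers", "AllowTeamsConsumer")

def normalise(value):
    # Microsoft mixes True/False and Enabled/Disabled across settings; this mirrors the
    # rule's (true or "Enabled") / (false or "Disabled") clauses. Unknown values -> None.
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    return {"true": True, "enabled": True, "false": False, "disabled": False}.get(text)

def weakened_settings(event):
    """Return the settings in one event that satisfy the rule, or [] if it would not fire."""
    ev = event.get("event", {})
    if (ev.get("dataset") != "o365.audit" or ev.get("provider") not in ("SharePoint", "OneDrive")
            or ev.get("action") != "SharingPolicyChanged" or ev.get("outcome") != "success"):
        return []
    modified = event.get("o365", {}).get("audit", {}).get("ModifiedProperties", {})
    return [name for name in WEAKENING_SETTINGS if name in modified
            and normalise(modified[name].get("NewValue")) is True
            and normalise(modified[name].get("OldValue")) is False]

def scan(events):
    # (site, user, matched settings) for each event the rule would alert on.
    return [(e["o365"]["audit"]["ObjectId"], e["user"]["id"], weakened_settings(e))
            for e in events if weakened_settings(e)]

SAMPLE_EVENTS = [
    # Guest sharing switched from Disabled to Enabled by a human admin: fires.
    make_event("SharePoint", "success", "ShareWithGuests", "Disabled", "Enabled",
               "https://contoso.sharepoint.com/sites/Finance", "admin@contoso.example"),
    # Anonymous links switched off (True -> False): a tightening, so no alert.
    make_event("OneDrive", "success", "ShareUsingAnonymousLinks", True, False,
               "https://contoso-my.sharepoint.com/personal/jdoe", "jdoe@contoso.example"),
    # Attempt to make a site public that failed: event.outcome != success, no alert.
    make_event("SharePoint", "failure", "IsPublic", "False", "True",
               "https://contoso.sharepoint.com/sites/HR", "app@sharepoint"),
]
```

Only the first sample event produces an alert; the second is a policy tightening and the third did not succeed, which is why the rule pins event.outcome to "success".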
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Impair Defenses
  - ID: T1562
  - Reference URL: https://attack.mitre.org/techniques/T1562/
- Sub-technique:
  - Name: Disable or Modify Tools
  - ID: T1562.001
  - Reference URL: https://attack.mitre.org/techniques/T1562/001/