AN1380: Analytic 1380
Privileged or rarely used accounts performing bulk access to SharePoint files or metadata over a short time window, indicating potential scripted collection of sensitive internal documents.
Analyst context for executives and security teams
This analytic matters because unusual bulk access to SharePoint content by privileged or rarely used accounts can be an early signal of scripted internal document collection. For leaders, the value is not just detecting file access volume; it is validating whether sensitive collaboration data, privileged identities, and audit logging are governed well enough to support fast investigation and containment.
Executive priority
Prioritize this where SharePoint contains regulated, contractual, executive, intellectual property, or operationally sensitive documents. The key business question is whether the organization can distinguish legitimate administrative or discovery activity from abnormal mass access by powerful or dormant accounts, and whether the resulting evidence is strong enough for incident response, compliance inquiries, and access governance decisions.
Technical view
SOC and detection teams should validate monitoring for privileged and rarely used accounts that access many SharePoint files or file metadata within a short time window. Because the ATT&CK object provides no detailed detection logic, thresholds, or relationships, teams should tune locally against normal administrative, migration, backup, eDiscovery, data governance, and search-indexing activity. The platform field is Windows, but the described behavior centers on SharePoint access, so local implementation should confirm which endpoint, identity, cloud, and collaboration logs are available and correlated.
Likely telemetry
- SharePoint file access and metadata access audit events
- Identity sign-in and authentication records for privileged and rarely used accounts
- Account privilege, role, and group membership data
- Baseline account activity history to identify rarely used accounts
- Administrative, eDiscovery, migration, backup, or automation job records that may explain bulk access
Detection direction
- Identify privileged accounts and accounts with historically low usage, then monitor for sudden high-volume SharePoint file or metadata access over short time windows.
- Tune volume and time-window thresholds using local baselines rather than fixed assumptions, because the official analytic does not provide detection logic.
- Reduce false positives by correlating with approved administrative work, migrations, eDiscovery, backup processes, retention tooling, and other sanctioned automation.
- Prioritize alerts involving sensitive SharePoint locations, unusual source systems, new access patterns, or accounts whose privileges exceed their normal business need.
- Validate that audit logs capture both file content access and metadata access; metadata-only collection may otherwise be missed.
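The monitoring described in the Technical view and in the detection direction list above, as a runnable sketch added here (it is not part of the ATT&CK object or of this page's analysis, and ATT&CK supplies no detection logic for AN1380). Every name in it is an assumption: the account names, the SharePoint operation names, the site paths, the baseline figures, the approved-job window and the audit events are constructed, and a production rule would map them onto the tenant's real audit schema and locally tuned thresholds. The example scopes to privileged or rarely used accounts, counts distinct files or list items per account in a sliding window against a per-account baseline with an absolute floor, suppresses access inside approved bulk-access job windows, and flags bursts that consist only of metadata operations so that they are not missed.

```python
"""Sliding-window detection of bulk SharePoint access by privileged or rarely
used accounts. All accounts, operations, sites and events below are constructed
for illustration; none come from a real tenant or from the ATT&CK object."""
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    operation: str  # constructed operation names, see the sets below
    site: str
    item: str       # file path or list item identifier


# Constructed operation names: map these onto the audit schema your tenant emits.
CONTENT_OPS = {"FileAccessed", "FileDownloaded"}
METADATA_OPS = {"ListItemViewed", "FilePropertiesRead"}
ALL_OPS = CONTENT_OPS | METADATA_OPS
SENSITIVE_SITES = {"/sites/Finance", "/sites/Legal"}  # constructed site paths


def in_scope(user, privileged, days_active_90d, rare_days=3):
    """Privileged accounts, or accounts seen on very few days in the baseline period."""
    return user in privileged or days_active_90d.get(user, 0) <= rare_days


def threshold_for(user, baseline, floor=25, multiplier=5.0):
    """Per-account threshold from the local baseline (typical distinct items per
    window), never below an absolute floor so dormant accounts still trigger."""
    return max(floor, int(multiplier * baseline.get(user, 0)))


def is_sanctioned(ev, approved_windows):
    """Suppress access that falls inside an approved bulk-access job window."""
    return any(ev.user == u and start <= ev.ts <= end for u, start, end in approved_windows)


def detect_bulk_access(events, privileged, days_active_90d, baseline,
                       approved_windows=(), window=timedelta(minutes=10)):
    """Return one alert per burst of >= threshold distinct items inside `window`."""
    per_user = {}  # user -> (deque of events in window, Counter of items in window)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.operation not in ALL_OPS:
            continue
        if not in_scope(ev.user, privileged, days_active_90d) or is_sanctioned(ev, approved_windows):
            continue
        q, items = per_user.setdefault(ev.user, (deque(), Counter()))
        q.append(ev)
        items[ev.item] += 1
        while q and ev.ts - q[0].ts > window:  # expire events older than the window
            old = q.popleft()
            items[old.item] -= 1
            if items[old.item] == 0:
                del items[old.item]
        if len(items) >= threshold_for(ev.user, baseline):
            alerts.append({
                "user": ev.user,
                "privileged": ev.user in privileged,
                "window_start": q[0].ts,
                "window_end": ev.ts,
                "distinct_items": len(items),
                "metadata_only": all(e.operation in METADATA_OPS for e in q),
                "sensitive_sites": sorted({e.site for e in q} & SENSITIVE_SITES),
            })
            q.clear()
            items.clear()  # reset so each burst produces a single alert
    return alerts


T0 = datetime(2026, 1, 15, 9, 0, 0)


def build_sample_events():
    """Constructed audit events covering four scenarios."""
    ev = []
    # 1. Dormant privileged account pulls 40 distinct Finance files in 4 minutes -> alert
    for i in range(40):
        ev.append(AuditEvent(T0 + timedelta(seconds=6 * i), "svc-legacy-admin", "FileDownloaded",
                             "/sites/Finance", f"/sites/Finance/Shared Documents/q4-{i}.xlsx"))
    # 2. Everyday analyst reads the same volume -> out of scope (active most days), no alert
    for i in range(40):
        ev.append(AuditEvent(T0 + timedelta(seconds=6 * i), "alice", "FileAccessed",
                             "/sites/Finance", f"/sites/Finance/Shared Documents/q4-{i}.xlsx"))
    # 3. Backup service inside its approved job window -> suppressed
    for i in range(60):
        ev.append(AuditEvent(T0 + timedelta(hours=1, seconds=2 * i), "backup-svc", "FileAccessed",
                             "/sites/HR", f"/sites/HR/doc-{i}.docx"))
    # 4. Rarely used contractor enumerates 30 list items (metadata only) in 2 minutes -> alert
    for i in range(30):
        ev.append(AuditEvent(T0 + timedelta(hours=2, seconds=4 * i), "contractor-7", "ListItemViewed",
                             "/sites/Legal", f"/sites/Legal/Contracts/item-{i}"))
    return ev


PRIVILEGED = {"svc-legacy-admin", "backup-svc"}
DAYS_ACTIVE_90D = {"svc-legacy-admin": 1, "alice": 62, "backup-svc": 90, "contractor-7": 2}
BASELINE = {"alice": 12, "backup-svc": 500}  # typical distinct items per 10-minute window
APPROVED = [("backup-svc", T0 + timedelta(minutes=55), T0 + timedelta(hours=3))]


def run_demo():
    return detect_bulk_access(build_sample_events(), PRIVILEGED, DAYS_ACTIVE_90D, BASELINE, APPROVED)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the demo yields two alerts: the dormant privileged account's content download burst and the contractor's metadata-only enumeration, while the everyday analyst (out of scope) and the backup service (inside its approved window) produce nothing. The `metadata_only` flag is the point of the last detection direction item: without it, a rule keyed on file reads alone would miss the second case.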
Mitigation priorities
- Maintain strong inventory and ownership of privileged and rarely used accounts with regular access reviews.
- Apply least privilege to SharePoint repositories, especially sensitive document libraries and administrative roles.
- Require strong authentication and governance for privileged accounts, including controls appropriate for dormant or break-glass-style accounts.
- Define approved bulk-access workflows for migration, eDiscovery, backup, and governance activity so detections can separate expected from suspicious behavior.
- Retain SharePoint and identity audit logs long enough to support incident response and compliance evidence needs.
Analyst notes and limits
This is an ATT&CK detection analytic, AN1380, for Windows in the enterprise-attack domain. The supplied description is specific to privileged or rarely used accounts performing bulk SharePoint file or metadata access over a short period. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take focuses on defensive validation and control questions rather than asserting a specific adversary technique or detection implementation.
The source object does not provide analytic logic, data source requirements, thresholds, related techniques, or example events. Any production rule must be built and tested against the organization’s SharePoint architecture, identity model, audit configuration, privileged account inventory, and normal bulk-access business processes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b0d0b2dc1586… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1380
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.