AN1886: Analytic 1886
Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.[1] Sharepoint audit logging can also be configured to report when a user shares a resource.[2] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.[3] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.
Analyst context for executives and security teams
AN1886 focuses on whether an organization can see unusual access to information repositories such as SharePoint, Confluence, and shared network drives. The practical risk is that these repositories often contain operational, business, engineering, or administrative knowledge, and they are used by large populations of legitimate users. That makes suspicious collection behavior easy to miss unless audit logging, log retention, and analysis are deliberately enabled.
Executive priority
Treat this as a visibility and governance question: can the business prove who accessed, shared, or bulk-viewed sensitive repository content, especially when privileged accounts are involved? Leaders should prioritize audit logging and centralized analysis for high-value repositories because these logs support incident scoping, compliance evidence, insider-risk investigations, and decisions about whether sensitive information may have been accessed or collected.
Technical view
SOC and IR teams should validate that repository access and sharing events are being logged for SharePoint, Confluence, shared network drives, and relevant third-party applications. The supplied ATT&CK text emphasizes monitoring newly constructed logon behavior, access to pages and documents, sharing events, unexpected or abnormal network-share access, privileged-user access to repositories, and unusually high-volume document or page retrieval. Because no ATT&CK tactics, platforms, or formal detection logic are supplied, teams should treat this analytic as a detection strategy to operationalize locally rather than a complete rule.
Likely telemetry
- SharePoint audit logs for site, page, document, and sharing activity
- Confluence user access logs, including AccessLogFilter-derived page and document access records where configured
- Network share access logs showing user, host, path, object, and access volume where available
- Third-party application logs for repositories, messaging systems, or collaboration platforms that store or expose valuable information
- Identity context for users accessing repositories, especially privileged accounts such as Active Directory Domain, Enterprise, or Schema Administrators
Detection direction
- Confirm audit logging is enabled for the repositories that actually hold sensitive business or operational information; default logging may be insufficient.
- Alert or investigate repository access by highly privileged accounts because the ATT&CK text notes these accounts generally should not be used for information-repository access.
- Baseline normal access patterns by user, group, repository, and business role before treating high-volume retrieval as malicious; large legitimate projects can create false positives.
- Look for users viewing or retrieving unusually large numbers of pages or documents, which may indicate automated or programmatic collection when compared with local baselines.
- Monitor unexpected or abnormal access to shared network drives, especially access inconsistent with the user’s role or prior behavior.
Mitigation priorities
- Identify high-value information repositories and shared drives that require audit visibility and retention.
- Enable and verify SharePoint, Confluence, shared-drive, and relevant third-party application logging for access and sharing events.
- Centralize repository logs so SOC and IR teams can search across users, systems, and time windows during investigations.
- Reduce routine use of highly privileged accounts for repository access and monitor any exceptions closely.
- Define thresholds and baselines for unusual document/page retrieval and tune them against business workflows.
Analyst notes and limits
The object is an ICS ATT&CK detection analytic, but the supplied content is centered on information repositories, collaboration platforms, and shared network drives rather than a specific industrial platform. Its decision value is strongest for organizations that depend on repository evidence for investigation, audit, and sensitive-information protection.
No formal detection field, tactics, platforms, relationships, or specific ATT&CK technique mapping were supplied. This take therefore avoids claiming coverage for any platform or behavior beyond the listed repository logging and monitoring concepts. Local repository configuration, identity context, access baselines, and log retention determine whether this analytic can be operationalized effectively.
Analytic 1886
Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.[1] Sharepoint audit logging can also be configured to report when a user shares a resource.[2] The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.[3] Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | fc7e882b543d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Microsoft SharePoint Logging
Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.
Open source URL -
[2]
Sharepoint Sharing Events
Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.
Open source URL -
[3]
Atlassian Confluence Logging
Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.
Open source URL -
[4]
mitre-attack AN1886Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.