DET0500: Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users
Analyst context for executives and security teams
This detection strategy is about finding unusual SharePoint data mining by privileged or rarely seen users. For leaders, the business issue is not just document access—it is whether sensitive operational, architectural, policy, or network information stored in SharePoint could be collected without timely visibility. Because SharePoint can contain internal diagrams, standards, and procedures, abnormal access patterns may materially affect incident response, compliance evidence, and operational resilience.
Executive priority
Prioritize this as a visibility and governance question for collaboration data: who can access sensitive SharePoint content, what privileged or uncommon users are doing, and whether the SOC can distinguish legitimate business activity from collection behavior. Executives should ask whether SharePoint audit evidence is retained, reviewed, and usable during an investigation, especially for high-value repositories containing architecture, network, policy, or operational documentation.
Technical view
The supplied ATT&CK relationship says this strategy detects T1213.002, Sharepoint, under the collection tactic, with related platforms Office Suite and Windows. SOC and detection teams should validate monitoring for abnormal SharePoint access, especially by privileged accounts or users with rare historical interaction. Detection logic should be behavior-based: unusual volume, breadth, repository sensitivity, access to many documents or sites, and deviations from a user’s normal SharePoint pattern. Because the official detection field is not provided, local baselining and SharePoint audit data quality are decisive.
Likely telemetry
- SharePoint file and site access audit logs
- User identity and authentication logs for privileged and rare users
- SharePoint administrative and permission-change events
- Document download, sync, preview, and access events where available
- Historical user-to-site and user-to-document access baselines
Detection direction
- Confirm that SharePoint audit logging captures user, object, site, action, timestamp, and source context sufficient for investigation.
- Baseline normal SharePoint access by user, role, site, and repository sensitivity before alerting on abnormal data mining behavior.
- Give higher review priority to privileged accounts, accounts with rare SharePoint activity, and access to repositories containing network diagrams, architecture diagrams, policies, procedures, or standards.
- Tune for legitimate bulk activity such as migrations, eDiscovery, audits, project onboarding, or administrative maintenance to reduce false positives.
- Correlate SharePoint activity with identity events, permission changes, and unusual authentication context when available.
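As an added illustration of the behavior-based logic described in the technical view and the detection direction list above (example code, not Glexia's or MITRE's detection content), the following Python scores one day of constructed SharePoint audit events against a per-user baseline, weighting privileged and rarely seen users higher and tuning out a service account's routine bulk activity. The event tuple layout, baseline fields, thresholds and sample users are assumptions, not a Microsoft 365 audit schema.

```python
from collections import defaultdict
# Constructed sample data; names and thresholds are assumptions for this example, not an audit schema.
BASELINE = {  # per user: sites seen historically, typical docs/day, days of history
    "alice": {"sites": {"Sales", "HR"}, "docs_per_day": 12, "active_days": 180},
    "svc-backup": {"sites": {"IT-Ops"}, "docs_per_day": 300, "active_days": 365},
    "bob": {"sites": set(), "docs_per_day": 0, "active_days": 2},
}
PRIVILEGED = {"svc-backup", "bob"}  # bob holds an admin role in this scenario
SENSITIVE_SITES = {"Network-Architecture", "Policies"}
COLLECTION_ACTIONS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}
# One day of constructed SharePoint audit events: (user, site, object, action).
EVENTS = [("alice", "Sales", "q3-forecast.xlsx", "FileAccessed"),
          ("alice", "Sales", "pipeline.pptx", "FileDownloaded")]
EVENTS += [("svc-backup", "IT-Ops", f"backup-{i}.bak", "FileAccessed") for i in range(320)]
EVENTS += [("bob", "Network-Architecture", f"diagram-{i}.vsdx", "FileDownloaded") for i in range(15)]
EVENTS += [("bob", "Policies", f"policy-{i}.docx", "FileAccessed") for i in range(10)]

def summarize(events):
    """Aggregate one day of read/download events into per-user distinct sites and documents."""
    per_user = defaultdict(lambda: {"sites": set(), "docs": set()})
    for user, site, obj, action in events:
        if action in COLLECTION_ACTIONS:
            per_user[user]["sites"].add(site)
            per_user[user]["docs"].add((site, obj))
    return per_user

def score_user(user, agg, baseline, privileged, sensitive, rare_days=30, factor=3):
    """Return (score, reasons); score 0 means the day looks like this user's normal."""
    hist = baseline.get(user, {"sites": set(), "docs_per_day": 0, "active_days": 0})
    reasons = []
    doc_count = len(agg["docs"])
    # Volume is judged against the user's own baseline, so a backup account moving many files is not flagged.
    if doc_count > max(factor * hist["docs_per_day"], 20):
        reasons.append(f"volume {doc_count} docs vs baseline {hist['docs_per_day']}/day")
    if agg["sites"] - hist["sites"]:
        reasons.append(f"new sites {sorted(agg['sites'] - hist['sites'])}")
    if agg["sites"] & sensitive:
        reasons.append(f"sensitive sites {sorted(agg['sites'] & sensitive)}")
    score = len(reasons)
    # Only once something is anomalous, weight privileged and rarely seen users higher.
    for flag, hit in (("privileged account", user in privileged), ("rare user", hist["active_days"] < rare_days)):
        if reasons and hit:
            score += 2
            reasons.append(flag)
    return score, reasons

def run_detection(events, baseline=BASELINE, privileged=PRIVILEGED, sensitive=SENSITIVE_SITES):
    # Map each user with a non-zero score to (score, reasons) for triage.
    scored = {u: score_user(u, a, baseline, privileged, sensitive) for u, a in summarize(events).items()}
    return {u: r for u, r in scored.items() if r[0] > 0}
```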
Mitigation priorities
- Inventory high-value SharePoint repositories and identify content that could support adversary collection, such as architecture, network, policy, and procedure documents.
- Review privileged access and rare-user access paths to sensitive SharePoint sites using least-privilege principles.
- Ensure SharePoint and identity audit logs are enabled, retained, and accessible to SOC and incident response teams.
- Define alert triage playbooks for abnormal SharePoint data access by privileged or rare users.
- Use classification, ownership, and access review processes to strengthen compliance evidence and reduce unnecessary exposure of sensitive internal documentation.
Analyst notes and limits
This Glexia take is based on the detection strategy name, external reference DET0500, and the relationship showing it detects ATT&CK technique T1213.002 Sharepoint. The related technique description supports concern over adversary mining of policies, procedures, standards, network diagrams, and system architecture diagrams from SharePoint.
The object provides no official description, no official detection text, and no direct platforms or tactics on the detection strategy itself. Technical recommendations therefore stay at the validation and telemetry level and require local SharePoint, identity, retention, and repository-sensitivity evidence before determining coverage or risk.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1213.002 | Sharepoint Sub-technique | This object detects Sharepoint. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 19f988b873b1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0500 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.