How to detect unauthorized data access

Threat snapshot

Unauthorized data access sits at the intersection of insider threat and post-compromise attacker behavior. It is the phase in any intrusion where an actor, whether a compromised external attacker or a malicious insider, begins systematically reading data they should not be accessing. The access itself uses legitimate credentials and legitimate file system APIs. What makes it unauthorized is the combination of who is accessing the data, from which context, and in what volume or pattern relative to established behavior.

The challenge for defenders is that file access events are extremely high volume in enterprise environments. A busy file server generates millions of access events per day. Standard monitoring strategies that alert on every access to a sensitive directory produce unmanageable noise. Effective detection requires three things: behavioral baseline context so that volume anomalies stand out, sensitive path awareness so that access to the right directories gets elevated scrutiny regardless of volume, and discovery activity detection that catches the reconnaissance phase before bulk access begins.

Log360 addresses all three. The Suspicious file access rule uses behavioral baselining to detect volume and pattern anomalies. The Failed file access attempts rule catches the reconnaissance pattern of probing restricted paths. PowerShell-based discovery rules catch the scripted enumeration phase. Together they cover the full unauthorized data access chain from initial reconnaissance through to bulk collection, across Windows file systems, Active Directory data stores, and Microsoft 365 shared content.

Unauthorized data access, at a glance

Severity: Critical
Category: Identity & Access
Behaviors covered: Bulk file access anomalies, failed access probing of restricted paths, PowerShell-based sensitive file discovery, directory traversal on network devices, anonymous external sharing link creation, browser data store access, SQL database unauthorized backup
MITRE ATT&CK tactics: TA0009 - Collection, TA0007 - Discovery
MITRE techniques: T1005 - Data from Local System, T1083 - File and Directory Discovery, T1213 - Data from Information Repositories, T1213.002 - SharePoint
Platforms covered: Windows, Active Directory, Microsoft 365, Network devices
Log360 detection rules:
  • Suspicious file access
  • Failed file access attempts
  • Powershell Sensitive File Discovery
  • Powershell Directory Enumeration
  • DirLister Execution
  • Anonymous Sharing Link Created
  • Possible Directory Traversal Attempt
  • Esentutl Steals Browser Information
  • Suspicious SQL backup activity
SOC maturity level: Level 2 - Investigation
Compliance mapping: NIST CSF PR.DS-5, PCI-DSS 7.2.3, HIPAA Section 164.312(b), ISO 27001 A.9.4.1

How unauthorized data access happens

Unauthorized data access follows a consistent two-phase pattern regardless of whether the actor is a compromised external attacker or a malicious insider: a discovery phase that maps what data exists and where, followed by an access phase where data is read in bulk. Understanding both phases is essential because discovery-phase detection provides the earliest intervention opportunity.

Discovery phase: mapping the data landscape (T1083)

Before accessing data in volume, attackers and malicious insiders need to know where the valuable data lives. In a Windows environment, this reconnaissance takes three common forms. PowerShell's Get-ChildItem cmdlet with recursive flags can enumerate entire directory trees in seconds, filtering by filename patterns such as *password*, *finance*, *confidential*, or *salary*. Dedicated directory listing tools like DirLister provide similar output in a GUI format preferred by less technically proficient actors. Manual access probing, where an actor attempts to open files in directories they suspect exist but may not have access to, generates a trail of failed access events (Windows Security Event 4656 with Access Denied) that reveals both the attacker's reconnaissance intent and the directories they have identified as targets.

Log signals: Sysmon Event 1 for PowerShell execution with Get-ChildItem or Get-Item combined with recursive or filter arguments targeting known sensitive path patterns. Sysmon Event 1 for DirLister.exe execution. Windows Security Event 4656 (access denied) in bursts targeting directories outside the user's normal access scope.
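The discovery signal above, as an added detection sketch that is not Log360's rule logic: it classifies process-creation events by whether PowerShell ran Get-ChildItem / Get-Item (or an alias) recursively, against a UNC share, or with a sensitive filename pattern, and applies the admin allowlist the tuning section calls for. Events are constructed dicts carrying only the Sysmon Event 1 fields used here (Image, CommandLine, User, Computer); the allowlist entries are hypothetical.

```python
"""Classify PowerShell file-discovery command lines from process-creation
events. Added example, not Log360 code; sample events and the admin
allowlist are constructed."""
import re

POWERSHELL_IMAGE = re.compile(r"(?:powershell(?:_ise)?|pwsh)\.exe$", re.I)
# The two cmdlets named in the text plus the aliases PowerShell resolves to them.
ENUM_CMDLET = re.compile(r"\b(?:get-childitem|get-item|gci|ls|dir)\b", re.I)
RECURSE_FLAG = re.compile(r"-rec(?:urse)?\b", re.I)
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
SENSITIVE_PATTERNS = ("password", "passwd", "credential", "secret", "finance",
                      "salary", "payroll", "confidential", "private key",
                      ".pfx", ".pem", ".kdbx")
# Hypothetical allowlist: (account, management workstation) pairs whose
# inventory scripts are expected to enumerate shares.
ADMIN_ALLOWLIST = {("CORP\\svc-inventory", "MGMT-WS01")}


def classify(event):
    """Return (verdict, reasons). verdict is one of: ignore, expected,
    directory-enumeration, sensitive-file-discovery."""
    if not POWERSHELL_IMAGE.search(event["Image"]):
        return "ignore", []          # cmd.exe 'dir /s' etc. is outside this rule's scope
    cmd = event["CommandLine"]
    if not ENUM_CMDLET.search(cmd):
        return "ignore", []
    reasons = []
    if RECURSE_FLAG.search(cmd):
        reasons.append("recursive enumeration")
    if UNC_PATH.search(cmd):
        reasons.append("targets a network share")
    hits = [p for p in SENSITIVE_PATTERNS if p in cmd.lower()]
    if hits:
        reasons.append("sensitive pattern: " + ", ".join(hits))
    if not reasons:
        return "ignore", []          # plain local listing: too noisy to alert on
    if (event["User"], event["Computer"]) in ADMIN_ALLOWLIST:
        return "expected", reasons   # still logged, but not alerted
    return ("sensitive-file-discovery" if hits else "directory-enumeration"), reasons


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "User": "CORP\\jdoe", "Computer": "WS-042",
     "CommandLine": r'powershell.exe -nop -c "gci \\fileserver\Finance -Recurse -Include *password*,*salary* | select FullName"'},
    {"Image": PS, "User": "CORP\\jdoe", "Computer": "WS-042",
     "CommandLine": r'powershell.exe -c "Get-ChildItem -Path \\fileserver\Legal -Recurse"'},
    {"Image": PS, "User": "CORP\\svc-inventory", "Computer": "MGMT-WS01",
     "CommandLine": r'powershell.exe -File inventory.ps1 Get-ChildItem \\fileserver\Data -Recurse'},
    {"Image": PS, "User": "CORP\\asmith", "Computer": "WS-101",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users\asmith\Documents"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": "CORP\\asmith", "Computer": "WS-101",
     "CommandLine": r"cmd.exe /c dir \\fileserver\Legal /s"},
]


def alerts(events):
    """Return [(user, computer, verdict, reasons)] for events worth alerting on."""
    out = []
    for e in events:
        verdict, reasons = classify(e)
        if verdict not in ("ignore", "expected"):
            out.append((e["User"], e["Computer"], verdict, reasons))
    return out


if __name__ == "__main__":
    for user, host, verdict, reasons in alerts(EVENTS):
        print(f"{verdict}: {user} on {host}: {'; '.join(reasons)}")
```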

Collection phase: accessing data in bulk (T1005)

With the data landscape mapped, the actor moves to bulk collection. On Windows file servers, this manifests as an anomalous spike in file read events (Windows Security Event 4663) for a given account, accessing far more files in a session than their behavioral baseline would predict. The Suspicious file access rule uses UEBA behavioral baselining to distinguish legitimate high-volume file activity (engineers accessing large code repositories, analysts running quarterly reports) from anomalous bulk reads that deviate significantly from the account's established pattern.

For structured data, unauthorized access takes different forms: direct SQL backup jobs that dump database contents to a local path, Esentutl-based access to the browser credential databases (SQLite files storing saved passwords, cookies, and browsing history), or directory traversal attacks through web interfaces that expose files outside the intended document root.

Log signals: Windows Security Event 4663 (file object access) in volumes exceeding the UEBA baseline for the account. Windows Security Event 4688 or Sysmon Event 1 for SQL backup utility execution with non-standard destination paths. Sysmon Event 1 for Esentutl.exe targeting Chrome, Edge, or Firefox profile database paths. Network device logs for HTTP path traversal patterns (../ sequences in request URLs).
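Both collection-phase signals above, as an added example that is not Log360's UEBA engine: a session's Event 4663 read count is scored against the account's own daily history with a median/MAD rule (a simple stand-in for the product's behavioral baseline), and Event 4656 access-denied records are checked for a burst that touches several distinct directories inside a short window. The event dicts, account, paths, 90-day history and thresholds are all constructed.

```python
"""Baseline scoring of 4663 reads and 4656 access-denied burst detection.
Added example, not Log360 code; all events and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
from statistics import median

ACCT = "CORP\\jdoe"
# Constructed 90-day history of daily 4663 read counts for ACCT (median 18/day).
BASELINE = [14, 18, 22, 17, 19, 21, 16, 18, 20, 15] * 9
T0 = datetime(2024, 5, 1, 9, 0, 0)
SESSION_END = T0 + timedelta(minutes=30)

# Constructed events: 2,400 Finance reads inside one 30-minute session, then
# access-denied probes across three restricted directories, plus one stray
# denial from an unrelated account that must not be treated as a burst.
EVENTS = [
    {"EventID": 4663, "SubjectUserName": ACCT, "AccessMask": "0x1",
     "ObjectName": f"C:\\Shares\\Finance\\model_{i}.xlsx",
     "TimeCreated": T0 + timedelta(seconds=i * 0.75)}
    for i in range(2400)
] + [
    {"EventID": 4656, "Keywords": "Audit Failure", "SubjectUserName": ACCT,
     "ObjectName": path, "TimeCreated": T0 + timedelta(minutes=m)}
    for m, path in [(40, "C:\\Shares\\Executive\\board-pack.xlsx"),
                    (41, "C:\\Shares\\Board\\minutes-2024.docx"),
                    (43, "C:\\Shares\\M&A\\pipeline.xlsx"),
                    (44, "C:\\Shares\\Executive\\comp-review.xlsx")]
] + [
    {"EventID": 4656, "Keywords": "Audit Failure", "SubjectUserName": "CORP\\asmith",
     "ObjectName": "C:\\Shares\\HR\\offer.docx", "TimeCreated": T0}
]


def session_read_count(events, account, start, end):
    """Count 4663 events carrying the ReadData bit (0x1) for one account/window."""
    return sum(1 for e in events
               if e["EventID"] == 4663 and e["SubjectUserName"] == account
               and int(e["AccessMask"], 16) & 0x1
               and start <= e["TimeCreated"] <= end)


def score_session(daily_counts, session_count, k=10.0):
    """Return (anomalous, score): score is the session count expressed in
    robust standard deviations (1.4826 * MAD) above the account's median day."""
    med = median(daily_counts)
    mad = median(abs(c - med) for c in daily_counts) or 1.0  # guard flat histories
    score = (session_count - med) / (1.4826 * mad)
    return score > k, score


def denied_bursts(events, window=timedelta(minutes=10), min_dirs=3):
    """Per account, find a window of 4656 Audit Failure events spanning at
    least min_dirs distinct directories; return [(account, sorted dirs)]."""
    per_acct = defaultdict(list)
    for e in events:
        if e["EventID"] == 4656 and e.get("Keywords") == "Audit Failure":
            per_acct[e["SubjectUserName"]].append(e)
    findings = []
    for acct, evs in per_acct.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            dirs = {ntpath.dirname(e["ObjectName"]) for e in evs[start:end + 1]}
            if len(dirs) >= min_dirs:
                findings.append((acct, sorted(dirs)))
                break
    return findings


if __name__ == "__main__":
    n = session_read_count(EVENTS, ACCT, T0, SESSION_END)
    flagged, score = score_session(BASELINE, n)
    print(f"{ACCT}: {n} reads in 30 min, baseline median {median(BASELINE):.0f}/day, "
          f"score {score:.0f} -> {'ANOMALOUS' if flagged else 'normal'}")
    for acct, dirs in denied_bursts(EVENTS):
        print(f"{acct}: access-denied burst across {dirs}")
```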

External sharing: bypassing DLP via anonymous links (T1213.002)

In Microsoft 365 environments, a subtle but high-impact unauthorized data access technique is the creation of anonymous sharing links on SharePoint or OneDrive documents. An anonymous sharing link makes a file accessible to anyone with the URL, completely bypassing M365 permission controls and DLP policies. The actor does not need to download the file; they simply create the link and access the content via any browser without leaving authenticated access logs. M365 unified audit logs capture the link creation event, but organizations that do not specifically monitor for anonymous link creation may not detect this vector at all.

Log signals: M365 unified audit log operation AnonymousLinkCreated for any SharePoint or OneDrive document. Particularly significant when created by accounts with access to sensitive libraries, when multiple links are created in a short window, or when the creating account has a known departure date.
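The three aggravating conditions above, applied to AnonymousLinkCreated records as an added example that is not Log360 code: links into sensitive libraries, several links from one account in a short window, and a creator with a known departure date raise the severity from the rule's base level. The records are constructed JSON in the shape of unified audit log SharePoint entries (CreationTime, Operation, UserId, SiteUrl, ObjectId); DEPARTURES stands in for a hypothetical HR feed and every threshold is an assumption.

```python
"""Score AnonymousLinkCreated audit records. Added example, not Log360 code;
records, departure data and thresholds are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_LIBRARIES = ("legal", "finance", "hr", "executive", "m&a")
DEPARTURES = {"jdoe@example.com": datetime(2024, 5, 3)}  # hypothetical HR feed

# Constructed records in unified-audit-log shape (not real tenant data).
AUDIT_JSON = """[
 {"CreationTime": "2024-05-01T08:00:00", "Operation": "AnonymousLinkCreated",
  "UserId": "psmith@example.com", "SiteUrl": "https://contoso.sharepoint.com/sites/Marketing/",
  "ObjectId": "https://contoso.sharepoint.com/sites/Marketing/Shared Documents/Assets/brand-kit.zip"},
 {"CreationTime": "2024-05-01T09:00:00", "Operation": "FileAccessed",
  "UserId": "jdoe@example.com", "SiteUrl": "https://contoso.sharepoint.com/sites/Legal/",
  "ObjectId": "https://contoso.sharepoint.com/sites/Legal/Shared Documents/Contracts/nda-acme.docx"},
 {"CreationTime": "2024-05-01T09:15:00", "Operation": "AnonymousLinkCreated",
  "UserId": "jdoe@example.com", "SiteUrl": "https://contoso.sharepoint.com/sites/Legal/",
  "ObjectId": "https://contoso.sharepoint.com/sites/Legal/Shared Documents/Contracts/nda-acme.docx"},
 {"CreationTime": "2024-05-01T09:17:00", "Operation": "AnonymousLinkCreated",
  "UserId": "jdoe@example.com", "SiteUrl": "https://contoso.sharepoint.com/sites/Finance/",
  "ObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/FY24/forecast.xlsx"},
 {"CreationTime": "2024-05-01T09:20:00", "Operation": "AnonymousLinkCreated",
  "UserId": "jdoe@example.com", "SiteUrl": "https://contoso.sharepoint.com/sites/Deals/",
  "ObjectId": "https://contoso.sharepoint.com/sites/Deals/Shared Documents/M&A Pipeline/targets.pptx"}
]"""
RECORDS = json.loads(AUDIT_JSON)


def library_is_sensitive(rec):
    """Match on whole path segments so 'hr' does not fire on 'sharepoint'."""
    segments = re.split(r"[/\s]+", rec["ObjectId"].lower())
    return any(seg.startswith(k) for seg in segments for k in SENSITIVE_LIBRARIES)


def evaluate(records, window=timedelta(minutes=15), burst=3, departure_days=30):
    """Return {user: finding} for each creator of anonymous links. Severity
    follows the page's scale: attention for any link, trouble with one
    aggravating condition, critical with two or more."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "AnonymousLinkCreated":
            by_user[r["UserId"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        times = sorted(datetime.fromisoformat(r["CreationTime"]) for r in recs)
        # burst: any `burst` consecutive links created inside `window`
        in_burst = any(times[i + burst - 1] - times[i] <= window
                       for i in range(len(times) - burst + 1))
        sensitive_docs = [r["ObjectId"] for r in recs if library_is_sensitive(r)]
        leave = DEPARTURES.get(user)
        departing = leave is not None and 0 <= (leave - times[0]).days <= departure_days
        flags = [name for name, hit in (("sensitive_library", sensitive_docs),
                                        ("burst", in_burst),
                                        ("departing", departing)) if hit]
        severity = {0: "attention", 1: "trouble"}.get(len(flags), "critical")
        findings[user] = {"links": len(recs), "flags": flags,
                          "severity": severity, "sensitive_docs": sensitive_docs}
    return findings


if __name__ == "__main__":
    for user, f in evaluate(RECORDS).items():
        print(f"{f['severity'].upper():9} {user}: {f['links']} link(s), flags={f['flags']}")
```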

Real-world scenarios

Post-compromise attacker accessing file server shares

After gaining an initial foothold via phishing or credential theft, attackers on an internal network routinely perform file server reconnaissance before exfiltrating data. A compromised standard user account that runs PowerShell Get-ChildItem against network share paths, generating thousands of file enumeration events across finance, legal, and HR directories in a single session, is a high-confidence indicator of an active intrusion in the collection phase. The Powershell Sensitive File Discovery and Powershell Directory Enumeration rules catch this reconnaissance before bulk access begins, providing an intervention window before any data is removed from the network.

Insider accessing HR or finance files outside job scope

Access to sensitive data by authorized users outside their normal job function is one of the most common data loss scenarios and one of the most difficult to detect without behavioral baseline context. A marketing employee who has legitimate network access but whose 90-day baseline shows they never access the Finance share suddenly reading 400 files in that directory is not a permission violation but is a clear behavioral anomaly. The Suspicious file access anomaly rule surfaces this by comparing the current session's access pattern against the established baseline rather than relying solely on permission-based alerting.

Web application directory traversal

Directory traversal attacks against internal web applications expose files on the web server's file system outside the intended document root. An attacker who discovers a vulnerable parameter in an internal web application can read configuration files, credential stores, or application source code that was never intended to be web-accessible. The Possible Directory Traversal Attempt rule detects the ../ path traversal pattern in HTTP requests at the network device layer, catching this attack regardless of whether the application itself logs the malicious request.

Scenario reference table

| Actor type | Discovery method | Collection method | Log360 detection |
|---|---|---|---|
| External attacker (post-compromise) | PowerShell Get-ChildItem across network shares | Bulk file reads from finance / HR / legal shares | Powershell Sensitive File Discovery, Suspicious file access |
| Malicious insider | Manual browsing and access probing of restricted paths | Bulk file reads far above behavioral baseline | Failed file access attempts, Suspicious file access |
| Compromised admin | DirLister enumeration of sensitive paths | SQL database backup to local workstation | DirLister Execution, Suspicious SQL backup activity |
| Departing employee (M365) | SharePoint site browsing | Anonymous sharing links to sensitive documents | Anonymous Sharing Link Created |
| Web application attacker | Parameter fuzzing for traversal vulnerabilities | Directory traversal to read server-side files | Possible Directory Traversal Attempt |
| Credential harvester | Browser profile path enumeration | Esentutl access to Chrome / Edge credential DBs | Esentutl Steals Browser Information |

Business impact

  • Data exposure before exfiltration. Unauthorized data access creates data exposure risk even before any file leaves the network. Once an actor has read sensitive files, the knowledge they contain is compromised regardless of whether a DLP control subsequently blocks a transfer. Financial models, strategic plans, personnel records, and customer data all lose their confidentiality the moment an unauthorized actor reads them, whether or not those files are ever externally transferred.
  • Regulatory notification obligations triggered at access, not exfiltration. Under GDPR, HIPAA, and most breach notification frameworks, the triggering event for breach assessment is unauthorized access to protected data, not confirmed exfiltration. An attacker who reads 10,000 patient records on a file server without downloading them has still created a reportable incident under HIPAA. Detecting and documenting the scope of unauthorized access is therefore critical for breach assessment accuracy and regulatory response, even when no data transfer is confirmed.
  • Anonymous SharePoint links as a persistent exposure surface. An anonymous sharing link created by a malicious actor or compromised account remains active indefinitely unless explicitly revoked. Unlike account-based access that is terminated when an account is disabled, anonymous links continue to provide access after the actor's credentials have been revoked, account disabled, or employment terminated. The link represents a persistent exposure channel that standard offboarding procedures do not address.
  • Browser credential access enables downstream attacks. Esentutl-based access to browser credential databases is not just an unauthorized data access event; it is a credential harvesting event that enables further attacks. Every corporate SaaS application where the user has saved credentials in their browser is potentially accessible to the actor who extracts that database. The data access incident and the subsequent credential compromise risk must be assessed together.

Detecting unauthorized data access with Log360

Log360's nine detection rules cover the full unauthorized data access chain across Windows file systems, Active Directory-integrated data stores, Microsoft 365, and network devices. For Windows and Sysmon-based rules, process creation (Event 1) and object access (Events 4656, 4663) logging must be enabled and forwarding to Log360 from relevant file servers and endpoints. For M365 rules, unified audit logs must be configured. For network device rules, HTTP access logs from Fortinet, Cisco, or similar appliances must be connected as log sources.

Behavioral anomaly and bulk access detection

| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Suspicious file access | Critical | Windows | T1005 | Advanced anomaly rule that fires when a user's file access volume, velocity, or directory scope deviates significantly from their established behavioral baseline. Unlike permission-based rules that require explicit access control violations, this rule catches authorized-but-anomalous access: the insider who is permitted to access finance directories but has never done so, or the post-compromise attacker using legitimate credentials to read data systematically. Critical severity because bulk unauthorized reads are a direct data exposure event regardless of whether subsequent exfiltration is detected. |
| Failed file access attempts | Critical | Windows | T1005 | Multiple Windows Security Event 4656 (access denied) records for an account targeting file system paths outside their normal access scope. A burst of access denials across multiple sensitive directories within a short window is the clearest behavioral signature of an actor actively probing the boundaries of their access, mapping restricted directories before either escalating privileges or using an alternate access path. Critical severity because it indicates active reconnaissance of data the actor cannot yet access. |

File and directory discovery detection

| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Powershell Sensitive File Discovery | Trouble | Windows | T1083 | PowerShell commands executing file system searches targeting patterns associated with sensitive data: filenames containing keywords such as password, credential, secret, finance, salary, payroll, confidential, private key, or certificate. Detected via Sysmon Event 1 command-line analysis or PowerShell Script Block Logging (Event 4104). Fires on both interactive PowerShell sessions and scripted execution, covering both manual attacker reconnaissance and automated collection tooling. |
| Powershell Directory Enumeration | Trouble | Windows | T1083 | PowerShell commands performing recursive directory enumeration across network shares or local file system paths in a pattern inconsistent with legitimate administrative use. Covers Get-ChildItem, Get-Item, and equivalent .NET directory traversal methods executed with broad recursive scope. The rule distinguishes between IT administrative enumeration (allowlisted accounts and paths) and anomalous enumeration from standard user accounts or from machines that do not normally run administrative PowerShell. |
| DirLister Execution | Attention | Windows | T1083 | DirLister.exe process creation detected via Sysmon Event 1. DirLister is a dedicated directory and file listing utility that generates structured output of file system contents, commonly used in reconnaissance before bulk data access. Its execution on a standard user workstation with no prior history of the tool is a clear signal of intentional data discovery activity. Attention severity because DirLister has some legitimate IT auditing use cases; context from concurrent suspicious file access events significantly increases priority. |

Cloud and network data access detection

| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Anonymous Sharing Link Created | Attention | Microsoft 365 | T1213.002 | An anonymous (anyone with the link) sharing link was created for a SharePoint or OneDrive document or folder, recorded in the M365 unified audit log as the AnonymousLinkCreated operation. Anonymous links bypass M365 permission controls and DLP policies entirely: anyone with the URL can access the content without authentication. Any anonymous link creation for documents in sensitive libraries (Legal, Finance, HR, Executive) warrants immediate review. The link persists and remains active until explicitly revoked, regardless of subsequent changes to the creating account's permissions. |
| Possible Directory Traversal Attempt | Trouble | Network | T1213 | HTTP request containing directory traversal sequences (../, ..%2f, %2e%2e/, or equivalent URL-encoded variants) detected by network appliance logs. Directory traversal attacks attempt to access files outside the web application's intended document root, potentially exposing configuration files, credential stores, application source code, or server-side data. The rule fires at the network layer independently of the target application's own logging, providing coverage even for applications that do not log malicious requests. |
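The traversal-variant matching the rule above describes, as an added example that is not Log360's rule: a network-layer check has to percent-decode the request (including double encoding and the %2e%2e form) before matching, look at both the path and every query-string value, and separate "contains a .. sequence" from "actually climbs above the document root", which is the distinction the scanner-noise tuning later on the page turns on. The request lines are constructed in a simplified "client-ip method target" form, not any appliance's real log format.

```python
"""Decode-then-match directory traversal detection over constructed request
lines. Added example, not Log360 code."""
import re
from urllib.parse import unquote

DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize(component, max_rounds=3):
    """Percent-decode until stable (so %252e%252e%252f becomes ../), then
    unify backslashes and collapse repeated slashes."""
    rounds, prev = 0, None
    while component != prev and rounds < max_rounds:
        prev, component = component, unquote(component)
        rounds += 1
    return re.sub(r"/+", "/", component.replace("\\", "/"))


def escapes_root(decoded):
    """Walk the decoded path; True if '..' ever climbs above the root."""
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze(target):
    """Inspect the path and each query value of one request target. Returns a
    finding dict for the first component carrying a traversal sequence."""
    path, _, query = target.partition("?")
    components = [("path", path)]
    for pair in query.split("&") if query else []:
        name, _, value = pair.partition("=")
        components.append((f"param:{name}", value))
    for where, raw in components:
        decoded = normalize(raw)
        if DOTDOT.search(decoded):
            return {"where": where, "decoded": decoded,
                    "escapes_root": escapes_root(decoded)}
    return None


# Constructed request lines (client ip, method, target); not real traffic.
SAMPLE_LOG = """\
10.0.4.7 GET /docs/view?file=report.pdf
10.0.4.7 GET /docs/view?file=..%2f..%2fweb.config
10.0.4.7 GET /static/%2e%2e/%2e%2e/%2e%2e/web.config
10.0.4.7 GET /docs/view?file=%252e%252e%252fappsettings.json
10.0.9.3 GET /assets/../img/logo.png
"""


def scan(log_text):
    """One entry per log line: None when clean, else the finding plus the ip."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, target = line.split(" ", 2)
        finding = analyze(target)
        if finding:
            finding["ip"] = ip
        results.append(finding)
    return results


if __name__ == "__main__":
    for line, finding in zip(SAMPLE_LOG.splitlines(), scan(SAMPLE_LOG)):
        if finding is None:
            print(f"clean      {line}")
        else:
            kind = "TRAVERSAL " if finding["escapes_root"] else "sequence  "
            print(f"{kind} {finding['ip']} {finding['where']} -> {finding['decoded']}")
```

The last sample line carries a `..` sequence that never leaves the root, which is the kind of request an authorized scanner or a sloppy relative link produces; keeping that flag separate lets the rule fire on the sequence while the triage step ranks the root-escaping requests first.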

Specialized data store access detection

| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Esentutl Steals Browser Information | Trouble | Windows | T1005 | Esentutl.exe executed with arguments targeting browser profile database files: Chrome's Login Data, Edge's credential store, or Firefox's key4.db and logins.json. Esentutl is a Windows built-in ESE database utility that attackers use to copy locked browser database files that cannot be accessed directly while the browser is running. The copied database contains saved passwords, authentication cookies, and browsing history. Unauthorized access to these files represents both a data access violation and a credential theft event. |
| Suspicious SQL backup activity | Critical | Miscellaneous | T1005 | Advanced rule detecting ad hoc SQL backup operations outside the scheduled backup window, or with non-standard destination paths such as user workstation directories rather than the designated backup server. A user who initiates a full database backup to their local machine is accessing the entire contents of that database in a format optimized for portability and offline analysis. Critical severity because a successful database backup represents the highest-volume unauthorized data access possible for a structured data store, potentially capturing millions of records in a single operation. |

Attack chain visibility

The two sequences below show what unauthorized data access looks like in the logs across the discovery-to-collection chain, for both an external attacker scenario and an insider scenario.

Sequence A: Post-compromise attacker enumerating and accessing file server data

| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | Sysmon Event 1 on compromised workstation: PowerShell executes with Get-ChildItem targeting UNC paths to file server shares: \\fileserver\Finance\*, \\fileserver\Legal\*, \\fileserver\HR\*. Powershell Sensitive File Discovery rule fires. | The attacker is mapping what sensitive data exists across the organization's file shares from the compromised user's session. | T+0 |
| 2 | Windows Security Event 4656 on file server: access denied events on several directories the compromised account lacks permission to access (Executive, Board, M&A). Failed file access attempts rule fires. | The attacker is probing the edges of their current access to identify higher-value targets for privilege escalation. | T+10 min |
| 3 | Windows Security Event 4663 on file server (high volume): file read events for the compromised account spike to 2,400 in a 30-minute window against Finance share files. The account's 90-day baseline average is 18 file accesses per day. Suspicious file access anomaly rule fires. | The attacker has moved from discovery to bulk collection. | T+20 min |

Sequence B: Insider creating anonymous SharePoint links before departure

| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | M365 audit log (SharePoint access): employee accesses multiple SharePoint document libraries outside their normal job function: Legal Contracts, M&A Pipeline, Executive Compensation. | Normal access pattern for this account: Marketing assets only. | T+0 |
| 2 | M365 audit log (AnonymousLinkCreated): anonymous sharing links created for 14 documents across Legal, Finance, and M&A libraries. Anonymous Sharing Link Created rule fires. | These links are now accessible to anyone with the URL, bypassing all M365 permission controls. The links will persist after the employee's account is disabled on their departure date. | T+15 min |
| 3 | M365 audit log (AnonymousLinkUsed): the anonymous links are accessed from an external IP address three days after the employee's last day and account disablement. | The access occurs via browser without authentication, generating no user identity in the access log. | T+3 days |

Investigation playbook

Unauthorized data access investigations must simultaneously determine what was accessed, whether it has left the network, and whether the access is ongoing. Speed matters: the longer unauthorized access continues, the broader the scope of data exposure and the more complex the breach assessment becomes.

Step 1: Triage - identify the access type and scope

| Rule that fired | Access type | Data at risk | First action |
|---|---|---|---|
| Suspicious file access | Bulk file reads anomalous vs. behavioral baseline | All files read during the anomalous session | Pull Event 4663 records for the account in the alert window. Enumerate specific files accessed. Cross-reference with sensitive data classifications. Check for subsequent exfiltration events (Rclone, MEGA, email forwarding) from the same account. |
| Failed file access attempts | Active probing of restricted paths | Data in the probed directories (attacker intent confirmed even if access denied) | Identify which directories were probed from the Event 4656 records. Check whether the account subsequently obtained access to those directories via privilege escalation. Check for concurrent successful reads from other sensitive paths the account can access. |
| Powershell Sensitive File Discovery | Scripted discovery across file system or network shares | Files matching the search pattern in the discovery scope | Retrieve the full PowerShell command from Sysmon Event 1 or Script Block Logging. Determine the search scope (local only vs. network shares). Check for bulk file access events following the discovery run. |
| Anonymous Sharing Link Created | Data shared externally via anonymous link | All documents covered by the created links | Identify the specific documents linked from the M365 audit log. Assess sensitivity classification. Revoke all anonymous links immediately. Check AnonymousLinkUsed events to determine if the links have already been accessed. |
| Suspicious SQL backup activity | Database contents exported via backup | Full database contents in the backup file | Identify the backup destination path. Determine if the backup file was subsequently transferred externally. Check file access logs for the destination path. Initiate data classification review for the affected database. |

Step 2: Establish what data was accessed

  • For Windows file server access: query Event 4663 (file object access, ReadData or ReadAttributes) for the account and time window identified in the alert. This log produces the definitive list of files accessed. Note: file access auditing must be enabled on the target file server or share for Event 4663 to be generated. If auditing is not enabled, the scope can only be estimated from directory-level enumeration events.
  • For SharePoint access: query M365 unified audit log for FileAccessed, FileDownloaded, and AnonymousLinkCreated operations for the account. FileAccessed records every document view; FileDownloaded records explicit downloads. Together they define the full scope of document-level exposure.
  • For SQL backup access: the backup file itself contains all database records. Work with the DBA team to enumerate the database's contents and data classification. Treat every record in the database as potentially accessed unless forensic evidence confirms the backup was incomplete or never completed.
  • For directory traversal: review the web application's access logs for the traversal payloads detected by the network rule. Determine which server-side paths were successfully accessed versus blocked. Each successfully accessed path represents a specific file or directory that was exposed.

Step 3: Investigate using the Incident Workbench

  • Click on the account identified in the alert to open the Incident Workbench. Use the User analytics tab to view the full activity timeline, UEBA risk score, and behavioral deviation metrics for the account. For insider scenarios, UEBA context showing recent changes in access patterns, new data types accessed, or access outside normal working hours is the key evidence for distinguishing authorized-but-unusual activity from unauthorized access.
  • For M365 anonymous link scenarios, review the User analytics tab for recent changes in the account's SharePoint access patterns: new sites visited, new document libraries accessed, and the relationship between the anonymous link creation and the account's access history. An account that accessed documents for the first time immediately before creating anonymous links is a strong signal of intent.
  • Use Advanced Threat Analytics on any external IP addresses involved in accessing anonymous SharePoint links or in web-based directory traversal attacks, to determine whether the IP is associated with known attack infrastructure or threat actors.
  • Save the Incident Workbench session to an incident. Unauthorized data access incidents frequently require Legal, Compliance, and HR involvement; the saved session provides the complete activity timeline for those stakeholders without requiring direct log access.

Step 4: Determine whether data left the network

  • Check for exfiltration events from the same account in the same time window: email forwarding rule creation (Mail Flow Rule for Forwarding Created), cloud storage uploads (DNS queries to MEGA, Rclone execution), SharePoint above-threshold downloads, or USB device write events. The presence of any of these signals following a Suspicious file access alert significantly escalates the incident scope.
  • For anonymous SharePoint links: check AnonymousLinkUsed events in the M365 audit log. Each use of an anonymous link from an external IP is a confirmed external data access event. Preserve the accessing IP, timestamp, and document for the breach assessment record.
  • For Esentutl browser database access: treat all corporate accounts with saved credentials in the affected browser profile as potentially compromised for downstream unauthorized access. The data access incident and the credential exposure must be assessed together for full scope.

Step 5: Collect evidence and build the timeline

  • Export Windows Security Event 4663 records for the affected account and time window from all relevant file servers. These records constitute the forensic evidence of exactly which files were accessed.
  • Export M365 unified audit log records for FileAccessed, FileDownloaded, AnonymousLinkCreated, and AnonymousLinkUsed operations for the relevant period and accounts.
  • Export Sysmon Event 1 records showing PowerShell discovery commands, Esentutl execution, or DirLister execution from the affected endpoints.
  • Export the Incident Workbench session timeline and UEBA risk score history as the primary compliance artifact. For HIPAA incidents, this timeline is the foundation of the breach assessment required under the Security Rule; for GDPR incidents, it supports the 72-hour breach notification assessment.

Response and remediation

Immediate containment

  • Revoke all anonymous SharePoint and OneDrive links created by the affected account. Use the SharePoint admin center or PowerShell (Revoke-SPOSiteDesignRights or the sharing API) to invalidate all anonymous links associated with the account. Do not wait for the investigation to confirm the links were used; anonymous links that have not yet been used represent an active exposure surface that must be eliminated immediately.
  • Disable the affected account if unauthorized bulk file access is confirmed and the account's current legitimate use does not prevent immediate disablement. For post-compromise attacker scenarios, this terminates ongoing access immediately. For insider scenarios, coordinate with HR before disablement.
  • Enable enhanced file access auditing on any file servers or SharePoint sites identified in the investigation if full object access auditing (Event 4663) was not already active. This ensures that the complete scope of access during the investigation window can be reconstructed.
  • Initiate credential rotation for any accounts where Esentutl browser database access was confirmed. Rotate passwords for all corporate SaaS applications where the account had saved credentials in the affected browser profile.

Response actions by trigger

| Trigger | Immediate action | Owner |
|---|---|---|
| Suspicious file access (Critical) | Pull Event 4663 records to enumerate accessed files. Assess sensitivity classification. Check for subsequent exfiltration events. Coordinate with data owners of affected directories. | SOC L2 + Data Owner |
| Failed file access attempts (Critical) | Identify probed directories. Check for privilege escalation attempts from the same account. Monitor for follow-up successful access after any permission changes. | SOC L2 |
| Anonymous Sharing Link Created | Revoke all anonymous links from the account immediately. Check AnonymousLinkUsed events for access that has already occurred. Notify data owners of linked documents. | SOC L2 + M365 Admin |
| Suspicious SQL backup activity (Critical) | Identify backup destination. Determine if the file was transferred. Initiate DBA and data governance review. Treat database contents as fully exposed pending forensic confirmation. | SOC L2 + DBA Team + Legal |
| Esentutl Steals Browser Information | Identify affected browser profile. Rotate credentials for all corporate accounts with saved passwords in that profile. Check for subsequent authentication from unusual IPs using those credentials. | SOC L2 + Identity Team |

Hardening

  • Enable object access auditing on all sensitive file servers and SharePoint sites. Windows file access auditing (Event 4663) must be explicitly enabled on file servers via Group Policy and on individual shares or directories. Without this, the Suspicious file access and Failed file access attempts rules cannot fire. Audit policy should cover ReadData, WriteData, and DeleteChild operations at minimum for sensitive directories.
  • Disable anonymous link creation in M365 via Conditional Access or SharePoint tenant settings. In most enterprise environments, there is no legitimate business reason for anonymous sharing links. Disable the feature at the tenant level or restrict it to specific approved sites. If anonymous links are required for some workflows, require expiry dates and approval workflows for all anonymous link creation.
  • Implement sensitive path monitoring via file access classification. Define a set of sensitive directory paths (Finance, Legal, HR, Executive, Source Code) and apply tighter file access auditing and lower anomaly detection thresholds specifically to those paths. Standard user accounts should not be generating high-volume access to these paths under any legitimate workflow.
  • Restrict the PowerShell execution policy and enable Script Block Logging. Turn on PowerShell Script Block Logging (Group Policy setting: Turn on PowerShell Script Block Logging) on all domain-joined machines. This ensures that even obfuscated PowerShell commands used for sensitive file discovery are captured in the event log (Event 4104) and forwarded to Log360 for rule matching.

False positive tuning

| False positive source | Rules affected | Tuning strategy |
|---|---|---|
| IT administrators running inventory or auditing scripts | Powershell Sensitive File Discovery, Powershell Directory Enumeration, DirLister Execution | Create an allowlist of authorized IT admin accounts and their designated management workstations. Discovery commands from allowlisted accounts running on allowlisted machines during documented maintenance windows are expected. Any discovery activity from standard user accounts, or from admin accounts on non-management machines, should always alert regardless of the allowlist. |
| Legitimate high-volume file access by power users (engineers, analysts) | Suspicious file access | The Suspicious file access rule uses individual behavioral baselines, so accounts that consistently access large volumes of files will have a higher baseline threshold and will not generate false positives for their normal activity. False positives occur most commonly for new users who have not yet established a baseline. For new accounts, manually review the first alert and adjust thresholds after confirming the initial access volume is legitimate. |
| Approved anonymous sharing links for external collaboration | Anonymous Sharing Link Created | Some organizations legitimately use anonymous SharePoint links for external partner access to non-sensitive content. Create an allowlist of specific SharePoint sites or document libraries where anonymous links are approved. Alert on anonymous links created anywhere outside the approved list. Require expiry dates on all approved anonymous links and monitor for links that have not expired within a defined window. |
| Scheduled SQL backup jobs generating backup events | Suspicious SQL backup activity | Document all scheduled SQL backup jobs: their timing, the service account that runs them, and their destination paths. The rule fires on deviations from the documented pattern: off-schedule timing, non-standard destination paths, or execution by accounts outside the authorized backup service account. Ensure the scheduled backup patterns are captured in the rule baseline so legitimate nightly backups do not alert. |
| Web application scanners generating traversal-like requests | Possible Directory Traversal Attempt | Authorized vulnerability scanners and web application testing tools generate directory traversal payloads as part of their standard scan profiles, which will trigger this rule. Allowlist the source IPs of authorized scanning tools during approved scan windows. Any traversal attempt from a source not in the approved scanner allowlist should always alert, including during scan windows. |