Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home Security Operations

What is the app@sharepoint Account in my Azure Sentinel Data?

Azure Sentinel News Editor by Azure Sentinel News Editor
December 28, 2020
in Security Operations
0
Microsoft is quietly becoming a cybersecurity powerhouse
4.7kViews
821 Shares Share on Facebook Share on Twitter

This is just a quick blog post for clarification purposes.

We’ve had some internal discussion around this, but what predicated this blog post is the number of customers who’ve also asked about this most recently. Because we’re continuing to improve the data and types of data that are exposed through our table schema and automated analysis (Analytics Rules), customers are finding all sorts of new and curious things that they didn’t know existed before. Some can be real headscratchers.

This latest one is the app@sharepoint account that shows up in query results. This “user” account is logged in the OfficeActivity table because as the account name suggests, it’s part of SharePoint (or OneDrive) operations.

Here’s a query to see it at work in your environment:

OfficeActivity
| where UserId == "app@sharepoint"
| distinct Operation
app@sharepoint operations

app@sharepoint is an account that is utilized as a service principal for SharePoint-based operations (including OneDrive, Teams, Yammer, etc.).

The next logical customer question usually goes something like this: “Well, if it’s a service principal, can I whitelist the account?”

Personally, I have issue with whitelisting any account. Any account can be compromised. To maintain complete security, we need to monitor and report suspicious activity for any account under our purview.

However, you can get clever and whitelist specific accounts from existing Analytics Rules but then create a new Analytics Rule to specifically track those accounts you’ve deemed worthy of whitelisting. Just adjust the severity, the schedule, and threshold a bit. This helps minimize noise in the system, but also ensures all accounts are still being monitored.

The next piece, of course, is how to tie app@sharepoint operations to the user account for which the service principal was providing proxy operations.

Run something like the following:

OfficeActivity
| where UserId == "app@sharepoint" or UserId contains "<yourdomain>"
| distinct TimeGenerated, Operation, UserId

…and then locate the duplicate TimeGenerated entries.

Reference: https://azurecloudai.blog/2020/10/27/what-is-the-appsharepoint-account-in-my-azure-sentinel-data/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
Security Operations

AMA for Azure Sentinel on the Microsoft Security Insights Podcast and Twitch Stream

January 25, 2021
What’s new: Microsoft Teams connector in Public Preview
Security Operations

How to Setup a Managed Identity for the Azure Sentinel Logic App Connector

January 21, 2021
Microsoft suspends 18 Azure accounts tied to China-based hackers
Security Operations

Azure Sentinel Daily Task: Hunting Queries and Bookmarks

January 1, 2021
Next Post
Vectra AI and Microsoft partner on security integration

How to Achieve SOC Operational Efficiency for Azure Sentinel Hunting

Microsoft announces security, identity, management, and compliance updates across Azure and Office

How to be Notified When Azure Sentinel Data Stops Flowing

Microsoft suspends 18 Azure accounts tied to China-based hackers

How to Add the Antimalware Assessment to Your Azure Sentinel Workspace

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Security in Focus at Ignite 2020

Security in Focus at Ignite 2020

4 months ago
ForgeRock Joins Microsoft Intelligent Security Association

ForgeRock Joins Microsoft Intelligent Security Association

4 months ago
Microsoft Debuts Azure Sentinel SIEM, Threat Experts Service

What’s new: Azure Sentinel User and Entity Behavior Analytics in Public Preview!

3 months ago
Microsoft improves Azure’s security to protect your business

How to Enable the Microsoft Teams Public Preview for Azure Sentinel

2 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Trending

What’s new: Microsoft Teams connector in Public Preview
IR

How to Generate Azure Sentinel Incidents for Testing

by Azure Sentinel News Editor
February 26, 2021
0

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here’s a couple easy ways...

What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021
  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News