M365 SharePoint Site Sharing Policy Weakened

Last updated 16 days ago on 2026-02-27
Created 16 days ago on 2026-02-27

About

Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.
Tags
Domain: Cloud
Domain: SaaS
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Threat Detection
Tactic: Defense Evasion
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
Administrators legitimately enabling external sharing for a new collaboration site or project.
Organizational policy changes that intentionally broaden sharing capabilities across sites.
Migration or onboarding projects that temporarily require external sharing to be enabled.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-o365.audit-*
Related Integrations

o365

Query
event.dataset: "o365.audit" and
event.provider: ("SharePoint" or "OneDrive") and
event.action: "SharingPolicyChanged" and
event.outcome: "success" and
(
  (o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or "Enabled") and
   o365.audit.ModifiedProperties.ShareWithGuests.OldValue: (false or "Disabled")) or
  (o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue: (true or "Enabled") and
   o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue: (false or "Disabled")) or
  (o365.audit.ModifiedProperties.IsPublic.NewValue: (true or "Enabled") and
   o365.audit.ModifiedProperties.IsPublic.OldValue: (false or "Disabled")) or
  (o365.audit.ModifiedProperties.AllowGuestUser.NewValue: (true or "Enabled") and
   o365.audit.ModifiedProperties.AllowGuestUser.OldValue: (false or "Disabled")) or
  (o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue: (true or "Enabled") and
   o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue: (false or "Disabled")) or
  (o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue: (true or "Enabled") and
   o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue: (false or "Disabled"))
)
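
The query's predicate, re-expressed as a Python function for offline triage of exported audit events, reporting which sharing properties moved from off to on. This is an added example, not part of the Elastic rule; the nested event layout, the helper names (get_path, weakened_properties, make_event) and the sample events are assumptions constructed for illustration.

```python
WEAKENING_PROPERTIES = (
    "ShareWithGuests", "ShareUsingAnonymousLinks", "IsPublic",
    "AllowGuestUser", "AllowFederatedUsers", "AllowTeamsConsumer",
)
# Assumption: values arrive as booleans or as these strings.
ON, OFF = (True, "true", "Enabled"), (False, "false", "Disabled")

def get_path(doc, dotted):
    """Walk a nested dict by dotted field name; None if any part is absent."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def weakened_properties(event):
    """Return the properties that went from off to on, or [] if out of scope."""
    if (get_path(event, "event.dataset") != "o365.audit"
            or get_path(event, "event.provider") not in ("SharePoint", "OneDrive")
            or get_path(event, "event.action") != "SharingPolicyChanged"
            or get_path(event, "event.outcome") != "success"):
        return []
    props = get_path(event, "o365.audit.ModifiedProperties")
    if not isinstance(props, dict):
        return []
    return [n for n in WEAKENING_PROPERTIES
            if isinstance(props.get(n), dict)
            and props[n].get("NewValue") in ON and props[n].get("OldValue") in OFF]

def make_event(provider, outcome, **changes):
    """Build a constructed sample event; changes map property -> (old, new)."""
    return {
        "event": {"dataset": "o365.audit", "provider": provider,
                  "action": "SharingPolicyChanged", "outcome": outcome},
        "o365": {"audit": {"ModifiedProperties": {
            name: {"OldValue": old, "NewValue": new}
            for name, (old, new) in changes.items()}}},
    }

SAMPLES = {  # constructed events, not real audit data
    "guest": make_event("SharePoint", "success", ShareWithGuests=("Disabled", "Enabled")),
    "anon_public": make_event("OneDrive", "success",
                              ShareUsingAnonymousLinks=(False, True), IsPublic=(False, True)),
    "hardening": make_event("SharePoint", "success", ShareWithGuests=("Enabled", "Disabled")),
    "failed": make_event("SharePoint", "failure", IsPublic=(False, True)),
    "unchanged": make_event("SharePoint", "success", AllowGuestUser=("Enabled", "Enabled")),
}
if __name__ == "__main__":
    for label, ev in SAMPLES.items():
        print(f"{label:12} -> {weakened_properties(ev)}")
```

Only the first two samples match: a change that tightens sharing, a failed attempt, or a property that was already enabled does not satisfy the OldValue/NewValue pair.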

Install detection rules in Elastic Security

Detect M365 SharePoint Site Sharing Policy Weakened in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.