Entra ID Sharepoint or OneDrive Accessed by Unusual Client

Last updated 20 days ago on 2026-02-12

Created 10 months ago on 2025-05-01

About

Identifies when an application accesses SharePoint Online or OneDrive for Business for the first time in the tenant within a specified timeframe. This detects successful OAuth phishing campaigns, illicit consent grants, or compromised third-party applications gaining initial access to file storage. Adversaries often use malicious OAuth applications or phishing techniques to gain consent from users, allowing persistent access to organizational data repositories without traditional credential theft.

Tags

Domain: CloudDomain: IdentityDomain: StorageUse Case: Identity and Access AuditTactic: CollectionTactic: Initial AccessData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Sign-in LogsLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Collection (TA0009)(external, opens in a new tab or window)

↳ Data from Information Repositories (T1213)(external, opens in a new tab or window)

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Phishing (T1566)(external, opens in a new tab or window)

False Positive Examples

New legitimate applications or integrations recently deployed in the environment may trigger this detection during initial setup or rollout phases. Third-party SaaS applications with SharePoint integration may appear as new app IDs when users first authorize access. Developers testing new applications or OAuth flows in non-production tenants may generate alerts during development cycles.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-azure.signinlogs-*
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset:azure.signinlogs
    and azure.signinlogs.properties.resource_id: (
        00000003-0000-0ff1-ce00-000000000000 or
        6a9b9266-8161-4a7b-913a-a9eda19da220
    ) and azure.signinlogs.properties.app_id: ( *
        and not (
            00000003-0000-0ff1-ce00-000000000000 or
            08e18876-6177-487e-b8b5-cf950c1e598c or
            ab9b8c07-8f02-4f72-87fa-80105867a763 or
            af124e86-4e96-495a-b70a-90f90ab96707
        )
    )
    and azure.signinlogs.properties.tenant_id:*
    and event.outcome:success

Install detection rules in Elastic Security

Detect Entra ID Sharepoint or OneDrive Accessed by Unusual Client in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).