T1213.002 Sharepoint Mappings

Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions protects from Sharepoint attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories. License Requirements: Microsoft 365 E3 and E5

The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information. License Requirements: ME-ID Built-in Roles (Free)

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)

In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages. Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware. The following M365 features are supported by quarantine policies, “Response” to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. License requirements: M365 E3 (or Defender for Office plan 1)

Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts.

An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action. Microsoft 365 Defender Incident Response responds to Sharepoint attacks due to Incident Response being able to monitor for newly constructed logon behavior within Microsoft SharePoint. License Requirements: Microsoft Defender XDR

Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). License requirements: M365 E5 customers.