ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT094
  • Created: 29th July 2024
  • Updated: 29th July 2024
  • Contributor: The ITM Team

Microsoft Purview Audit Search

Microsoft's Purview portal has a feature named Audit that permits access to critical audit log event data to gain insight and further investigate user activities. This can be used to investigate activity from a range of Microsoft services, such as SharePoint, OneDrive, and Outlook. Searches can be scoped to a specific timeframe, user account, and platform using the extensive filters available. 

Sections

ID Name Description
IF011.003Providing Unauthorized Access to a Collaboration Platform

The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account.

PR004.002Collaboration Platform Exploration

A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information.