- Open the Office 365 Security & Compliance Center.
- Go to Search -> Audit log search.
- In the Activities filters, choose “Shared file, folder, or site” and “Unshared file, folder, or site”.
- Click Search.
The search results will include events for directly granting access rights, adding a user to a group, and changing group rights. The results table shows only the following basic details:
- User — The name of the user who performed the action
- Item — The URL of the SharePoint site or Team where the change was made
- Detail — The user or group to which the change was applied
To determine whether privilege escalation actually took place, you have to dig further. One option is to expand each event and review the Details tab. Depending on the activity, look for the following information:
- If a user was added to a group with Full Control permissions: the EventData field <Added to group> shows the name of the group the user was added to. (Note that by default, the group with Full Control permissions on a site or team is named “[SiteName] Owners”.)
- If rights were granted to a user directly: the EventData field <Permissions granted> shows the permission level that was granted. Your highest priority is to track users who are granted Full Control.
However, the Audit log search filters are quite basic and do not let you exclude irrelevant results, so with this method you have to click through every single event. An alternative way to find privilege escalation is to export the data and parse it in Excel:
- Output your search results to CSV by clicking Export Results -> Download all results.
- Open a blank workbook -> On the Data tab, in the Get & Transform Data section, click From Text/CSV -> Open the CSV file that you downloaded -> Click Transform Data.
- In the Query Editor, right-click the AuditData column header -> Click Transform -> Choose JSON.
- In the upper right corner of the AuditData column, click the expand icon -> Click Load more -> Deselect the properties that you don't want to include -> Click OK.
The resulting table will include the following information:
- AuditData.CreationTime — The event timestamp
- AuditData.ClientIP — The IP address from which the event was performed
- AuditData.UserId — The UPN of the user who performed the action
- AuditData.EventData — The details of the change: the permission level granted or the group the user was added to
- AuditData.SiteUrl — The URL of the SharePoint site or Team where the change was made
- AuditData.TargetUserOrGroupName — The user or group to which the change was applied
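As an added example that is not part of the original page, the same transformation and filtering done in Python against the CSV export, so that benign changes are dropped instead of clicked through. The export column layout (CreationDate, UserIds, Operations, AuditData), the operation names SharingSet and AddedToGroup, and the spelling of the tags inside EventData are assumptions about the real export; the sample rows are constructed, not tenant data.

```python
import csv
import io
import json
import re

# Operation names inside the AuditData JSON (assumed; adjust to your export).
DIRECT_GRANT = "SharingSet"    # surfaced as "Shared file, folder, or site"
GROUP_ADD = "AddedToGroup"     # user added to a SharePoint group

# EventData carries tagged values such as "<PermissionsGranted>Full Control</PermissionsGranted>".
# The exact tag spelling is assumed, so tags are matched case- and whitespace-insensitively.
_EVENT_DATA_RE = re.compile(r"<(?P<tag>[A-Za-z ]+)>(?P<value>.*?)</(?P=tag)>", re.S)


def _norm(tag: str) -> str:
    return re.sub(r"\s+", "", tag).lower()


def parse_event_data(event_data: str) -> dict:
    """Turn "<Tag>value</Tag>..." into {"tag": "value"} with normalised keys."""
    return {_norm(m.group("tag")): m.group("value").strip()
            for m in _EVENT_DATA_RE.finditer(event_data or "")}


def expand_audit_rows(csv_text: str) -> list:
    """Equivalent of Excel's Transform -> JSON plus expanding the AuditData column."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])
        details = parse_event_data(data.get("EventData", ""))
        events.append({
            "CreationTime": data.get("CreationTime"),
            "ClientIP": data.get("ClientIP"),
            "UserId": data.get("UserId"),
            "Operation": data.get("Operation"),
            "SiteUrl": data.get("SiteUrl"),
            "TargetUserOrGroupName": data.get("TargetUserOrGroupName"),
            "PermissionsGranted": details.get("permissionsgranted"),
            "AddedToGroup": details.get("addedtogroup"),
        })
    return events


def find_escalations(events, full_control_groups=("Owners",), ignore_actors=()):
    """Return (event, reason) pairs for changes that hand out Full Control.

    full_control_groups: name suffixes of groups that hold Full Control
    (default "[SiteName] Owners"). ignore_actors: known-good accounts to skip.
    """
    hits = []
    for e in events:
        if e["UserId"] in ignore_actors:
            continue
        perms = (e["PermissionsGranted"] or "").lower()
        group = e["AddedToGroup"] or ""
        if e["Operation"] == DIRECT_GRANT and "full control" in perms:
            hits.append((e, f"Full Control granted directly to {e['TargetUserOrGroupName']}"))
        elif e["Operation"] == GROUP_ADD and group.endswith(tuple(full_control_groups)):
            hits.append((e, f"{e['TargetUserOrGroupName']} added to {group}"))
    return hits


def _event(ts, ip, actor, op, site, target, event_data):
    return {"CreationTime": ts, "ClientIP": ip, "UserId": actor, "Operation": op,
            "Workload": "SharePoint", "SiteUrl": site,
            "TargetUserOrGroupName": target, "EventData": event_data}


# Constructed sample events (not real tenant data): two escalations, two benign changes.
SITE = "https://contoso.sharepoint.com/sites/Finance"
_SAMPLE_EVENTS = [
    _event("2023-05-02T09:14:03", "203.0.113.10", "admin@contoso.onmicrosoft.com",
           GROUP_ADD, SITE, "j.doe@contoso.onmicrosoft.com",
           "<AddedToGroup>Finance Owners</AddedToGroup>"),
    _event("2023-05-02T09:20:41", "198.51.100.7", "it.ops@contoso.onmicrosoft.com",
           DIRECT_GRANT, SITE, "contractor@fabrikam.com",
           "<PermissionsGranted>Full Control</PermissionsGranted>"),
    _event("2023-05-02T10:02:15", "203.0.113.10", "admin@contoso.onmicrosoft.com",
           GROUP_ADD, SITE, "a.smith@contoso.onmicrosoft.com",
           "<AddedToGroup>Finance Members</AddedToGroup>"),
    _event("2023-05-02T10:30:00", "198.51.100.7", "it.ops@contoso.onmicrosoft.com",
           DIRECT_GRANT, SITE, "auditor@contoso.onmicrosoft.com",
           "<PermissionsGranted>Read</PermissionsGranted>"),
]


def sample_csv() -> str:
    """Write the sample events in the assumed export layout."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for ev in _SAMPLE_EVENTS:
        writer.writerow([ev["CreationTime"], ev["UserId"], ev["Operation"], json.dumps(ev)])
    return buf.getvalue()


if __name__ == "__main__":
    for e, why in find_escalations(expand_audit_rows(sample_csv())):
        print(e["CreationTime"], e["UserId"], e["ClientIP"], e["SiteUrl"], "->", why)
```

Run against a real export by replacing sample_csv() with the downloaded file's contents; the ignore_actors argument is the place to drop provisioning or service accounts that legitimately assign Full Control, which is the exclusion the native search filters cannot express.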
To get the same view in Netwrix Auditor:
- Run Netwrix Auditor -> Navigate to “Search” -> Click “Advanced mode” if it is not already selected.
- Set up the following filters:
  - Filter = “Data source”; Operator = “Equals”; Value = “SharePoint Online”
  - Filter = “Details”; Operator = “Contains”; Value = “Members”
  - Filter = “Details”; Operator = “Contains”; Value = “Permissions”
  - Filter = “What”; Operator = “Does not contain”; Value = “ Members”
  - Filter = “What”; Operator = “Does not contain”; Value = “ Visitors”
  (The last two values start with a space so that they match the default “[SiteName] Members” and “[SiteName] Visitors” groups, which do not hold Full Control by default; additions to those groups are left out of the report.)
- Click Search and review the report.
Notes about the report content:
- When permissions were assigned directly, the details below the actor’s UPN in the “Who” column start with “Permissions:” and the permissions granted appear in quotation marks.
- When a user was added to a group, the details start with “Members:” and the name of the group appears in the “What” column.
- To refine the results further, you can exclude particular groups, sites or actors: select the unwanted line in the results, click the Exclude from search button in the Details pane, and choose the value you want to exclude.