Sid 1-51474


FILE-OTHER Microsoft SharePoint deserialization attempt


This event is generated when an attempt is made to perform an unsafe deserialization function against a Microsoft SharePoint application.


Remote Code Execution

Detailed information

Microsoft SharePoint suffers from an unsafe deserialization vulnerability that could allow malicious users to run unauthorized code on a server. To take advantage of this vulnerability, the malicious user must have credentials to the system that allow them to make changes and upload BCD model files.

Affected systems

  • Microsoft SharePoint 2016

Ease of attack


False positives

False negatives

Corrective action

Apply recommended patches and/or updates to the system.


  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-1257