Forum Discussion
lfkentwell
Aug 29, 2019 · Brass Contributor
Mass Download Alert
Trying to understand the information in a Mass Download Alert as it seems unclear. Could a mass download alert simply be the OneDrive agent performing a sync of a large number of files? If so ho...
lfkentwell
Sep 02, 2019 · Brass Contributor
Pål-Erik Winther Thanks.
If it is not a normal sync, and I would expect a regular sync not to have such a large number of files to download in one go, could it be someone who has logged onto a new PC for the first time and that is triggering the download?
If it was something like that, how can I tell what machine they logged into, i.e. how would I know if someone got a new company laptop or if they loaded OneDrive on their personal home computer and did a sync?
For example, if an account was compromised and an attacker logged onto the OneDrive agent on a machine and synced everything down. That would be a sync, and if you're saying syncs are not counted as a Mass Download alert then that's a gap, as it's an unauthorized download.
lfkentwell
Sep 02, 2019 · Brass Contributor
I may have answered my question. Looks like the FileSyncDownloadedFull operation would tell you if a new connection to OneDrive was made and a full sync performed (see description below). Still doesn't tell me if the download was on an authorized machine or not.
User establishes a sync relationship and successfully downloads files for the first time to their computer from a SharePoint or OneDrive for Business document library.
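An added example, not part of the thread: a triage sketch that pulls FileSyncDownloadedFull events out of exported audit records and flags those whose source address is outside the organisation's known ranges, using the source IP as a stand-in for "which machine". The `Operation`, `UserId`, `ClientIP` and `CreationTime` fields are the audit record's own; the corporate range, the sample records and the function names are constructed for illustration.

```python
import ipaddress
import json

# Assumed corporate egress ranges (documentation prefix, constructed).
CORP_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample audit records, one JSON object per line.
SAMPLE = """\
{"CreationTime":"2019-09-02T08:14:11","Operation":"FileSyncDownloadedFull","UserId":"alice@example.com","ClientIP":"198.51.100.23"}
{"CreationTime":"2019-09-02T08:15:40","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"198.51.100.23"}
{"CreationTime":"2019-09-02T21:03:57","Operation":"FileSyncDownloadedFull","UserId":"bob@example.com","ClientIP":"203.0.113.77:50112"}
{"CreationTime":"2019-09-02T21:09:02","Operation":"FileSyncDownloadedFull","UserId":"carol@example.com","ClientIP":""}
"""

def parse_ip(value):
    """Return an ip_address, tolerating an 'ip:port' suffix; None if unusable."""
    value = (value or "").strip()
    if value.startswith("["):                # "[v6]:port"
        value = value[1:].split("]")[0]
    elif value.count(":") == 1:              # "v4:port"
        value = value.split(":")[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def off_network_full_syncs(lines, corp_nets=CORP_NETS):
    """Return (time, user, ip, reason) for full syncs not from a corporate range."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "FileSyncDownloadedFull":
            continue                          # only first-time full syncs
        ip = parse_ip(rec.get("ClientIP"))
        if ip is None:
            reason = "no usable ClientIP"     # surface it rather than drop it
        elif any(ip in net for net in corp_nets):
            continue                          # known network, not flagged
        else:
            reason = "outside corporate ranges"
        findings.append((rec["CreationTime"], rec["UserId"],
                         str(ip) if ip else "", reason))
    return findings

if __name__ == "__main__":
    for finding in off_network_full_syncs(SAMPLE):
        print(*finding, sep="  ")
```

A full sync from a known range can still be an unmanaged device on the corporate network, so a hit list like this is a starting point for follow-up rather than a verdict.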