Forum Discussion
endakelly
May 25, 2020 · Brass Contributor
Matching SharePoint machine ID to Intune
I am looking at some SharePoint logs for an alert but I cannot tell if the machine being used is one that is managed by our Intune or not. The machine ID from the SharePoint logs does not correspond ...
Thijs Lecomte
May 25, 2020 · Bronze Contributor
I don't have an example in front of me. But I think these IDs should be Azure AD device IDs.
- endakelly · May 25, 2020 · Brass Contributor
Thijs Lecomte I was hoping that but it doesn't appear to be the case from what I can tell. I have a machine ID like this 547f88ef-15d4-407d-88bd-75d0edf8c7bc but my Azure AD / Intune device has an ID in a similar format that is completely different.
None of my devices appear to match this string.
- Thijs Lecomte · May 25, 2020 · Bronze Contributor
Could you share the analytics query which throws the alert?
That way, I can check where the ID is coming from.
- endakelly · May 25, 2020 · Brass Contributor
Thijs Lecomte Here is the query:

OfficeActivity
// Look only at SharePoint file operations from the last 15 minutes
| where TimeGenerated > ago(15m)
| where OfficeWorkload == "SharePoint"
| where Operation in ("FileDeleted", "FileSyncDownloadedFull", "FolderDeleted", "FileDownloaded")
// Count events per 15-minute bin for each operation, user, site and client IP
| summarize count() by bin(TimeGenerated, 15m), Operation, UserId, Site_Url, ClientIP
| where count_ > 100
// Map the result columns to the alert's account, IP and URL entities
| extend AccountCustomEntity = UserId
| extend IPCustomEntity = ClientIP
| extend URLCustomEntity = Site_Url

The info generated here is the same as what I can see in the Audit Logs in Security and Compliance center.
Basically we're alerting for excessive downloads or deletions that might indicate malicious activity.