Forum Discussion
endakelly
May 25, 2020 | Brass Contributor
Matching SharePoint machine ID to Intune
I am looking at some SharePoint logs for an alert but I cannot tell if the machine being used is one that is managed by our Intune or not. The machine ID from the SharePoint logs does not correspond ...
Thijs Lecomte
May 25, 2020 | Bronze Contributor
Could you share the analytics query which throws the alert?
That way, I can check where the ID is coming from
endakelly
May 25, 2020 | Brass Contributor
Thijs Lecomte Here is the query:
OfficeActivity
| where TimeGenerated > ago(15m)
| where OfficeWorkload == "SharePoint"
| where Operation in ("FileDeleted", "FileSyncDownloadedFull", "FolderDeleted", "FileDownloaded")
| summarize count() by bin(TimeGenerated, 15m), Operation, UserId, Site_Url, ClientIP
| where count_ > 100
| extend AccountCustomEntity = UserId
| extend IPCustomEntity = ClientIP
| extend URLCustomEntity = Site_Url
The info generated here is the same as what I can see in the Audit Logs in Security and Compliance center.
Basically we're alerting for excessive downloads or deletions that might indicate malicious activity.
- Thijs Lecomte | May 25, 2020 | Bronze Contributor
You have made a really interesting point. I just searched for this information in my own environment, but couldn't find anything.
Rod_Trent any chance you can chime in and give us some more insights into how we can correlate machineID from the SharePoint logs to an AAD device?
- Thijs Lecomte | May 25, 2020 | Bronze Contributor
According to my research, this is the OneDrive Machine ID, but I don't think there is a way to correlate it to AAD/Intune. https://hansbrender.com/2020/01/15/the-onedrive-device-id/