Forum Discussion
Christian Bourque
May 19, 2020 | Tin Contributor
SharePointFileOperation via devices with previously unseen user agents
Hi, I've recently added this rule: "SharePointFileOperation via devices with previously unseen user agents" on Azure Sentinel, but when it triggers, it doesn't show essential information like the...
endakelly
May 20, 2020 | Brass Contributor
Christian Bourque, Account and IP are defined in the query as custom entities so they should appear in the incident view. You could manually edit the query to add Site_URL as the custom entity for URL to get this information.
I have a similar rule to this I've created for operations in SharePoint and I was able to define certain columns as custom entities to make them show in the incident view.
Christian Bourque
May 20, 2020 | Tin Contributor
endakelly, here's a screenshot of the last incident and as you'll see under entities, all the indicators are set to zero?!