Forum Discussion

Jafar1970
Copper Contributor
Nov 04, 2019

SharePointFileOperation via devices with previously unseen user agents

Hi Experts

 

I have configured ''SharePointFileOperation via devices with previously unseen user agents'' in Azure Sentinel. I receive a lot of alerts every day because I have a user called ''backup'' that is used for Office 365 backup. I must exclude this user ''backup'' as an exception to the alert. How do I add this exception inside the alert below?

 

I have the alert below; I want to exclude the UserId ''backup'' from the alert. Please support.

 

let threshold = 10;
let szSharePointFileOperation = "SharePointFileOperation";
// Operations of interest (the two array elements need a comma between them)
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
// Baseline: user agents seen between 14 days and 1 day ago
let historicalActivity =
OfficeActivity
| where TimeGenerated between(ago(14d)..ago(1d))
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| summarize historicalCount = count() by UserAgent;
// User agents seen in the last day
let recentActivity = OfficeActivity
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| where TimeGenerated > ago(1d)
| summarize recentCount = count() by UserAgent;
// leftanti keeps only user agents absent from the baseline
recentActivity | join kind = leftanti (historicalActivity) on UserAgent
| project RecordType = szSharePointFileOperation, UserAgent, recentCount
| order by recentCount asc, UserAgent
// More than 10 downloads/uploads from a new user agent
| where recentCount > threshold
// Pull back the individual events for those user agents
| join kind = rightsemi
(OfficeActivity
| where TimeGenerated >= ago(1d)
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
)
on UserAgent
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
| order by UserAgent asc, Operation asc, UserId asc
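One way to add the exclusion, as an added example that is neither the original poster's query nor the Sentinel rule template: filter the service account out of OfficeActivity once, in a shared let statement, so the exclusion applies to the 14-day baseline, the recent window and the final per-user summary alike. The UPN in excludedUsers is a placeholder; the real value should be confirmed first (for instance with OfficeActivity | summarize count() by UserId), because a filter on the literal "Backup" silently matches nothing if the column actually holds backup@tenant.onmicrosoft.com or a lowercase name.

```kql
// Added example, not the original query: same rule with the backup account excluded at the source.
let threshold = 10;
let szSharePointFileOperation = "SharePointFileOperation";
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
// PLACEHOLDER: replace with the exact UserId values seen in OfficeActivity for the backup account.
let excludedUsers = dynamic(["backup@contoso.onmicrosoft.com"]);
// Shared, pre-filtered source: case-insensitive exact match against the list,
// plus a prefix match in case the UserId carries a different tenant suffix.
let filteredActivity = OfficeActivity
  | where RecordType =~ szSharePointFileOperation
  | where Operation in~ (szOperations)
  | where UserId !in~ (excludedUsers) and UserId !startswith "backup";
// Baseline: user agents seen between 14 days and 1 day ago (backup account already removed)
let historicalActivity = filteredActivity
  | where TimeGenerated between (ago(14d) .. ago(1d))
  | summarize historicalCount = count() by UserAgent;
// User agents seen in the last day
let recentActivity = filteredActivity
  | where TimeGenerated > ago(1d)
  | summarize recentCount = count() by UserAgent;
recentActivity
| join kind = leftanti (historicalActivity) on UserAgent        // never seen in the baseline
| where recentCount > threshold                                 // more than 10 downloads/uploads
| join kind = rightsemi (
    filteredActivity
    | where TimeGenerated >= ago(1d)
  ) on UserAgent
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count()
    by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
| order by UserAgent asc, Operation asc, UserId asc
```

Filtering at the source rather than only before the final summarize has one side effect worth knowing: the backup tool's user agent no longer counts as "seen", so if an interactive account ever starts using that same user agent for bulk downloads it will still be reported as a previously unseen agent, which is normally what you want from this rule.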

 

6 Replies

      Jafar1970
      Copper Contributor
      @Clive Watson

      It did not work before the final summarize. Is there another option?
        CliveWatson
        Former Employee

        Jafar1970

        What is in the UserId column (I assume that the user backup shows in there?), can you paste the output here?

        I think I used an uppercase B, can you try a lowercase? Does the UserId start with "backup"? In that case use startswith, e.g.

        OfficeActivity
        | where UserId startswith "backup" 
        | summarize by UserId
        
        OfficeActivity
        | summarize count() by UserId
