Forum Discussion

Jafar1970's avatar
Jafar1970
Copper Contributor
Nov 04, 2019

SharePointFileOperation via devices with previously unseen user agents

Hi Experts   I have configured ''SharePointFileOperation via devices with previously unseen user agents'' in Azure sentinel, I receive a lots of alerts everyday because I have user called ''backup'...
CliveWatson's avatar
CliveWatson
Former Employee
Nov 04, 2019

Jafar1970 

 

Have you tried a line like this before the final summarize

 

  | where UserId !="Backup"
Jafar1970's avatar
Jafar1970
Copper Contributor
Nov 05, 2019
@Clive Waston

It did not work before the final summarize, Is there another option?
  • CliveWatson's avatar
    CliveWatson
    Former Employee
    Nov 05, 2019

    Jafar1970 

     

    What is in the USerID column (I assume that the user backup shows in there?), can you paste the output here? 

     

     

    I think I used an uppercase B, can you try a lowercase?  Does the USerId startwith "backup", in that case you startswith e.g.

    OfficeActivity
| where UserId startswith "backup" 
| summarize by UserId

OfficeActivity
| summarize count() by UserId

     

     

     

     

    • Jafar1970's avatar
      Jafar1970
      Copper Contributor
      Nov 05, 2019
      Yes, it starts with ''backup'' (lowercase). so where exactly I must write | where UserId !="Backup" in the script
      • CliveWatson's avatar
        CliveWatson
        Former Employee
        Nov 05, 2019

        Jafar1970

         

        As early as you can, maybe after:

         OfficeActivity
  | where TimeGenerated between(ago(14d)..ago(1d))

         

        Does it start with "backup" or that it?

         

        OfficeActivity
| where UserId !startswith "backup"
| summarize count() by UserId