Forum Discussion
Jafar1970
Nov 04, 2019Copper Contributor
SharePointFileOperation via devices with previously unseen user agents
Hi Experts, I have configured ''SharePointFileOperation via devices with previously unseen user agents'' in Azure Sentinel. I receive a lot of alerts every day because I have a user called ''backup'...
Jafar1970
Nov 05, 2019Copper Contributor
@Clive Watson
It did not work before the final summarize, Is there another option?
CliveWatson
Nov 05, 2019Former Employee
What is in the UserId column (I assume that the user backup shows in there?). Can you paste the output here?
I think I used an uppercase B, can you try a lowercase? Does the UserId start with "backup"? In that case you use startswith, e.g.
OfficeActivity
| where UserId startswith "backup"
| summarize by UserId
OfficeActivity
| summarize count() by UserId
Jafar1970
Nov 05, 2019Copper Contributor
Yes, it starts with ''backup'' (lowercase). So where exactly must I write | where UserId !="Backup" in the script?
CliveWatson
Nov 05, 2019Former Employee
As early as you can, maybe after:
OfficeActivity | where TimeGenerated between(ago(14d)..ago(1d))
Does it start with "backup", or is that it?
OfficeActivity | where UserId !startswith "backup" | summarize count() by UserId
akhilnz
Nov 05, 2019Copper Contributor
To avoid the confusion of where to write that line: simply run the original query, then drill into one of the results you want to exclude ("backup" in your case). If you have a service account for it, click the 3 dots shown before UserID and select Exclude. This will append the filter to your query and use it.
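Putting the thread's advice together as an added example (not the Sentinel rule's own text and not code from any poster): a simplified baseline-versus-recent user-agent query over OfficeActivity with the backup service account excluded before any summarize. The columns UserAgent, RecordType and Operation are assumed here; OfficeActivity, UserId and TimeGenerated come from the thread. Note that KQL startswith is case-insensitive while != is a case-sensitive exact match, so != "Backup" would never drop a user named backup-something.

```kql
// Added example, not the analytic rule shipped with Sentinel.
// Assumed columns: UserAgent, RecordType, Operation.
let lookback = 14d;   // baseline window of "known" user agents
let recent   = 1d;    // window that raises alerts
// Shared prefilter. The exclusion sits here, before either window is
// summarized, so the service account never feeds the baseline or the alert.
let sp = OfficeActivity
    | where RecordType == "SharePointFileOperation"
    | where isnotempty(UserAgent)
    // startswith is case-insensitive; use !startswith_cs if exact case matters.
    | where UserId !startswith "backup";
// Baseline: (user, agent) pairs already seen in the lookback window.
let baseline = sp
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | summarize by UserId, UserAgent;
// Recent activity whose (user, agent) pair is absent from the baseline.
sp
| where TimeGenerated > ago(recent)
| join kind=leftanti (baseline) on UserId, UserAgent
| summarize StartTime = min(TimeGenerated),
            EndTime   = max(TimeGenerated),
            Operations = make_set(Operation),
            EventCount = count()
          by UserId, UserAgent
| order by EventCount desc
```

If you use the portal's Exclude button instead, check where the generated `!=` clause lands: placed after the final summarize it filters the alert rows, but the excluded account still contributes to the baseline.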