Forum Discussion
Alert tuning Cloud apps
We are running the template rule "Mass download by a single user" and getting a lot of alerts, and we would like to tune the alerts with a specific SharePoint site/URL.
The issue is that I am not able to find a filtering setting/field in the "Alert tuning" rule that would match this. Is there anything I have missed, or are there fields missing?
I know that in the policy rule there is a field-filtering option named Activity objects > Activity object ID, in which I might be able to enter the "ObjectId" value of the site I want to exclude, but this seems to exclude the whole site. If it were possible to filter on a URL/path, we could filter just a specific folder which is downloaded a lot.
2 Replies
- zlate81 (Copper Contributor)
Thanks for the reply, but as you said, I'm looking for Microsoft's native way of doing this as they intended it, and maybe this is a feature that they haven't thought of.
- akl472 (Copper Contributor)
Hi,
Have you looked at creating a KQL query for that action?
If you search for whatever the activity is called and then add a line to say | where URL == "your url", you can then use a custom detection rule to generate alerts?
Apologies, those won't be what you're looking for, I just don't have those alerts to be able to search what table to query etc.
If you're not sure what table to query, try:
search "Mass download by a single user"
| distinct $table
Run a search on that table with no parameters to work out what the activity name/column name is and filter from there.
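
A sketch of the custom-detection approach suggested in the reply above, added here as an example and not part of either poster's message. It replaces the built-in anomaly policy with a plain per-user count and assumes the downloads are recorded in the CloudAppEvents table with ActionType "FileDownloaded" and the full file URL in RawEventData.ObjectId; the folder URL and threshold are placeholders.

```kusto
// Added example. Assumptions (not from the thread): table CloudAppEvents,
// ActionType "FileDownloaded", full file URL in RawEventData.ObjectId.
// Confirm both against your own events with the search/distinct query above.
let ExcludedFolder = "https://contoso.sharepoint.com/sites/ExampleSite/Shared Documents/ExampleFolder/"; // placeholder
let DownloadThreshold = 100; // placeholder, tune to your own baseline
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType == "FileDownloaded"
| extend FileUrl = tostring(RawEventData.ObjectId)
| where isnotempty(FileUrl)
// Drop only the noisy folder; the rest of the site stays monitored.
// startswith is case-insensitive. The trailing slash keeps sibling folders
// with a similar name prefix from being excluded by accident.
| where not(FileUrl startswith ExcludedFolder)
| summarize Downloads = count(),
            DistinctFiles = dcount(FileUrl),
            SampleFiles = make_set(FileUrl, 10),
            // Custom detection rules need Timestamp and ReportId in the output,
            // so carry the latest event's values through the aggregation.
            arg_max(Timestamp, ReportId)
    by AccountObjectId, AccountDisplayName
| where Downloads >= DownloadThreshold
```

Write the excluded prefix exactly as the URL appears in your own events (spaces, encoding, trailing slash), otherwise the filter silently matches nothing and the folder keeps generating alerts.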