Forum Discussion
zlate81
Jan 24, 2025 | Copper Contributor
Alert tuning Cloud apps
We are running the template rule "Mass download by a single user" and getting a lot of alerts, and we would like to tune the alerts with a specific SharePoint site/URL. The issue is that I am not abl...
akl472
Jan 29, 2025 | Copper Contributor
Hi,
Have you looked at creating a KQL query for that action?
If you search for whatever the activity is called and then add a line to say | where URL == "your url", you can then use a custom detection rule to generate alerts?
Apologies, those won't be what you're looking for, I just don't have those alerts to be able to search what table to query etc.
If you're not sure what table to query, try:
search "Mass download by a single user"
| distinct $table
Run a search on that table with no parameters to work out what the activity name/column name is and filter from there.
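
An added example, not part of akl472's reply: one shape the custom detection query could take once the table is confirmed. It assumes the downloads are recorded in CloudAppEvents with ActionType "FileDownloaded" and that RawEventData carries the SharePoint SiteUrl; the site URL, threshold and window are constructed placeholders.

```kusto
// Added example. Assumptions to confirm with the search query above:
//   - the activity is recorded in CloudAppEvents as ActionType "FileDownloaded"
//   - RawEventData.SiteUrl holds the SharePoint site the file came from
let tunedSite = "https://contoso.sharepoint.com/sites/example-site/"; // placeholder URL
let threshold = 50;  // constructed value: downloads per user per window
let binSize = 5m;    // constructed value: counting window
CloudAppEvents
| where Timestamp > ago(1d)
| where ActionType == "FileDownloaded"
| extend SiteUrl = tostring(RawEventData.SiteUrl)
// Exclude the noisy site. Use "startswith" instead to scope the rule to it.
| where SiteUrl !startswith tunedSite
// arg_max keeps the Timestamp and ReportId of the latest event in each group,
// which a custom detection rule needs in its results, along with an
// entity column such as AccountObjectId.
| summarize arg_max(Timestamp, ReportId),
            Downloads = count(),
            DistinctFiles = dcount(ObjectName),
            Sites = make_set(SiteUrl, 10)
    by AccountObjectId, AccountDisplayName, Window = bin(Timestamp, binSize)
| where Downloads >= threshold
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName,
          Window, Downloads, DistinctFiles, Sites
```

Run it in advanced hunting first and compare the hits against the template rule's alerts before saving it as a detection rule, since the template's own thresholds are not shown in this thread.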