Microsoft Tech Community

SharePointFileOperation via devices with previously unseen user agents


Hi Experts


I have configured "SharePointFileOperation via devices with previously unseen user agents" in Azure Sentinel. I receive a lot of alerts every day because I have a user called "backup" that is used for Office 365 backup. I must exclude this user "backup" as an exception to the alert. How do I add this exception inside the alert below?


I have the alert below; I want to exclude the user ID "backup" from the alert. Please support.


let threshold = 10;
let szSharePointFileOperation = "SharePointFileOperation";
// list literal needs a comma between the two operation names
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
// user agents seen in the 13 days before the most recent day
let historicalActivity =
OfficeActivity
| where TimeGenerated between(ago(14d)..ago(1d))
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| summarize historicalCount = count() by UserAgent;
// user agents seen in the most recent day
let recentActivity = OfficeActivity
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| where TimeGenerated > ago(1d)
| summarize recentCount = count() by UserAgent;
// keep only user agents with no historical activity
recentActivity | join kind = leftanti (historicalActivity) on UserAgent
| project RecordType = szSharePointFileOperation, UserAgent, recentCount
| order by recentCount asc, UserAgent
// More than 10 downloads/uploads from a new user agent
| where recentCount > threshold
// pull back the individual events for the flagged user agents
| join kind = rightsemi 
(OfficeActivity 
| where TimeGenerated >= ago(1d) 
| where RecordType =~ szSharePointFileOperation 
| where Operation in~ (szOperations)
)
on UserAgent
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
| order by UserAgent asc, Operation asc, UserId asc


6 Replies

@Jafar1970 


Have you tried a line like this before the final summarize?


| where UserId != "Backup"
@Clive Waston

It did not work before the final summarize. Is there another option?

@Jafar1970 


What is in the UserId column (I assume that the user backup shows in there?) Can you paste the output here?

I think I used an uppercase B; can you try a lowercase? Does the UserId start with "backup"? In that case you can use startswith, e.g.

OfficeActivity
| where UserId startswith "backup" 
| summarize by UserId

OfficeActivity
| summarize count() by UserId

Yes, it starts with "backup" (lowercase). So where exactly must I write | where UserId != "Backup" in the script?

@Jafar1970


As early as you can, maybe after:

OfficeActivity
| where TimeGenerated between(ago(14d)..ago(1d))


Does it start with "backup", or is that it?


OfficeActivity
| where UserId !startswith "backup"
| summarize count() by UserId

[Screenshot: clipboard_image_2.png]

To avoid the confusion of where to write that line: simply run the original query, then drill into one of the results you want to exclude, which is "backup" in your case. So if you have a service account for it, simply click on the 3 dots shown before UserId and select Exclude. This will append to your query and use it.
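Putting the thread's advice together, here is the original detection rewritten with the exclusion applied once, at the source, so the excluded account never contributes to the per-UserAgent counts in any of the three reads of OfficeActivity. This is an added example, not code from the thread or from the Sentinel content repository; the prefix "backup", the 14d/1d windows and the threshold of 10 are the values from the thread, and the `excludedUserPrefix` and `scopedActivity` names are my own. Two points it makes explicit: KQL's `!=` is case-sensitive (which is why "Backup" did not match a lowercase UPN), whereas `startswith`/`!startswith` and `in~`/`!in~` are case-insensitive; and filtering a shared base table is less fragile than inserting the same `where` into three places.

```kql
let threshold = 10;
let lookback = 14d;
let recentWindow = 1d;
let szSharePointFileOperation = "SharePointFileOperation";
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
// Account to exclude (assumed value from the thread). startswith is
// case-insensitive in KQL, so this drops "backup@contoso.com" and
// "Backup@contoso.com" alike; the case-sensitive != in the thread only
// drops an exact match. Caveat: a prefix also drops "backup-admin@...",
// so once the real UPN is known prefer an exact list with !in~.
let excludedUserPrefix = "backup";
// Shared, already-filtered base: every branch below derives from it,
// so the exclusion cannot be forgotten in one of the three reads.
let scopedActivity = OfficeActivity
  | where RecordType =~ szSharePointFileOperation
  | where Operation in~ (szOperations)
  | where UserId !startswith excludedUserPrefix;
// user agents seen in the lookback window before the most recent day
let historicalActivity = scopedActivity
  | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
  | summarize historicalCount = count() by UserAgent;
// user agents seen in the most recent day
let recentActivity = scopedActivity
  | where TimeGenerated > ago(recentWindow)
  | summarize recentCount = count() by UserAgent;
recentActivity
// keep only user agents with no historical activity
| join kind=leftanti historicalActivity on UserAgent
// more than `threshold` downloads/uploads from a previously unseen user agent
| where recentCount > threshold
// pull back the individual events for the flagged user agents
| join kind=rightsemi (
    scopedActivity
    | where TimeGenerated >= ago(recentWindow)
  ) on UserAgent
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count()
    by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
| order by UserAgent asc, Operation asc, UserId asc
```

Before deploying, run `scopedActivity | summarize count() by UserId` on its own and confirm the backup account is gone; if it still appears, the UserId column does not start with the prefix and the filter (not its position in the query) is what needs adjusting.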