SharePointFileOperation via devices with previously unseen user agents


Hi,

I've recently added this rule: "SharePointFileOperation via devices with previously unseen user agents" on Azure Sentinel, but when it triggers, it doesn't show essential information like the origin IP address, SharePoint directory, user agent, etc.

It's somewhat useless as is; is there a way to add the missing information?

Thanks,

Christian

4 Replies

@Christian Bourque Account and IP are defined in the query as custom entities so they should appear in the incident view. You could manually edit the query to add Site_URL as the custom entity for URL to get this information.

I have a similar rule to this I've created for operations in SharePoint and I was able to define certain columns as custom entities to make them show in the incident view.
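As an added illustration of the approach in the reply above (example code, not the built-in rule template or the poster's query): a KQL query that baselines SharePoint file-operation user agents over the prior 14 days, surfaces agents first seen in the last day, and carries account, IP and site URL through as custom entities so they render in the incident view. Column names follow the OfficeActivity schema; the 14d/1d windows and the summarized fields are assumptions.

```kql
// Added example, not the rule template's own query.
// Baseline window and detection window are assumed values.
let lookback = 14d;
let recent = 1d;
// User agents already observed performing SharePoint file operations
let knownAgents =
    OfficeActivity
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where RecordType == "SharePointFileOperation"
    | where Operation in ("FileDownloaded", "FileUploaded")
    | where isnotempty(UserAgent)
    | summarize by UserAgent;
// Recent operations whose user agent does not appear in the baseline
OfficeActivity
| where TimeGenerated > ago(recent)
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where isnotempty(UserAgent)
| join kind=leftanti knownAgents on UserAgent
// Keep the context an analyst needs: who, from where, which site, which files
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    OperationCount = count(),
    Files = make_set(SourceFileName, 50)
    by UserId, ClientIP, UserAgent, Site_Url, Operation
// Legacy entity mapping used by rule templates at the time of this thread:
// columns named *CustomEntity are what the incident view shows as entities.
| extend AccountCustomEntity = UserId,
         IPCustomEntity = ClientIP,
         URLCustomEntity = Site_Url
```

In the current analytics rule wizard the same mapping is configured on the Entity mapping tab rather than through *CustomEntity columns.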

@endakelly here's a screenshot of the last incident and as you'll see under entities, all the indicators are set to zero?!

@Christian Bourque As it stands right now, this will be more of a notification that the alert was created in O365. You should go there to get more information on it and perform the investigation.

You can also check the alert that was generated to see if the information is in there and create a Logic App that can do something like add comments to the incident with the information you need (although that would need to be started manually).

These alerts are getting better and better as time goes on. It may be worth entering a new request in the Azure Sentinel Customer Feedback for the information you are looking for here: https://feedback.azure.com/forums/920458-azure-sentinel

@Gary Bushey and @endakelly thanks to both of you for your feedback, it's really appreciated!