Mass Download Alert

Trying to understand the information in a Mass Download Alert as it seems unclear. Could a mass download alert simply be the OneDrive agent performing a sync of a large number of files?

If so, how can I tell in what direction, i.e. syncing files from PC to OneDrive or syncing files from OneDrive to PC?

If it's a sync to or from a PC, how can I tell what PC it is? Can I see if it's a domain-joined and therefore trusted PC?

I ask as there could be a scenario where an Office 365 user's credentials have been compromised. If they have the creds, they could load the OneDrive app on any PC and then sync down the files. How can I tell what machine, trusted or not, it was?

Thanks.

3 Replies
@lfkentwell I am not 100% sure, but a normal sync should not trigger that alert as far as I know. I believe the files would have to leave OneDrive/SharePoint in some way.

@Pål-Erik Winther Thanks.

If it is not a normal sync, and I would expect a regular sync not to have such a large number of files to download in one go, could it be someone who has logged onto a new PC for the first time and that is triggering the download?

If it was something like that, how can I tell what machine they logged into, i.e. how would I know if someone got a new company laptop or if they loaded OneDrive on their personal home computer and did a sync?

For example, if an account was compromised and an attacker logged onto the OneDrive agent on a machine and synced everything down. That would be a sync, and if you're saying syncs are not counted as a Mass Download alert then that's a gap, as it's an unauthorized download.

I may have answered my own question. Looks like the FileSyncDownloadedFull operation would tell you if a new connection to OneDrive was made and a full sync performed (see description below). Still doesn't tell me if the download was on an authorized machine or not.

User establishes a sync relationship and successfully downloads files for the first time to their computer from a SharePoint or OneDrive for Business document library.
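The thread ends with two open questions: which direction a sync event represents, and whether the machine doing the initial full sync is one the organisation knows about. The following is an added example (not from the thread, and not Microsoft's code) showing how a defender could triage exported unified audit log records: it maps the FileSync* operations to a sync direction, groups events by user and client IP, and flags sessions whose source address is outside an assumed corporate egress allowlist. The records, the user names and the `CORPORATE_NETWORKS` ranges are constructed for the example; the record field names (`Operation`, `UserId`, `ClientIP`, `UserAgent`, `CreationTime`, `Workload`, `ObjectId`) follow the AuditData JSON that `Search-UnifiedAuditLog` returns.

```python
"""Triage OneDrive/SharePoint sync events from the Office 365 unified audit log.

Added example for the thread above; not the thread's own code. It assumes
audit records in the AuditData JSON shape and a constructed corporate IP allowlist.
"""
import ipaddress
import json
from collections import defaultdict

# Assumption: corporate egress ranges. These are RFC 5737 documentation networks,
# constructed for the example; replace with the organisation's real ranges.
CORPORATE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Sync operations recorded by the unified audit log, mapped to the direction
# the thread asks about. Browser/API downloads (e.g. FileDownloaded) are not sync.
SYNC_DIRECTION = {
    "FileSyncDownloadedFull": "OneDrive -> PC (initial full sync)",
    "FileSyncDownloadedPartial": "OneDrive -> PC (incremental)",
    "FileSyncUploadedFull": "PC -> OneDrive (initial full sync)",
    "FileSyncUploadedPartial": "PC -> OneDrive (incremental)",
}

# Constructed sample AuditData records, serialised as JSON strings the way
# Search-UnifiedAuditLog returns them. Users, IPs and paths are made up.
_UA_SYNC = "Microsoft SkyDriveSync 19.086.0502.0006 ship; Windows NT 10.0 (17763)"
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2019-08-27T09:12:41", "Operation": "FileSyncDownloadedFull",
                "UserId": "alice@contoso.example", "ClientIP": "203.0.113.17", "UserAgent": _UA_SYNC,
                "Workload": "OneDrive", "ObjectId": "https://contoso-my.sharepoint.example/personal/alice/Documents/q3.xlsx"}),
    json.dumps({"CreationTime": "2019-08-27T09:12:42", "Operation": "FileSyncDownloadedFull",
                "UserId": "alice@contoso.example", "ClientIP": "203.0.113.17", "UserAgent": _UA_SYNC,
                "Workload": "OneDrive", "ObjectId": "https://contoso-my.sharepoint.example/personal/alice/Documents/plan.docx"}),
    json.dumps({"CreationTime": "2019-08-27T23:40:02", "Operation": "FileSyncDownloadedFull",
                "UserId": "bob@contoso.example", "ClientIP": "192.0.2.55", "UserAgent": _UA_SYNC,
                "Workload": "OneDrive", "ObjectId": "https://contoso-my.sharepoint.example/personal/bob/Documents/a.pdf"}),
    json.dumps({"CreationTime": "2019-08-27T23:40:03", "Operation": "FileSyncDownloadedFull",
                "UserId": "bob@contoso.example", "ClientIP": "192.0.2.55", "UserAgent": _UA_SYNC,
                "Workload": "OneDrive", "ObjectId": "https://contoso-my.sharepoint.example/personal/bob/Documents/b.pdf"}),
    json.dumps({"CreationTime": "2019-08-27T23:40:04", "Operation": "FileSyncDownloadedFull",
                "UserId": "bob@contoso.example", "ClientIP": "192.0.2.55", "UserAgent": _UA_SYNC,
                "Workload": "OneDrive", "ObjectId": "https://contoso-my.sharepoint.example/personal/bob/Documents/c.pdf"}),
    json.dumps({"CreationTime": "2019-08-27T10:05:00", "Operation": "FileSyncUploadedPartial",
                "UserId": "bob@contoso.example", "ClientIP": "198.51.100.8", "UserAgent": _UA_SYNC,
                "Workload": "OneDrive", "ObjectId": "https://contoso-my.sharepoint.example/personal/bob/Documents/notes.txt"}),
    json.dumps({"CreationTime": "2019-08-27T11:00:00", "Operation": "FileDownloaded",
                "UserId": "carol@contoso.example", "ClientIP": "203.0.113.9", "UserAgent": "Mozilla/5.0",
                "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.example/sites/hr/policy.pdf"}),
]


def parse_audit_data(raw_records):
    """Decode AuditData JSON strings into dicts."""
    return [json.loads(r) for r in raw_records]


def is_corporate_ip(ip, networks=CORPORATE_NETWORKS):
    """True when the client IP falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed ClientIP is treated as unknown
        return False
    return any(addr in net for net in networks)


def triage_sync_events(records, networks=CORPORATE_NETWORKS):
    """Group sync events per (user, client IP) and flag sessions from outside corporate networks."""
    sessions = defaultdict(lambda: {"count": 0, "directions": set(), "user_agents": set()})
    for rec in records:
        op = rec.get("Operation")
        if op not in SYNC_DIRECTION:
            continue  # not a sync-client operation; out of scope for this check
        s = sessions[(rec.get("UserId", ""), rec.get("ClientIP", ""))]
        s["count"] += 1
        s["directions"].add(SYNC_DIRECTION[op])
        s["user_agents"].add(rec.get("UserAgent", ""))
    results = []
    for (user, ip), s in sessions.items():
        results.append({
            "user": user,
            "client_ip": ip,
            "events": s["count"],
            "directions": sorted(s["directions"]),
            "user_agents": sorted(s["user_agents"]),
            "verdict": "known network" if is_corporate_ip(ip, networks) else "REVIEW: outside corporate network",
        })
    return results


if __name__ == "__main__":
    for row in triage_sync_events(parse_audit_data(SAMPLE_AUDIT_DATA)):
        print(row)
```

The IP and user-agent are the only device-related hints an audit record carries, so this check answers "known network or not" rather than "domain-joined or not"; establishing device trust for the session means correlating the user and timestamp with the sign-in logs, where the device and its managed/compliant state are recorded. The per-session event count is also what a mass-download threshold would be computed over, which is why a first full sync of a large library can look like a burst of FileSyncDownloadedFull events from a single client IP.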