Aug 28 2019 10:08 PM
Trying to understand the information in a Mass Download Alert as it seems unclear. Could a mass download alert simply be the OneDrive agent performing a sync of a large number of files?
If so, how can I tell in what direction, i.e. syncing files from PC to OneDrive or syncing files from OneDrive to PC?
If it's a sync to or from a PC, how can I tell what PC it is? Can I see if it's a domain-joined and therefore trusted PC?
I ask as there could be a scenario where an Office 365 user's credentials have been compromised. If they have the creds and they load the OneDrive app on any PC and then sync down the files, how can I tell what machine, trusted or not, it was?
Thanks.
Sep 02 2019 03:32 AM
@lfkentwell I am not 100 percent sure, but a normal sync should not trigger that alert as far as I know. I believe the files would have to leave OneDrive/SharePoint in some way.
Sep 02 2019 03:34 PM
@Pål-Erik Winther Thanks.
If it is not a normal sync, and I would expect a regular sync not to have such a large number of files to download in one go, could it be someone who has logged onto a new PC for the first time and that is triggering the download?
If it was something like that, how can I tell what machine they logged into, i.e. how would I know if someone got a new company laptop or if they loaded OneDrive on their personal home computer and did a sync?
For example, if an account was compromised and an attacker logged onto the OneDrive agent on a machine and synced everything down. That would be a sync, and if you're saying syncs are not counted as a Mass Download alert, then that's a gap as it's an unauthorized download.
Sep 02 2019 04:04 PM