Microsoft Tech Community

Custom mass download alert

Greetings, I have been messing around with Cloud App Security and have noticed their mass download alert. Unfortunately, I seem unable to add exclusions to this alert, so it triggers way too often on totally unimportant SharePoint sites.


Therefore I have made my own query to check for mass downloads; however, I can't make the query both count how many download operations a user has together with which sites they have downloaded from. It's either how many downloads in total and no info on which site they have downloaded from, or on a per-SharePoint-site basis, which is not very useful when some of the folders are very small and will not trigger on the set threshold.


My query looks like this, where I have used the extract function to filter out the uninteresting SharePoint sites which the CAS alerts keep triggering on.

let uninterestingPNNNNSites = OfficeActivity                //Removes sites containing /p-NNNN, N being a number
| where Operation contains "download" 
| extend pGroups = extract("(p+\\-+\\d{4}\\/$)",1, Site_Url)
| where pGroups != "" 
| summarize count() by Site_Url;
let uninterestingPersonalSites = OfficeActivity             //Removes /personal sites
| where Operation contains "download"
| extend personalGroups = extract("(\\/+personal+\\/)", 1 , Site_Url) 
| where personalGroups != ""
| summarize count() by Site_Url;
let uninterestingSiteP = OfficeActivity                //Removes the site /p/, this being an old site that is not going to be used. 
| where Operation contains "download" 
| extend pGroups = extract("(/p/)",1, Site_Url)
| where pGroups != "" 
| summarize count() by Site_Url;
OfficeActivity
| where Operation contains "download" 
| where Site_Url !in ( uninterestingPersonalSites ) 
| where Site_Url !in ( uninterestingPNNNNSites)
| where Site_Url !in ( uninterestingSiteP)
| summarize count() by Site_Url, UserId, ClientIP    //Remove Site-Url for total downloads per user
| project-rename Number_of_downloadoperations = count_
| where Number_of_downloadoperations > 300

Preferably I would be able to summarize by only UserId and ClientIP, giving a count for how many downloads they have done in a day, but also attaching a list of which sites they have downloaded from for analysts to act on without having to run their own manual search.

2 Replies
best response confirmed by stianhoydal (Brass Contributor)
At the end would something like

| summarize make_set(UserId) by ClientIP,Site_Url,Number_of_downloadoperations

give you what you are after?
Perfect, thanks again Matthew :)
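
The summary the question asks for (one row per UserId and ClientIP, with the total download count and the list of sites attached), as an added example that is not part of the original thread. It keeps the poster's three regex exclusions and the threshold of 300; the 1-day lookback and the column names Sites and DistinctSites are assumptions made here.

```kusto
// Added example, not code from the thread.
// Assumes the OfficeActivity table used in the original query.
let threshold = 300;                                   // same threshold as the original query
OfficeActivity
| where TimeGenerated > ago(1d)                        // assumed lookback: "downloads in a day"
| where Operation contains "download"
// The poster's three exclusions, applied per row instead of through three sub-queries
| where not(Site_Url matches regex @"p+-+\d{4}/$")     // sites ending in p-NNNN/
| where not(Site_Url matches regex @"/+personal+/")    // /personal/ sites
| where not(Site_Url matches regex @"/p/")             // the old /p/ site
// One row per user and client IP: total count plus the sites for the analyst
| summarize
    Number_of_downloadoperations = count(),
    Sites = make_set(Site_Url),
    DistinctSites = dcount(Site_Url)
    by UserId, ClientIP
| where Number_of_downloadoperations > threshold
| order by Number_of_downloadoperations desc
```

Because the count is taken across all sites before the threshold is applied, many small downloads spread over several sites still add up, and Sites shows the analyst where they came from.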