Custom mass download alert
Greetings, I have been messing around with Cloud App Security and have noticed their mass download alert; unfortunately I seem unable to add exclusions to this alert, so it triggers way too often on totally unimportant SharePoint sites.
Therefore I have made my own query to check for mass downloads; however, I can't make the query both count how many download operations a user has together with which sites they have downloaded from. It's either how many downloads in total with no info on which site they have downloaded from, or on a per-SharePoint-site basis, which is not very useful when some of the folders are very small and will not trigger on the set threshold.
My query looks like this, where I have used the extract function to filter out the uninteresting SharePoint sites which the CAS alerts keep triggering on.
let uninterestingPNNNNSites = OfficeActivity // Removes sites ending in /p-NNNN/, N being a digit
| where Operation contains "download"
| extend pGroups = extract(@"(/p-\d{4}/$)", 1, Site_Url)
| where isnotempty(pGroups) // extract() yields an empty/null value when there is no match
| distinct Site_Url; // a single-column table is what !in expects below
let uninterestingPersonalSites = OfficeActivity // Removes /personal/ (OneDrive) sites
| where Operation contains "download"
| extend personalGroups = extract(@"(/personal/)", 1, Site_Url)
| where isnotempty(personalGroups)
| distinct Site_Url;
let uninterestingSiteP = OfficeActivity // Removes the site /p/, an old site that is no longer used
| where Operation contains "download"
| extend pGroups = extract(@"(/p/)", 1, Site_Url)
| where isnotempty(pGroups)
| distinct Site_Url;
OfficeActivity
| where Operation contains "download"
| where Site_Url !in (uninterestingPersonalSites)
| where Site_Url !in (uninterestingPNNNNSites)
| where Site_Url !in (uninterestingSiteP)
| summarize count() by Site_Url, UserId, ClientIP // Remove Site_Url to get total downloads per user
| project-rename Number_of_downloadoperations = count_
| where Number_of_downloadoperations > 300
Preferably I would be able to summarize by only UserId and ClientIP, giving a count of how many downloads they have done in a day, but also attaching a list of which sites they have downloaded from, for analysts to act on without having to run their own manual search.
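One way to get the per-user, per-day count and the list of sites in a single result, as an added example that is not part of the original thread: it uses the thread's OfficeActivity columns, collapses the three site exclusions into one `uninterestingSites` list, and assumes the 300-operation threshold and the `make_set` cap of 50 sites are tuning values for your environment.

```kusto
// Added example (not the poster's query): per-user, per-day download count
// together with the set of SharePoint sites touched, for analyst triage.
// Assumes OfficeActivity has Operation, Site_Url, UserId, ClientIP, TimeGenerated.
let threshold = 300;                // tuning value, same as the thread's query
let uninterestingSites = OfficeActivity
| where Operation contains "download"
| where Site_Url matches regex @"/p-\d{4}/$"  // /p-NNNN/ sites
    or Site_Url matches regex @"/personal/"    // OneDrive personal sites
    or Site_Url matches regex @"/p/"           // the retired /p/ site
| distinct Site_Url;                           // single column, as !in expects
OfficeActivity
| where Operation contains "download"
| where Site_Url !in (uninterestingSites)
| summarize Number_of_downloadoperations = count(),
            DistinctSites = dcount(Site_Url),
            Sites = make_set(Site_Url, 50),    // cap the list so one row stays readable
            FirstDownload = min(TimeGenerated),
            LastDownload = max(TimeGenerated)
  by UserId, ClientIP, Day = bin(TimeGenerated, 1d)
| where Number_of_downloadoperations > threshold
| order by Number_of_downloadoperations desc
```

Binning by `bin(TimeGenerated, 1d)` makes the count a true per-day figure instead of depending on the query's time range, and `Sites` gives the analyst the site list without a second search.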
- m_zorich (Iron Contributor): At the end would something like
| summarize make_set(UserId) by ClientIP,Site_Url,Number_of_downloadoperations
give you what you are after?
- stianhoydal (Brass Contributor): Perfect, thanks again Matthew 🙂