Pulling SharePoint Site name / title into Alerts / Incidents

%3CLINGO-SUB%20id%3D%22lingo-sub-2993205%22%20slang%3D%22en-US%22%3EPulling%20SharePoint%20Site%20name%20%2F%20title%20into%20Alerts%20%2F%20Incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2993205%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20reviewing%20Incidents%20such%20as%26nbsp%3B%3CSPAN%3ESharePointFileOperation%20via%20devices%20with%20previously%20unseen%20user%20agents%20and%20then%20clicking%20Events%2C%20the%20query%20returns%20colums%20including%20URLCustomEntity%20%2F%20Site_URL%20which%20show%20the%20SharePoint%20Online%20site%20and%20OfficeObjectID%20which%20lists%20the%20file%20accessed%20on%20that%20site.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20the%20URLs%20may%20be%20cryptic%20to%20the%20security%20teams%2C%20is%20there%20any%20way%20we%20can%20include%20the%20%22Firendly%20name%22%20pr%20title%20of%20the%20site%20in%20the%20query%20that%20is%20returned%3F%20e.g.%20if%20the%20site%20is%20%3CA%20href%3D%22https%3A%2F%2Fwingtiptoys.sharepoint.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwingtiptoys.sharepoint.com%2FPRJ996%3C%2FA%3E%3C%2FP%3E%3CP%3EAnd%20the%20site%20is%20named%20%22Northwind%20Model%20Platform%22%26nbsp%3B%20can%20we%20see%20%22Northwind%20Model%20Platform%22%20in%20the%20results%20table.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20query%20used%20is%3A%3C%2FP%3E%3CP%3E%2F%2F%20The%20query_now%20parameter%20represents%20the%20time%20(in%20UTC)%20at%20which%20the%20scheduled%20analytics%20rule%20ran%20to%20produce%20this%20alert.%3CBR%20%2F%3Eset%20query_now%20%3D%20datetime(2021-11-17T08%3A59%3A14.8623880Z)%3B%3CBR%20%2F%3Elet%20threshold%20%3D%2050%3B%3CBR%20%2F%3Elet%20szSharePointFileOperation%20%3D%20%22SharePointFileOperation%22%3B%3CBR%20%2F%3Elet%20szOperations%20%3D%20dynamic(%5B%22FileDownloaded%22%2C%20%22FileUploaded%22%5D)%3B%3CBR%20%2F%3Elet%20starttime%20%3D%2014d%3B%3CBR%20%2F%3Elet%20endtime%20%3D%201d%3B%3CBR%20%2F%3Elet%20historicalActivity%20%3D%3CBR%20%2F%3EOfficeActivity%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20between(ago(starttime)%20..%20ago(endtime))%3CBR%20%2F%3E%7C%20where%20RecordType%20%3D~%20szSharePointFileOperation%3CBR%20%2F%3E%7C%20where%20Operation%20in~%20(szOperations)%3CBR%20%2F%3E%7C%20summarize%20historicalCount%20%3D%20count()%20by%20ClientIP%2C%20RecordType%2C%20Operation%3B%3CBR%20%2F%3Elet%20recentActivity%20%3D%20OfficeActivity%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(endtime)%3CBR%20%2F%3E%7C%20where%20RecordType%20%3D~%20szSharePointFileOperation%3CBR%20%2F%3E%7C%20where%20Operation%20in~%20(szOperations)%3CBR%20%2F%3E%7C%20summarize%20min(Start_Time)%2C%20max(Start_Time)%2C%20recentCount%20%3D%20count()%20by%20ClientIP%2C%20RecordType%2C%20Operation%3B%3CBR%20%2F%3Elet%20RareIP%20%3D%20recentActivity%3CBR%20%2F%3E%7C%20join%20kind%3D%20leftanti%20(historicalActivity)%20on%20ClientIP%2C%20RecordType%2C%20Operation%3CBR%20%2F%3E%2F%2F%20More%20than%2050%20downloads%2Fuploads%20from%20a%20new%20IP%3CBR%20%2F%3E%7C%20where%20recentCount%20%26gt%3B%20threshold%3B%3CBR%20%2F%3EOfficeActivity%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(endtime)%3CBR%20%2F%3E%7C%20where%20RecordType%20%3D~%20szSharePointFileOperation%3CBR%20%2F%3E%7C%20where%20Operation%20in~%20(szOperations)%3CBR%20%2F%3E%7C%20join%20kind%3D%20inner%20(RareIP)%20on%20ClientIP%2C%20RecordType%2C%20Operation%3CBR%20%2F%3E%7C%20where%20Start_Time%20between(min_Start_Time%20..%20max_Start_Time)%3CBR%20%2F%3E%7C%20summarize%20StartTimeUtc%20%3D%20min(min_Start_Time)%2C%20EndTimeUtc%20%3D%20max(max_Start_Time)%3CBR%20%2F%3Eby%3CBR%20%2F%3ERecordType%2C%3CBR%20%2F%3EOperation%2C%3CBR%20%2F%3EUserType%2C%3CBR%20%2F%3EUserId%2C%3CBR%20%2F%3EClientIP%2C%3CBR%20%2F%3EOfficeWorkload%2C%3CBR%20%2F%3ESite_Url%2C%3CBR%20%2F%3EOfficeObjectId%2C%3CBR%20%2F%3EUserAgent%2C%3CBR%20%2F%3EIPSeenCount%20%3D%20recentCount%3CBR%20%2F%3E%7C%20extend%3CBR%20%2F%3Etimestamp%20%3D%20StartTimeUtc%2C%3CBR%20%2F%3EAccountCustomEntity%20%3D%20UserId%2C%3CBR%20%2F%3EIPCustomEntity%20%3D%20ClientIP%2C%3CBR%20%2F%3EURLCustomEntity%20%3D%20Site_Url%3CBR%20%2F%3E%7C%20order%20by%20IPSeenCount%20desc%2C%20ClientIP%20asc%2C%20Operation%20asc%2C%20UserId%20asc%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

When reviewing Incidents such as SharePointFileOperation via devices with previously unseen user agents and then clicking Events, the query returns colums including URLCustomEntity / Site_URL which show the SharePoint Online site and OfficeObjectID which lists the file accessed on that site.

 

As the URLs may be cryptic to the security teams, is there any way we can include the "Firendly name" pr title of the site in the query that is returned? e.g. if the site is https://wingtiptoys.sharepoint.com/PRJ996

And the site is named "Northwind Model Platform"  can we see "Northwind Model Platform" in the results table.

 

The query used is:

// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2021-11-17T08:59:14.8623880Z);
let threshold = 50;
let szSharePointFileOperation = "SharePointFileOperation";
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
let starttime = 14d;
let endtime = 1d;
let historicalActivity =
OfficeActivity
| where TimeGenerated between(ago(starttime) .. ago(endtime))
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| summarize historicalCount = count() by ClientIP, RecordType, Operation;
let recentActivity = OfficeActivity
| where TimeGenerated > ago(endtime)
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;
let RareIP = recentActivity
| join kind= leftanti (historicalActivity) on ClientIP, RecordType, Operation
// More than 50 downloads/uploads from a new IP
| where recentCount > threshold;
OfficeActivity
| where TimeGenerated >= ago(endtime)
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| join kind= inner (RareIP) on ClientIP, RecordType, Operation
| where Start_Time between(min_Start_Time .. max_Start_Time)
| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time)
by
RecordType,
Operation,
UserType,
UserId,
ClientIP,
OfficeWorkload,
Site_Url,
OfficeObjectId,
UserAgent,
IPSeenCount = recentCount
| extend
timestamp = StartTimeUtc,
AccountCustomEntity = UserId,
IPCustomEntity = ClientIP,
URLCustomEntity = Site_Url
| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc

 

0 Replies