SharePointFileOperation via devices with previously unseen user agents


Hi Experts


I have configured ''SharePointFileOperation via devices with previously unseen user agents'' in Azure Sentinel. I receive a lot of alerts every day because I have a user called ''backup'' that is used for Office 365 backup. I must exclude this user ''backup'' as an exception to the alert. How do I add this exception inside the alert below?


I have the alert below; I want to exclude the UserId ''backup'' from the alert. Please support.


  let threshold = 10;
  let szSharePointFileOperation = "SharePointFileOperation";
  let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
  // Baseline: user agents seen doing SharePoint file operations in the previous 13 days
  let historicalActivity = OfficeActivity
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where RecordType =~ szSharePointFileOperation
  | where Operation in~ (szOperations)
  | summarize historicalCount = count() by UserAgent;
  // Recent: user agents seen doing the same operations in the last day
  let recentActivity = OfficeActivity
  | where RecordType =~ szSharePointFileOperation
  | where Operation in~ (szOperations)
  | where TimeGenerated > ago(1d)
  | summarize recentCount = count() by UserAgent;
  // leftanti keeps only user agents that have no match in the baseline
  recentActivity | join kind = leftanti (historicalActivity) on UserAgent
  | project RecordType = szSharePointFileOperation, UserAgent, recentCount
  | order by recentCount asc, UserAgent
  // More than 10 downloads/uploads from a new user agent
  | where recentCount > threshold
  // rightsemi returns the full recent events for the flagged user agents
  | join kind = rightsemi (
      OfficeActivity
      | where TimeGenerated >= ago(1d)
      | where RecordType =~ szSharePointFileOperation
      | where Operation in~ (szOperations)
  ) on UserAgent
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
  | order by UserAgent asc, Operation asc, UserId asc


6 Replies



Have you tried a line like this before the final summarize


  | where UserId !="Backup"
@Clive Waston

It did not work before the final summarize, Is there another option?



What is in the UserId column (I assume that the user backup shows in there)? Can you paste the output here?



I think I used an uppercase B, can you try a lowercase? Does the UserId start with "backup"? In that case use startswith, e.g.

| where UserId startswith "backup" 
| summarize by UserId

| summarize count() by UserId





Yes, it starts with ''backup'' (lowercase). So where exactly must I write | where UserId !="Backup" in the script?



As early as you can, maybe after:

  | where TimeGenerated between(ago(14d)..ago(1d))


Does it start with "backup", or is that it?


| where UserId !startswith "backup"
| summarize count() by UserId
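The complete rule with the exclusion applied "as early as you can", as an added example that is not the original rule from the question nor the replier's code. It assumes, as the thread states, that the service account's UserId begins with "backup" and keeps the threshold of 10 from the question. The filter is placed in all three branches (baseline, recent and the final rightsemi subquery) so that the backup account neither inflates the per-user-agent counts nor appears in the results:

```kql
// Added example: the detection from the question with the 'backup' service
// account excluded in every branch. Assumption: its UserId starts with "backup".
let threshold = 10;
let szSharePointFileOperation = "SharePointFileOperation";
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
// Prefix of the service account to exclude. KQL's startswith is
// case-insensitive, so "backup@..." and "Backup@..." are both excluded.
let excludedUserPrefix = "backup";
// Baseline: user agents seen in the previous 13 days, without the backup account
let historicalActivity = OfficeActivity
| where TimeGenerated between(ago(14d)..ago(1d))
| where UserId !startswith excludedUserPrefix
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| summarize historicalCount = count() by UserAgent;
// Recent: user agents seen in the last day, without the backup account
let recentActivity = OfficeActivity
| where TimeGenerated > ago(1d)
| where UserId !startswith excludedUserPrefix
| where RecordType =~ szSharePointFileOperation
| where Operation in~ (szOperations)
| summarize recentCount = count() by UserAgent;
// New user agents = recent minus baseline
recentActivity
| join kind = leftanti (historicalActivity) on UserAgent
| project RecordType = szSharePointFileOperation, UserAgent, recentCount
// More than 10 downloads/uploads from a new user agent
| where recentCount > threshold
// Pull back the underlying events for the flagged user agents,
// again without the backup account
| join kind = rightsemi (
    OfficeActivity
    | where TimeGenerated >= ago(1d)
    | where UserId !startswith excludedUserPrefix
    | where RecordType =~ szSharePointFileOperation
    | where Operation in~ (szOperations)
) on UserAgent
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
| order by UserAgent asc, Operation asc, UserId asc
```

Two details worth checking in your own tenant: `!=` is case-sensitive in KQL, which is why `!= "Backup"` does not match a UserId of `backup@...`; `!~` (case-insensitive not-equal), `!startswith` or `!in~` avoid that trap. If you know the account's full UPN, `| where UserId !~ "backup@<your-tenant-placeholder>"` is stricter than a prefix match, since a prefix would also exclude any other account that happens to begin with "backup".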




To avoid the confusion of where to write that line: simply run the original query, then drill into one of the results you want to exclude, which is "backup" in your case. So if you have a service account for it, simply click on the 3 dots shown before UserId and select Exclude. This will append the filter to your query and use it.