Nov 04 2019 06:16 AM - edited Nov 04 2019 07:06 AM
Hi Experts
I have configured "SharePointFileOperation via devices with previously unseen user agents" in Azure Sentinel, and I receive a lot of alerts every day because I have a user called "backup" that is used for Office 365 backup. I must exclude this user "backup" as an exception to the alert. How do I add this exception inside the alert below?
I have the alert below, and I want to exclude the user ID "backup" from the alert. Please support.
Nov 04 2019 02:22 PM
Nov 05 2019 12:08 AM
Nov 05 2019 12:19 AM
What is in the UserId column (I assume that the user backup shows up in there?). Can you paste the output here?
I think I used an uppercase B; can you try lowercase? Does the UserId start with "backup"? In that case you can use startswith, e.g.
OfficeActivity
| where UserId startswith "backup"
| summarize by UserId
OfficeActivity
| summarize count() by UserId
Nov 05 2019 03:42 AM
Nov 05 2019 12:21 PM
As early as you can, maybe after:
OfficeActivity
| where TimeGenerated between(ago(14d)..ago(1d))
Does it start with "backup", or is that the whole value?
OfficeActivity
| where UserId !startswith "backup"
| summarize count() by UserId
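Putting the pieces of the thread together, here is an added example of how the exclusion can sit inside a rule query of this shape. It is not the built-in rule's own query and not code from anyone in the thread; it assumes the rule is built on OfficeActivity filtered to RecordType "SharePointFileOperation" with a "previously unseen" check against a 14-day history, and it uses "backup@contoso.com" as a placeholder for the service account's UserId (confirm the real value with the "summarize count() by UserId" query above). The exclusion uses a case-insensitive exact match rather than !startswith, because !startswith "backup" would also silence any other account whose UserId happens to begin with that string.

```kql
// Added example, not from the original thread or the built-in rule template.
// Assumptions: the rule reads OfficeActivity with RecordType "SharePointFileOperation",
// and the backup service account's UserId is "backup@contoso.com" (placeholder).
let lookback = 14d;              // history window used to decide what is "previously seen"
let recent   = 1d;               // window the rule actually alerts on
let excludedUsers = dynamic(["backup@contoso.com"]);   // service accounts to ignore
// User agents already observed in the history window (excluding the service account,
// so its traffic neither alerts nor "pre-seeds" the known list).
let historicalUAs = OfficeActivity
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where RecordType == "SharePointFileOperation"
    | where isnotempty(UserAgent)
    | where UserId !in~ (excludedUsers)
    | summarize by UserAgent;
OfficeActivity
| where TimeGenerated > ago(recent)
| where RecordType == "SharePointFileOperation"
| where isnotempty(UserAgent)
// The exclusion goes before the summarize, so the service account never reaches the alert.
// Exact, case-insensitive match; !startswith "backup" would be broader than intended.
| where UserId !in~ (excludedUsers)
// Keep only user agents not seen in the history window.
| join kind=leftanti historicalUAs on UserAgent
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            Events = count(), Users = make_set(UserId), Operations = make_set(Operation)
    by UserAgent
```

To add more service accounts later, extend the excludedUsers array rather than chaining additional where clauses; if the rule already uses the UI "Exclude" action described below, check that the appended filter is an exact match on the full UserId and not a prefix match.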
Nov 05 2019 02:59 PM
To avoid the confusion of where to write that line: simply run the original query, then drill into one of the results you want to exclude, which is "backup" in your case. So if you have a service account for it, simply click on the three dots shown before UserId and select Exclude. This will append the filter to your query and use it.