Managed Sentinel – Alert 093

Alert ID: MS-A093
Alert Name: SharePoint downloads from devices associated with previously unseen user agents
Description: Tracking via user agent is one way to differentiate between types of connecting device. In homogeneous enterprise environments, the user agent associated with an attacker device may stand out as unusual.
Source: GitHub - Microsoft
Severity Level: Informational
Threat Indicator: Elevation of Privilege
MITRE ATT&CK Tactics: Exfiltration
Log sources: Office 365
False Positive: New hires
Recommendations: Review user accounts and endpoints that downloaded from SharePoint. Determine if these actions were legitimate.