Sharepoint downloads from devices associated with previously unseen user agents
Tracking via user agent is one way to differentiate between types of connecting device. In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.
Source: Github - Microsoft
Elevation of Privilege
MITRE ATT&CK Tactics
Review user accounts and endpoints which downloaded from Sharepoint. Determine if these actions were legitimate.