Sharepoint downloads from previously unseen IP address
Shows volume of documents uploaded to or downloaded from Sharepoint by new IP addresses. In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.
Source: Github - Microsoft
Elevation of Privilege
MITRE ATT&CK Tactics
New corporate devices
Review user accounts and endpoints which downloaded from Sharepoint. Determine if these actions were legitimate.