Managed Sentinel – Alert 094

Alert ID: MS-A094
Alert Name: SharePoint downloads from previously unseen IP address
Description: Shows the volume of documents uploaded to or downloaded from SharePoint by IP addresses not seen before. In stable environments, connections from new IPs may be unauthorized, especially when they coincide with spikes in volume, which could indicate large-scale document exfiltration.
Source: GitHub - Microsoft
Severity Level: Informational
Threat Indicator: Elevation of Privilege
MITRE ATT&CK Tactics: Exfiltration
Log sources: Office 365
False Positive: New corporate devices
Recommendations: Review the user accounts and endpoints that downloaded from SharePoint and determine whether these actions were legitimate.
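As an added illustration of the detection logic the description outlines (not the Microsoft Sentinel query this alert is built on), the following Python compares SharePoint file operations in a recent window against the client IPs seen in a baseline window, over constructed sample records that use Office 365 audit field names; the window lengths and volume threshold are assumed parameters.

```python
# Illustrative re-implementation of the alert's logic over constructed Office 365
# audit records (real field names, assumed simplified shape); not Microsoft's query.
from collections import defaultdict
from datetime import datetime, timedelta

FILE_OPS = {"FileDownloaded", "FileUploaded"}

def ev(time, op, user, ip, workload="SharePoint"):
    """One constructed audit record using Office 365 field names."""
    return {"CreationTime": time, "Workload": workload, "Operation": op,
            "UserId": user, "ClientIP": ip}

NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_EVENTS = [  # constructed sample data
    ev("2024-03-01T08:00:00", "FileDownloaded", "bob@example.com", "198.51.100.7"),  # older than baseline
    ev("2024-04-20T10:00:00", "FileDownloaded", "alice@example.com", "203.0.113.10"),
    ev("2024-04-25T11:00:00", "FileUploaded", "alice@example.com", "203.0.113.10"),
    ev("2024-05-01T09:00:00", "FileDownloaded", "alice@example.com", "203.0.113.10"),  # known IP
    ev("2024-05-01T09:05:00", "FileDownloaded", "bob@example.com", "198.51.100.7"),
    ev("2024-05-01T09:06:00", "FileDownloaded", "bob@example.com", "198.51.100.7"),
    ev("2024-05-01T09:07:00", "FileDownloaded", "bob@example.com", "198.51.100.7"),
    ev("2024-05-01T09:08:00", "FileUploaded", "bob@example.com", "198.51.100.7"),
    ev("2024-05-01T10:00:00", "FileDownloaded", "carol@example.com", "192.0.2.55"),
    ev("2024-05-01T10:30:00", "MailItemsAccessed", "dave@example.com", "192.0.2.99", "Exchange"),
]

def flag_new_ip_activity(events, now, baseline_days=14, lookback_hours=24, min_ops=1):
    """IPs with SharePoint file ops in the lookback window but absent from the baseline.

    An IP seen only *before* the baseline window is treated as new again, so a stale
    address returning with a burst of downloads is still surfaced.
    """
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(hours=lookback_hours)
    seen_ips = set()
    recent = defaultdict(lambda: {"uploads": 0, "downloads": 0, "users": set()})
    for e in events:
        if e.get("Workload") != "SharePoint" or e.get("Operation") not in FILE_OPS:
            continue
        t = datetime.fromisoformat(e["CreationTime"])
        if baseline_start <= t < recent_start:
            seen_ips.add(e["ClientIP"])
        elif recent_start <= t <= now:
            s = recent[e["ClientIP"]]
            s["uploads" if e["Operation"] == "FileUploaded" else "downloads"] += 1
            s["users"].add(e["UserId"])
    hits = [{"ip": ip, "uploads": s["uploads"], "downloads": s["downloads"], "users": sorted(s["users"])}
            for ip, s in recent.items() if ip not in seen_ips and s["uploads"] + s["downloads"] >= min_ops]
    return sorted(hits, key=lambda h: -(h["uploads"] + h["downloads"]))  # largest volume first
```

Raising `min_ops` keeps the single-download case out of the results and focuses the alert on the volume spikes the description calls out.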