Managed Sentinel – Alert 138

Alert ID: MS-A138
Alert Name: SharePoint downloads from previously unseen IP address
Description: Shows the volume of documents uploaded to or downloaded from SharePoint by new IP addresses. In stable environments, connections from IPs not seen before may be unauthorized, especially when they coincide with a spike in volume, which can indicate large-scale document exfiltration.

Identifies when the volume of documents uploaded to or downloaded from SharePoint by new IP addresses exceeds a threshold (default is 100).
Severity Level: Low
Threat Indicator: Elevation of Privilege
MITRE ATT&CK Tactics: Execution, Lateral Movement, Collection
Log sources: Office 365
False Positive: New corporate devices
Recommendations:
1. Review the user accounts and endpoints that downloaded from SharePoint.
2. Determine whether these actions were legitimate.
3. If the activity is confirmed as not legitimate, consider resetting the user account's password.
4. Perform an investigation in Azure Sentinel for the same entities (user account and source IP address).
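The detection described above, written out as a KQL analytics query. This is an added example, not the Managed Sentinel rule text. It assumes the Office 365 connector's OfficeActivity table with its standard columns (OfficeWorkload, Operation, ClientIP, UserId, OfficeObjectId, TimeGenerated); the 14-day baseline window and 1-day detection window are assumed tuning values, and 100 is the default threshold the alert states.

```kql
// Added example (not the vendor's rule): flag IPs that moved more than `threshold`
// SharePoint files in the detection window but never appeared in the baseline window.
let threshold = 100;                 // default from the alert description
let baselineStart = ago(14d);        // assumed: IPs active in this window count as "known"
let detectionStart = ago(1d);        // assumed: activity newer than this is evaluated
// 1. IPs that already uploaded or downloaded SharePoint files during the baseline.
let knownIPs =
    OfficeActivity
    | where TimeGenerated between (baselineStart .. detectionStart)
    | where OfficeWorkload =~ "SharePoint"
    | where Operation in ("FileDownloaded", "FileUploaded")
    | where isnotempty(ClientIP)
    | distinct ClientIP;
// 2. Recent file transfers from IPs absent from the baseline (leftanti drops known IPs).
OfficeActivity
| where TimeGenerated >= detectionStart
| where OfficeWorkload =~ "SharePoint"
| where Operation in ("FileDownloaded", "FileUploaded")
| where isnotempty(ClientIP)
| join kind=leftanti knownIPs on ClientIP
| summarize
    FileCount     = count(),
    DownloadCount = countif(Operation == "FileDownloaded"),
    UploadCount   = countif(Operation == "FileUploaded"),
    UserCount     = dcount(UserId),
    Users         = make_set(UserId, 10),       // accounts to review (recommendation 1)
    SampleFiles   = make_set(OfficeObjectId, 5),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by ClientIP
// 3. Only new IPs above the volume threshold become alerts.
| where FileCount > threshold
| extend IPCustomEntity = ClientIP               // entity mapping for the investigation graph
| order by FileCount desc
```

Splitting the count into downloads and uploads lets the analyst see at a glance whether the spike looks like exfiltration (downloads) or staging (uploads), and the Users set gives the entities for the Sentinel investigation in recommendation 4. A new corporate device or office egress IP will trip this once and then fall into the baseline, which matches the stated false-positive case.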