Sharepoint downloads from previously unseen IP address
Shows the volume of documents uploaded to or downloaded from SharePoint by IP addresses not seen before. In stable environments, connections from new IPs may be unauthorized, especially when they coincide with spikes in volume, which could indicate large-scale document exfiltration.
Identifies when the volume of documents uploaded to or downloaded from SharePoint by new IP addresses exceeds a threshold (default is 100).
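The detection logic above, as an added example that is not part of the original rule or of Azure Sentinel: a baseline period establishes which client IPs have previously moved SharePoint documents, and any IP outside that baseline whose document operations in the detection window exceed the threshold is flagged. The event schema (OfficeWorkload, Operation, ClientIP, UserId, TimeGenerated), the operation names, the baseline and window lengths, and the sample log lines are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that move document content; constructed set, loosely modelled on
# Office activity "Operation" values (hypothetical for this example).
DOC_OPERATIONS = {"FileDownloaded", "FileUploaded"}

# Fixed reference time for the constructed sample data.
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0)


def find_new_ip_spikes(events, now, threshold=100, baseline_days=14, window_days=1):
    """Flag client IPs that moved more than `threshold` SharePoint documents in the
    detection window but were never seen in the preceding baseline period."""
    window_start = now - timedelta(days=window_days)
    baseline_start = window_start - timedelta(days=baseline_days)

    baseline_ips = set()           # IPs with prior SharePoint document activity
    recent = defaultdict(list)     # ClientIP -> events inside the detection window

    for ev in events:
        if ev["OfficeWorkload"] != "SharePoint" or ev["Operation"] not in DOC_OPERATIONS:
            continue               # ignore other workloads and non-document operations
        ts = ev["TimeGenerated"]
        if baseline_start <= ts < window_start:
            baseline_ips.add(ev["ClientIP"])
        elif window_start <= ts <= now:
            recent[ev["ClientIP"]].append(ev)

    alerts = []
    for ip, evs in sorted(recent.items()):
        if ip in baseline_ips or len(evs) <= threshold:
            continue               # previously seen IP, or volume not above threshold
        alerts.append({
            "ClientIP": ip,
            "Count": len(evs),
            "Users": sorted({e["UserId"] for e in evs}),
            "Operations": sorted({e["Operation"] for e in evs}),
            "StartTime": min(e["TimeGenerated"] for e in evs),
            "EndTime": max(e["TimeGenerated"] for e in evs),
        })
    return alerts


def build_sample_events(now):
    """Constructed sample log: a long-known IP, a new IP with a spike, a new IP with low volume."""
    def burst(ip, user, op, count, start):
        return [{"TimeGenerated": start + timedelta(seconds=i), "OfficeWorkload": "SharePoint",
                 "Operation": op, "ClientIP": ip, "UserId": user} for i in range(count)]

    events = []
    # Known IP: seen 10 days ago, then heavy downloads today (must NOT alert: not a new IP)
    events += burst("203.0.113.10", "bob@contoso.example", "FileDownloaded", 5, now - timedelta(days=10))
    events += burst("203.0.113.10", "bob@contoso.example", "FileDownloaded", 300, now - timedelta(hours=3))
    # New IP: 150 downloads today from an address never seen before (must alert)
    events += burst("198.51.100.7", "alice@contoso.example", "FileDownloaded", 150, now - timedelta(hours=2))
    # New IP with low volume (must NOT alert at the default threshold)
    events += burst("198.51.100.8", "carol@contoso.example", "FileUploaded", 20, now - timedelta(hours=1))
    # Non-SharePoint activity from a new IP is ignored by the workload filter
    events.append({"TimeGenerated": now - timedelta(hours=1), "OfficeWorkload": "Exchange",
                   "Operation": "FileDownloaded", "ClientIP": "198.51.100.8",
                   "UserId": "carol@contoso.example"})
    return events


def run_sample(threshold=100):
    """Run the detection over the constructed sample at the given threshold."""
    return find_new_ip_spikes(build_sample_events(SAMPLE_NOW), SAMPLE_NOW, threshold=threshold)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ClientIP']}: {a['Count']} document operations by {', '.join(a['Users'])} "
              f"between {a['StartTime']} and {a['EndTime']}")
```

The known IP with 300 downloads is deliberately not flagged: this rule is about unseen sources, and a volume spike from an established IP belongs to a separate detection. Lowering the threshold makes the low-volume new IP surface as well, which is the tuning knob the rule's default of 100 exposes.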
Elevation of Privilege
MITRE ATT&CK Tactics
New corporate devices
1. Review the user accounts and endpoints that downloaded from SharePoint.
2. Determine whether these actions were legitimate.
3. If the activity is confirmed as not legitimate, consider resetting the user account's password.
4. Investigate the same entities (user account and source IP address) in Azure Sentinel.