Managed Sentinel – Alert 093
Alert ID | MS-A093 |
Alert Name | SharePoint downloads from devices associated with previously unseen user agents |
Description | Tracking via user agent is one way to differentiate between types of connecting device. In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual. Source: GitHub - Microsoft |
Severity Level | Informational |
Threat Indicator | Elevation of Privilege |
MITRE ATT&CK Tactics | Exfiltration |
Log sources | Office 365 |
False Positive | New hires |
Recommendations | Review the user accounts and endpoints that downloaded from SharePoint. Determine if these actions were legitimate. |