Managed Sentinel – Alert 138
| Field | Value |
|---|---|
| Alert ID | MS-A138 |
| Alert Name | SharePoint downloads from previously unseen IP address |
| Description | Shows the volume of documents uploaded to or downloaded from SharePoint by IP addresses not previously seen in the environment. In stable environments, connections from new IPs may be unauthorized, especially when they coincide with spikes in volume, which can indicate large-scale document exfiltration. The alert fires when the volume of documents uploaded to or downloaded from SharePoint by new IP addresses exceeds a threshold (default: 100). |
| Severity Level | Low |
| Threat Indicator | Elevation of Privilege |
| MITRE ATT&CK Tactics | Execution, Lateral Movement, Collection |
| Log sources | Office 365 |
| False Positive | New corporate devices |
| Recommendations | 1. Review the user accounts and endpoints that downloaded from SharePoint. 2. Determine whether these actions were legitimate. 3. If the transaction is confirmed as not legitimate, consider changing the user account password. 4. Perform an investigation in Azure Sentinel for the same entities (user account and source IP address). |
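The detection logic in the description, reproduced as an added example (this is not Managed Sentinel's own rule or query): events are read from records shaped like the Office 365 connector's OfficeActivity table (`OfficeWorkload`, `Operation`, `ClientIP`, `UserId`, `TimeGenerated`), IPs seen during a 14-day baseline window are treated as known, and any IP that first appears in the last 24 hours with more than 100 SharePoint uploads or downloads is reported. The 14-day/24-hour windows and the sample log lines are assumptions constructed for the example; the threshold default of 100 is the one stated above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example, not Managed Sentinel's own rule. Field names follow the
# Office 365 connector's OfficeActivity schema; the window lengths are an
# assumption chosen for the example.

NOW = datetime(2021, 6, 1, 12, 0, 0)  # constructed reference time


def make_events(ip, user, count, when):
    """Build `count` constructed SharePoint FileDownloaded events from one IP."""
    return [
        {"TimeGenerated": when + timedelta(seconds=i),
         "OfficeWorkload": "SharePoint",
         "Operation": "FileDownloaded",
         "ClientIP": ip,
         "UserId": user}
        for i in range(count)
    ]


# Constructed sample log using TEST-NET addresses, not real telemetry.
SAMPLE_EVENTS = (
    # Corporate IP seen during the baseline window; its later burst is known traffic.
    make_events("203.0.113.7", "alice@example.com", 3, NOW - timedelta(days=5))
    + make_events("203.0.113.7", "alice@example.com", 150, NOW - timedelta(hours=2))
    # Never-seen IP pulling a large volume inside the detection window: alerts.
    + make_events("198.51.100.23", "bob@example.com", 120, NOW - timedelta(hours=1))
    # Never-seen IP with only a handful of files: below threshold, no alert.
    + make_events("198.51.100.9", "carol@example.com", 5, NOW - timedelta(hours=3))
    # Exchange event from a new IP: wrong workload, ignored by the rule.
    + [{"TimeGenerated": NOW - timedelta(hours=1), "OfficeWorkload": "Exchange",
        "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.50",
        "UserId": "dave@example.com"}]
)


def find_new_ip_bulk_transfers(events, now, baseline_days=14,
                               detection_hours=24, threshold=100):
    """Return IPs that first appear in the detection window and exceed
    `threshold` SharePoint uploads/downloads there. IPs seen in the preceding
    baseline window are known and never alert, whatever their volume."""
    baseline_start = now - timedelta(days=baseline_days)
    detection_start = now - timedelta(hours=detection_hours)
    known_ips = set()
    recent_counts = Counter()
    recent_users = defaultdict(set)

    for ev in events:
        # Only SharePoint document transfers count toward the volume.
        if ev["OfficeWorkload"] != "SharePoint":
            continue
        if ev["Operation"] not in ("FileDownloaded", "FileUploaded"):
            continue
        t = ev["TimeGenerated"]
        if baseline_start <= t < detection_start:
            known_ips.add(ev["ClientIP"])
        elif detection_start <= t <= now:
            recent_counts[ev["ClientIP"]] += 1
            recent_users[ev["ClientIP"]].add(ev["UserId"])

    alerts = []
    for ip, count in recent_counts.items():
        if ip in known_ips or count <= threshold:
            continue
        alerts.append({"ClientIP": ip, "Count": count,
                       "Users": sorted(recent_users[ip])})
    # Largest transfers first, so the analyst sees the most likely exfiltration on top.
    return sorted(alerts, key=lambda a: a["Count"], reverse=True)


if __name__ == "__main__":
    for alert in find_new_ip_bulk_transfers(SAMPLE_EVENTS, NOW):
        print(f"{alert['ClientIP']}: {alert['Count']} transfers "
              f"by {', '.join(alert['Users'])}")
```

The known-IP exemption is what keeps a new corporate device (the listed false positive) from alerting after its first day: once an address has appeared in the baseline window, later bursts from it are ignored, so the baseline length is the trade-off between noise and the chance that a persistent attacker's address ages into the allowlist. Each alert carries the user accounts seen from that IP, which are the entities recommendations 1 and 4 ask the analyst to review.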