I am trying to build a new use case in Sentinel that alerts on a large number of files being downloaded from OneDrive or SharePoint by the same user.
I found this use case, which I tried to modify, but without success:
```kusto
let szSharePointFileOperation = "SharePointFileOperation";
// Baseline: user agents seen downloading/uploading between 30 and 7 days ago
let historicalActivity=
OfficeActivity
| where RecordType == szSharePointFileOperation
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(ago(30d)..ago(7d))
| summarize historicalCount=count() by UserAgent;
// Recent: user agents seen downloading/uploading in the last day
let recentActivity = OfficeActivity
| where RecordType == szSharePointFileOperation
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated > ago(1d)
| summarize recentCount=count() by UserAgent;
// leftanti keeps only user agents that have no match in the baseline (new user agents)
recentActivity | join kind = leftanti (
historicalActivity
) on UserAgent
| project RecordType = szSharePointFileOperation, UserAgent, recentCount
| order by recentCount asc, UserAgent
// More than 10 downloads/uploads from a new user agent
| where recentCount > 10
// rightsemi pulls back the raw events of the last day for those user agents
| join kind = rightsemi
(OfficeActivity
| where TimeGenerated >= ago(1d)
| where RecordType == "SharePointFileOperation" | where Operation in ("FileDownloaded", "FileUploaded"))
on UserAgent
| summarize count() by RecordType, Operation, UserAgent, UserType, UserId, OfficeWorkload, Site_Url
| order by UserAgent asc, Operation asc, UserId asc
```
This use case alerts only on downloads from new users, and only from SharePoint. I would like to do this for ordinary users too, for example a user who has also downloaded 20 files in OneDrive.
Could you help me?
Thank you very much!
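One way to express the requested rule, as an added example that is not the poster's query and not one of Sentinel's built-in rules: it counts FileDownloaded events per user across both the SharePoint and OneDrive workloads of the OfficeActivity table, then alerts when a user exceeds a fixed threshold and also exceeds a multiple of their own daily baseline. The threshold (20), the 1-day window, the 30-day baseline span and the 3x factor are assumptions to tune for your tenant.

```kusto
// Added example: mass file downloads by one user from SharePoint or OneDrive.
let threshold = 20;          // assumed: minimum downloads in the window before alerting
let window = 1d;             // assumed: recent window being evaluated
let baselineSpan = 30d;      // assumed: how far back the per-user baseline reaches
let spikeFactor = 3.0;       // assumed: alert only if recent count exceeds 3x the daily average
let baselineDays = (baselineSpan - window) / 1d;   // number of days covered by the baseline
// All file download events from both workloads (OneDrive downloads also carry
// RecordType "SharePointFileOperation", distinguished by OfficeWorkload).
let downloads = OfficeActivity
  | where RecordType == "SharePointFileOperation"
  | where OfficeWorkload in ("SharePoint", "OneDrive")
  | where Operation == "FileDownloaded";
// Per-user baseline: average downloads per day before the recent window.
let baseline = downloads
  | where TimeGenerated between (ago(baselineSpan) .. ago(window))
  | summarize HistoricalDownloads = count() by UserId
  | extend AvgDailyDownloads = HistoricalDownloads / baselineDays;
// Per-user activity inside the recent window, with context for triage.
let recent = downloads
  | where TimeGenerated > ago(window)
  | summarize RecentDownloads = count(),
              DistinctFiles = dcount(SourceFileName),
              Workloads = make_set(OfficeWorkload),
              Sites = make_set(Site_Url, 10),
              StartTime = min(TimeGenerated),
              EndTime = max(TimeGenerated)
      by UserId, UserType;
recent
| join kind=leftouter baseline on UserId       // users with no history keep a baseline of 0
| extend AvgDailyDownloads = coalesce(AvgDailyDownloads, 0.0)
| where RecentDownloads > threshold
| where RecentDownloads > spikeFactor * AvgDailyDownloads
| project-away UserId1
| order by RecentDownloads desc
```

Dropping the baseline join (the last `where` on AvgDailyDownloads) turns this into the simpler "more than N downloads per user per day" rule; the baseline mainly helps suppress users whose job involves bulk downloads every day.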