Creating filters and models for abnormal download behavior in SharePoint and OneDrive

Views:

Learn how to create and combine filters and models to detect abnormal SharePoint and OneDrive download behavior.

For more information about creating custom filters and models, see Creating a custom filter and Configuring a custom model.
For more information about formatting filter queries, see Filter query format and Using regex in custom filters.

On the Trend Vision One console, go to XDR Threat Investigation → Detection Model Management → Custom Filters.
Click Add.
Provide a descriptive filter name.
Provide a description of the filter.
Specify the severity associated with the event.
Select MESSAGE_ACTIVITY for the event type.
Select COLLABORATION ACTIVITY for the event ID.
Type actionName: FileDownloaded for the query.
Click Save.

Your filter appears in the Custom Filters tab.
Go to XDR Threat Investigation → Detection Model Management → Custom Models.
Click Add.
Specify the model name and description.
Select High for the severity.
Select Single filter for the filter option.

Note

You can select Multiple filters or Multiple filters in sequence to add up to 5 custom filters.
Select the filter you just created in the filter name drop-down menu.
Type 5 for the threshold to indicate that 5 file download events trigger an alert.
Select User account for the event grouping.
Select 15 minutes for the frequency.
Select Last 15 minutes for the period.
Select Enable after saving for the status.
Click Save.

Your model appears in the Custom Models tab.

When the conditions of your models and filters are matched in your email and collaboration app detections, you can view the related alerts in the Workbench app.