IDR Query - Limit Results

Hey,
I have a query that checks for SharePoint downloads - sanitised query below:

where("source_json.Workload" = "SharePoint" AND "action" = "FileDownloaded", loose) groupby("source_json.ObjectId")

This will trigger an alert if there are more than X amount of downloads from SharePoint over a 1 hour period.

Annoyingly, with SharePoint, it will generate multiple download logs per item that's accessed.
The query currently totals up all users' downloads over X period, rather than an individual user's downloads.
What I want to do is something like:
For each user, if they have downloaded more than X files, raise an alert.

I am not sure how to focus the query like this.

Any ideas?

You would need to add calculate(unique:filename) when grouping by user in order to establish per-user filename counts.

When building your custom detection rule, you would then use the unique box in the detection rule near the bottom to include the filename key name (using filename as a placeholder as I’m not fully sure what the key name is)

David
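To make the difference between the two approaches concrete, here is an added example (not from the thread, and not InsightIDR's own code) that emulates, in plain Python over constructed Office 365 audit records, what the original query counts versus what the suggested groupby-user plus calculate(unique:...) count gives. Field names "source_json.Workload", "action" and "source_json.ObjectId" come from the question's query; the user field "source_json.UserId" and the sample records are assumptions about the log shape.

```python
# Added example (not from the original thread): per-user distinct-file counting
# over a trailing window, versus the raw total the original query produces.
# Field names from the thread's query; "source_json.UserId" is an assumed field.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. SharePoint emits several FileDownloaded records
# for one item, so alice appears 5 times but touched only 2 distinct files.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01T10:05:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "alice@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/hr/a.docx"},
    {"timestamp": "2024-01-01T10:05:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "alice@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/hr/a.docx"},
    {"timestamp": "2024-01-01T10:06:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "alice@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/hr/a.docx"},
    {"timestamp": "2024-01-01T10:20:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "alice@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/hr/b.xlsx"},
    {"timestamp": "2024-01-01T10:21:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "alice@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/hr/b.xlsx"},
    {"timestamp": "2024-01-01T10:30:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "bob@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/fin/c.pdf"},
    {"timestamp": "2024-01-01T10:31:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "bob@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/fin/d.pdf"},
    {"timestamp": "2024-01-01T10:32:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "bob@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/fin/e.pdf"},
    {"timestamp": "2024-01-01T10:33:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "bob@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/fin/f.pdf"},
    # Outside the one-hour window: must not be counted.
    {"timestamp": "2024-01-01T09:30:00", "source_json.Workload": "SharePoint",
     "action": "FileDownloaded", "source_json.UserId": "carol@example.com",
     "source_json.ObjectId": "https://tenant.example/sites/hr/g.pptx"},
    # Different workload/action: filtered out by the where() clause.
    {"timestamp": "2024-01-01T10:40:00", "source_json.Workload": "Exchange",
     "action": "MailItemsAccessed", "source_json.UserId": "carol@example.com",
     "source_json.ObjectId": "mailbox"},
]

WINDOW = timedelta(hours=1)


def _in_window(event, window_end, window):
    ts = datetime.fromisoformat(event["timestamp"])
    return window_end - window < ts <= window_end


def select_downloads(events, window_end_iso, window=WINDOW):
    """where("source_json.Workload"="SharePoint" AND "action"="FileDownloaded")
    restricted to the trailing window ending at window_end_iso."""
    window_end = datetime.fromisoformat(window_end_iso)
    return [e for e in events
            if e.get("source_json.Workload") == "SharePoint"
            and e.get("action") == "FileDownloaded"
            and _in_window(e, window_end, window)]


def raw_download_count(events, window_end_iso, window=WINDOW):
    """What the original query effectively alerts on: every matching log line,
    all users pooled, duplicates per item included."""
    return len(select_downloads(events, window_end_iso, window))


def unique_downloads_per_user(events, window_end_iso, window=WINDOW):
    """groupby(UserId) calculate(unique:ObjectId): distinct files per user,
    so repeated log lines for the same item count once."""
    files = defaultdict(set)
    for e in select_downloads(events, window_end_iso, window):
        files[e["source_json.UserId"]].add(e["source_json.ObjectId"])
    return {user: len(ids) for user, ids in files.items()}


def users_over_threshold(events, window_end_iso, threshold, window=WINDOW):
    """Users whose distinct-file count in the window exceeds the threshold."""
    counts = unique_downloads_per_user(events, window_end_iso, window)
    return sorted(u for u, n in counts.items() if n > threshold)


if __name__ == "__main__":
    end = "2024-01-01T11:00:00"
    print("raw matching lines:", raw_download_count(SAMPLE_EVENTS, end))
    print("distinct files per user:", unique_downloads_per_user(SAMPLE_EVENTS, end))
    print("over threshold 3:", users_over_threshold(SAMPLE_EVENTS, end, 3))
```

With a threshold of 3 the pooled raw count (9 lines) would fire even though only bob fetched more than three distinct files; the per-user distinct count flags bob alone and ignores alice's repeated log lines for the same two items. The same logic is what the answer's groupby(user) plus calculate(unique:...) expresses in LEQL.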