Investigation priority score increase alert

Maharishi Jaya 20 Reputation points
2023-10-16T10:39:15.4133333+00:00

Defender is alerting with "Investigation priority score increase" when a user accesses sharepoint file or downloads it for the first time. User has legitimate access to those links but has not used them earlier. Why should such an alert appear in Defender?

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,301 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,282 questions
0 comments No comments
{count} votes

Accepted answer
  1. James Hamil 23,216 Reputation points Microsoft Employee
    2023-10-16T18:24:29.8533333+00:00

    Hi @Maharishi Jaya , the "Investigation priority score increase" alert in Microsoft Defender for Cloud is triggered when there is a significant increase in the priority score of an alert. The priority score is calculated based on the severity of the alert, the number of affected resources, and the potential impact of the alert.

    In the case of a user accessing a SharePoint file or downloading it for the first time, it is possible that the alert is triggered because this activity is considered unusual or unexpected based on the user's previous behavior. This could be due to a change in the user's role or responsibilities, or it could be due to a potential compromise of the user's account.

    However, it is also possible that the alert is a false positive and that the user's activity is legitimate. In this case, you can investigate the alert further to determine if there is any evidence of malicious activity or if the user's activity can be explained by legitimate reasons.

    To investigate the alert further, you can review the details of the alert and the associated activity logs to determine if there is any evidence of malicious activity. You can also review the user's access permissions and activity history to determine if the user's activity is consistent with their role and responsibilities.

    If you determine that the alert is a false positive, you can dismiss the alert or adjust the alert threshold to reduce the likelihood of similar alerts in the future.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful