I'm examining O365 data in Magnet Axiom and Microsoft Security and Compliance Center. More specifically I'm looking at files downloaded from Sharepoint and trying to correlate if they were downloaded on a particular machine. The Unified Audit Log provides me with the IP address and several different ID #'s, but I'm not sure exactly what they are. Does any of these ID #'s point to a specific machine?
Can anyone recommend a best practice to correlate Sharepoint activity with a machine. I looked for web activity during the date/time of download to see if there were artifacts pointing to the download and I'm not finding anything. I'm starting to think that a different machine was used for the download, but feel that I may be missing something.
Thank you
