Improve Accuracy of Default Unusual External User File Activity Alert
These alerts are supposed to be based on machine learning, but MS Support has confirmed they are based on simple threshold settings. Considering that acceptable actions like syncing a OneNote site notebook, performing a quick edit on library metadata, or bulk dragging/dropping docs into a library will trigger this alert, the alert is useless.
"Unusual" file activity by an external user should include one-time attempts to access system pages such as the permissions page (/_layouts/15/user.aspx), as well as machine-learning-based adaptive thresholds which adjust to the typical behavior of our invited external users (of whom we have a lot, resulting in tons of false-positive alerts from this default policy), which is what these alerts were advertised to be in the first place.
Eddy Veldboer commented
Same problem here; the result of this alert consists only of false positives. The severity has changed from medium* to high as well, and you are not able to change it (*: when the alert was introduced).