Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Exchange Email Messages | Base Rule | General Email Handling Message | Information |
| Added Mailbox Permission | Sub Rule | Configuration Enabled : Application | Configuration |
| Enabled Address List Paging | Sub Rule | Configuration Enabled : Application | Configuration |
| Enabled Mailbox | Sub Rule | Configuration Enabled : Application | Configuration |
| Installed Admin Config | Sub Rule | Configuration Enabled : System | Configuration |
| Installed Data Config | Sub Rule | Configuration Enabled : System | Configuration |
| Installed Default Policy | Sub Rule | Configuration Deleted : Application | Configuration |
| Installed Resource Config | Sub Rule | Policy Enabled : Object | Policy |
| New Exchange Config | Sub Rule | Configuration Enabled : System | Configuration |
| Set Admin Config | Sub Rule | Configuration Loaded : Network Access | Configuration |
| Set Exchange Config | Sub Rule | Configuration Enabled : Application | Configuration |
| Set Mailbox | Sub Rule | Configuration Enabled : Application | Configuration |
| Set Owa Policy | Sub Rule | Configuration Enabled : Application | Configuration |
| Set Recipient Policy | Sub Rule | Policy Enabled : User/Password | Policy |
| Set Tenant Version | Sub Rule | Policy Enabled : Auditing | Policy |
| Set Transport Config | Sub Rule | Configuration Enabled : System | Configuration |
| Add Recipient Permission | Sub Rule | Privilege Granted | Access Granted |
| Add Role Group Member | Sub Rule | Privilege Granted | Access Granted |
| Mailbox Folder Accessed | Sub Rule | Object Accessed | Access Success |
| New Mailbox Search | Sub Rule | Configuration Modified : Directory Services | Configuration |
| New Mailbox Created | Sub Rule | Configuration Enabled : Directory Services | Configuration |
| New Mail Contact | Sub Rule | Configuration Modified : Directory Services | Configuration |
| Cancel Folder Move Request | Sub Rule | Configuration Disabled : Database | Configuration |
| Remove Unified Group | Sub Rule | Group Deleted | Account Deleted |
| Send on Behalf | Sub Rule | Email Message Sent | Information |
| Set Contact | Sub Rule | Configuration Modified : Directory Services | Configuration |
| Mailbox Search Modified | Sub Rule | Configuration Modified : Directory Services | Configuration |
| Unified Group Modified | Sub Rule | Group Attribute Modified | Account Modified |
| Unified Group Added | Sub Rule | Group Created | Account Created |
| User Added to Group | Sub Rule | Privilege Granted | Access Granted |
| Mailbox Login | Sub Rule | User Logon | Authentication Success |
| User Account Modified | Sub Rule | User Account Attribute Modified | Account Modified |
| Email Marked for Deletion | Sub Rule | Email Deleted | Information |
| Email Deleted | Sub Rule | Email Deleted | Information |
| User Granted SendAs Permissions | Sub Rule | Privilege Granted | Access Granted |

Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | <session> | Text/String | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | N/A | N/A | Type of user |
| USERKEY | N/A | N/A | User key information (hexadecimal value) |
| WORKLOAD | <process> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | <result> | Text/String | Results |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> | Text/String | Source user name |
| SIP | N/A | N/A | Source IP address |
| OBJECTNAME | N/A | N/A | N/A |
| PARAMETERS | <sessiontype> | Text/String | N/A |
| MODIFIEDPROPERTIES | N/A | N/A | N/A |
| EXTERNALACCESS | N/A | N/A | N/A |
| ORIGINATINGSERVER | <sender> | Text/String | N/A |
| ORGANIZATIONNAME | N/A | N/A | N/A |
| LOGONTYPE | <group> | Text/String | N/A |
| MAILBOXOWNER | <account> | Text/String | N/A |
| MAILBOXMASTER | N/A | N/A | N/A |
| LOGONUSERSID | N/A | N/A | N/A |
| LOGONUSERDISPLAYNAME | N/A | N/A | N/A |
| USERAGENT | <useragent> | Text/String | N/A |
| CLIENTIPADDRESS | <sipv4> | IP Address / Number | N/A |
| CLIENTPROCESSNAME | N/A | N/A | N/A |
| CLIENTVERSION | <version> | Number | N/A |
| FOLDER | <subject> | Text/String | N/A |
| CROSSMAILBOXOPERATIONS | N/A | N/A | N/A |
| DESTMAILBOX | N/A | N/A | N/A |
| DESTMAILBOXOWNER | N/A | N/A | N/A |
| DESTMAILBOXMASTER | N/A | N/A | N/A |
| DESTFOLDER | N/A | N/A | N/A |
| FOLDERS | N/A | N/A | N/A |
| AFFECTEDITEMS | N/A | N/A | N/A |
| ITEM | <objectname> | Text/String | N/A |
| ITEM | <subject> | Text/String | N/A |
| SENDASUSER | <sender> | Text/String | N/A |
| SENDONBEHALFOFUSER | <sender> | Text/String | N/A |
| "Subject":" | N/A | N/A | N/A |