Microsoft Apps Activity Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Microsoft Apps Activity Messages | Base Rule | General Microsoft Exchange Server Information | Information |
| PowerApps Messages | Sub Rule | Module Loaded | Other Audit Success |
| Quarantine Messages | Sub Rule | Quarantine | Activity |
| AirInvestigation Messages | Sub Rule | General Security Alert | Warning |
| CRM Messages | Sub Rule | General Microsoft CRM Information | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | <session> | Text/String | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | <objecttype> | Text/String | Type of user |
| USERKEY | N/A | N/A | User key information |
| WORKLOAD | <tag1> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | <result> | Text/String | N/A |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> <domainorigin> | Text/String | Source user name |
| SIP | <sip> <sport> | IP Address Number | Source IP address |
| DETAILS | N/A | N/A | N/A |
| CreationTime | N/A | N/A | N/A |
| ID | N/A | N/A | N/A |
| Operation | N/A | N/A | N/A |
| OrganizationId | N/A | N/A | N/A |
| RecordType | N/A | N/A | N/A |
| ResultStatus | N/A | N/A | N/A |
| UserKey | N/A | N/A | N/A |
| UserType | N/A | N/A | N/A |
| Version | <version> | Number | N/A |
| Workload | N/A | N/A | N/A |
| UserId | N/A | N/A | N/A |
| NetworkMessageId | N/A | N/A | N/A |
| ReleaseTo | N/A | N/A | N/A |
| RequestSource | N/A | N/A | N/A |
| RequestType | N/A | N/A | N/A |
| URL | <url> | Text/String | N/A |
| Useragent | <useragent> | Text/String | N/A |
| AppName | <objectname> | Text/String | N/A |