Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| OneDrive Messages | Base Rule | General File Monitoring Event | Other Audit |
| WAC Token Shared | Sub Rule | General Authentication Event | Other Audit |
| Shared File, Folder, or Site | Sub Rule | Object Added | Access Success |
| File Uploaded | Sub Rule | Object Added | Access Success |
| File Sync Uploaded Full | Sub Rule | Object Added | Access Success |
| File Sync Downloaded Partial | Sub Rule | Object Added | Access Success |
| File Sync Downloaded Full | Sub Rule | Object Added | Access Success |
| File Renamed | Sub Rule | Object Renamed | Access Success |
| File Previewed | Sub Rule | Object Read | Access Success |
| File Moved | Sub Rule | Object Moved | Access Success |
| File Modified | Sub Rule | Object Modified | Access Success |
| File Downloaded | Sub Rule | Object Added | Access Success |
| File Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| File Accessed | Sub Rule | Object Accessed | Access Success |
| Company Link Used | Sub Rule | Object Accessed | Access Success |
| Company Link Created | Sub Rule | Object Created | Access Success |
| Added to Group | Sub Rule | Privilege Granted | Access Granted |
| Access Request Created | Sub Rule | Request Received | Other Audit Success |
| Access Request Approved | Sub Rule | Privilege Granted | Access Granted |
| Anonymous Link Created | Sub Rule | Access Granted Activity | Access Granted |
| Anonymous Link Removed | Sub Rule | Access Revoked Activity | Access Revoked |
| Anonymous Link Updated | Sub Rule | Object Modified | Access Success |
| Anonymous Link Used | Sub Rule | Object Accessed | Access Success |
| Company Link Removed | Sub Rule | Access Revoked Activity | Access Revoked |
| File Copied | Sub Rule | Object Accessed | Access Success |
| Folder Modified | Sub Rule | Object Modified | Access Success |
| Removed From Site Collection | Sub Rule | Access Revoked Activity | Access Revoked |
| Sharing Invitation Created | Sub Rule | Access Granted Activity | Access Granted |
| Sharing Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | N/A | N/A | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | N/A | N/A | Type of user |
| USERKEY | <session> | Text/String | User key information (hexadecimal value) |
| WORKLOAD | <process> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | <tag1> | Text/String | Result |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> <domain> | Text/String | Source user name |
| SIP | <sip> | IP Address | Source IP address |
| ITEMTYPE | <objectname> | Text/String | N/A |
| EVENTSOURCE | <subject> | Text/String | N/A |
| USERAGENT | <useragent> | Text/String | N/A |
| DOMAIN | N/A | N/A | N/A |
| FILENAME | N/A | N/A | N/A |
| DESTINATION | N/A | N/A | N/A |
| DESTINATIONFILENAME | N/A | N/A | N/A |
| USERSHAREDWITH | <account> | Text/String | N/A |
| SHARINGTYPE | N/A | N/A | N/A |
| EventData | N/A | N/A | N/A |
| MODIFIEDPROPERTIES | N/A | N/A | N/A |
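The two tables describe the mapping in the abstract. The Python script below is added here as an illustration and is not part of LogRhythm's documentation or product: it parses a few constructed OneDrive audit messages, maps their device keys onto the schema fields listed in the mapping table, and assigns each message the sub rule, common event and classification from the classification table. Assumptions: the page shows no sample log line, so the KEY=value wire format and the three sample messages are constructed; the Office 365 audit Operation names (FileDownloaded, AnonymousLinkCreated, and so on) are assumed to be what arrives in COMMAND, and only a subset of the sub rules is included; hostnames and addresses are fictitious.

```python
import ipaddress
import re

# Device key -> LogRhythm schema field, taken from the mapping table. Keys the page
# lists as N/A (TS, SESSID, USERTYPE, DOMAIN, FILENAME, ...) are left out on purpose
# and dropped by normalize(). USER, WORKLOAD and SIP need extra handling.
KEY_TO_SCHEMA = {
    "COMMAND": "command", "USERKEY": "session", "RESULTCODE": "tag1",
    "OBJECT": "object", "ITEMTYPE": "objectname", "EVENTSOURCE": "subject",
    "USERAGENT": "useragent", "USERSHAREDWITH": "account",
}

# Subset of the classification table, keyed by sub rule name:
# (Office 365 audit Operation name, Common Event, Classification).
# ASSUMPTION: the Operation name is what arrives in COMMAND; the page does not say.
RULES = {
    "File Downloaded":            ("FileDownloaded",           "Object Added",            "Access Success"),
    "File Uploaded":              ("FileUploaded",             "Object Added",            "Access Success"),
    "File Accessed":              ("FileAccessed",             "Object Accessed",         "Access Success"),
    "File Deleted":               ("FileDeleted",              "Object Deleted/Removed",  "Access Success"),
    "File Modified":              ("FileModified",             "Object Modified",         "Access Success"),
    "Anonymous Link Created":     ("AnonymousLinkCreated",     "Access Granted Activity", "Access Granted"),
    "Anonymous Link Removed":     ("AnonymousLinkRemoved",     "Access Revoked Activity", "Access Revoked"),
    "Anonymous Link Used":        ("AnonymousLinkUsed",        "Object Accessed",         "Access Success"),
    "Sharing Invitation Created": ("SharingInvitationCreated", "Access Granted Activity", "Access Granted"),
    "Sharing Revoked":            ("SharingRevoked",           "Access Revoked Activity", "Access Revoked"),
}
# Anything without a matching sub rule falls through to the base rule.
BASE_RULE = ("OneDrive Messages", "General File Monitoring Event", "Other Audit")
OPERATION_TO_RULE = {op: name for name, (op, _, _) in RULES.items()}

# KEY=value tokens; values with spaces are double-quoted (constructed format, not LogRhythm's).
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_message(message):
    """Split one KEY=value message into a dict keyed by upper-cased device key."""
    fields = {}
    for key, raw in TOKEN_RE.findall(message):
        fields[key.upper()] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def normalize(fields):
    """Map parsed device keys onto the LogRhythm schema field names from the table."""
    event = {}
    for key, value in fields.items():
        if key == "USER":                       # "Source user name" -> <login> and <domain>
            login, _, domain = value.partition("@")
            event["login"] = login
            if domain:
                event["domain"] = domain
        elif key == "WORKLOAD":                 # one key feeds both <process> and <vendorinfo>
            event["process"] = event["vendorinfo"] = value
        elif key == "SIP":                      # Data Type is IP Address: validate, don't trust
            try:
                event["sip"] = str(ipaddress.ip_address(value))
            except ValueError:
                pass                            # no usable address: leave <sip> unset
        elif key in KEY_TO_SCHEMA:
            event[KEY_TO_SCHEMA[key]] = value
    return event


def classify(fields):
    """Pick the sub rule (or base rule) and return (rule, common event, classification)."""
    name = OPERATION_TO_RULE.get(fields.get("COMMAND", ""))
    if name is None:
        return BASE_RULE
    _, common_event, classification = RULES[name]
    return name, common_event, classification


def process(message):
    """Parse, normalize and classify one message into a single event dict."""
    fields = parse_message(message)
    event = normalize(fields)
    event["rule"], event["common_event"], event["classification"] = classify(fields)
    return event


def anonymous_link_events(messages):
    """Hunt helper: (login, object) for every Anonymous Link Created event."""
    return [(ev.get("login"), ev.get("object"))
            for ev in map(process, messages) if ev["rule"] == "Anonymous Link Created"]


# Constructed sample messages; hosts use .example and documentation-range addresses.
SAMPLE_MESSAGES = [
    'TS=2024-03-05T10:15:22 COMMAND=FileDownloaded WORKLOAD=OneDrive RESULTCODE=Succeeded '
    'USER=alice@contoso.example SIP=203.0.113.42 '
    'OBJECT="https://contoso-my.sharepoint.example/personal/alice/Documents/Q1 budget.xlsx" '
    'ITEMTYPE=File EVENTSOURCE=SharePoint USERAGENT="Mozilla/5.0"',
    'TS=2024-03-05T10:16:01 COMMAND=AnonymousLinkCreated WORKLOAD=OneDrive RESULTCODE=Succeeded '
    'USER=bob@contoso.example SIP=unknown '
    'OBJECT="https://contoso-my.sharepoint.example/personal/bob/Documents/roadmap.docx" '
    'ITEMTYPE=File USERSHAREDWITH=anonymous',
    'TS=2024-03-05T10:17:45 COMMAND=PageViewed WORKLOAD=OneDrive RESULTCODE=Succeeded '
    'USER=carol@contoso.example SIP=2001:db8::17 '
    'OBJECT="https://contoso-my.sharepoint.example/personal/carol/_layouts/15/onedrive.aspx" '
    'ITEMTYPE=Page',
]

if __name__ == "__main__":
    for ev in map(process, SAMPLE_MESSAGES):
        print(f'{ev["rule"]:<24} {ev["classification"]:<16} {ev.get("login")} {ev.get("object")}')
    print("anonymous links:", anonymous_link_events(SAMPLE_MESSAGES))
```

Two points worth noticing when reading the output: the second message carries no valid source address, so `<sip>` is simply absent rather than populated with junk, which matters for any rule that keys on IP; and the third message, an operation with no sub rule, lands on the base rule with the Other Audit classification, which is where unexpected or new Office 365 operations will show up until a sub rule is written for them.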