OneDrive Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| OneDrive Messages | Base Rule | General File Monitoring Event | Other Audit |
| WAC Token Shared | Sub Rule | General Authentication Event | Other Audit |
| Shared File, Folder, or Site | Sub Rule | Object Added | Access Success |
| File Uploaded | Sub Rule | Object Added | Access Success |
| File Sync Uploaded Full | Sub Rule | Object Added | Access Success |
| File Sync Downloaded Partial | Sub Rule | Object Added | Access Success |
| File Sync Downloaded Full | Sub Rule | Object Added | Access Success |
| File Renamed | Sub Rule | Object Renamed | Access Success |
| File Previewed | Sub Rule | Object Read | Access Success |
| File Moved | Sub Rule | Object Moved | Access Success |
| File Modified | Sub Rule | Object Modified | Access Success |
| File Downloaded | Sub Rule | Object Added | Access Success |
| File Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| File Accessed | Sub Rule | Object Accessed | Access Success |
| Company Link Used | Sub Rule | Object Accessed | Access Success |
| Company Link Created | Sub Rule | Object Created | Access Success |
| Added to Group | Sub Rule | Privilege Granted | Access Granted |
| Access Request Created | Sub Rule | Request Received | Other Audit Success |
| Access Request Approved | Sub Rule | Privilege Granted | Access Granted |
| Anonymous Link Created | Sub Rule | Access Granted Activity | Access Granted |
| Anonymous Link Removed | Sub Rule | Access Revoked Activity | Access Revoked |
| Anonymous Link Updated | Sub Rule | Object Modified | Access Success |
| Anonymous Link Used | Sub Rule | Object Accessed | Access Success |
| Company Link Removed | Sub Rule | Access Revoked Activity | Access Revoked |
| File Copied | Sub Rule | Object Accessed | Access Success |
| Folder Modified | Sub Rule | Object Modified | Access Success |
| Removed From Site Collection | Sub Rule | Access Revoked Activity | Access Revoked |
| Sharing Invitation Created | Sub Rule | Access Granted Activity | Access Granted |
| Sharing Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | N/A | N/A | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | N/A | N/A | Type of user |
| USERKEY | <session> | Text/String | User key information (hexadecimal value) |
| WORKLOAD | <process> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | <tag1> | Text/String | Result |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> <domain> | Text/String | Source user name |
| SIP | <sip> | IP Address | Source IP address |
| ITEMTYPE | <objectname> | Text/String | N/A |
| EVENTSOURCE | <subject> | Text/String | N/A |
| USERAGENT | <useragent> | Text/String | N/A |
| DOMAIN | N/A | N/A | N/A |
| FILENAME | N/A | N/A | N/A |
| DESTINATION | N/A | N/A | N/A |
| DESTINATIONFILENAME | N/A | N/A | N/A |
| USERSHAREDWITH | <account> | Text/String | N/A |
| SHARINGTYPE | N/A | N/A | N/A |
| EventData | N/A | N/A | N/A |
| MODIFIEDPROPERTIES | N/A | N/A | N/A |