Sharepoint File Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Sharepoint File Messages | Base Rule | General File Monitoring Event | Other Audit |
| Access Delegation | Sub Rule | Credential Delegation Disallowed | Other Audit Failure |
| Access Invitation : Accepted | Sub Rule | Client Accepted | Other Audit Success |
| Access Invitation : Created | Sub Rule | Object Created | Access Success |
| Access Invitation : Expired | Sub Rule | Certificate Expired | Warning |
| Access Invitation : Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| Access Invitation : Updated | Sub Rule | Content Successfully Updated | Information |
| Access Request : Approved | Sub Rule | Request Approved | Other Audit Success |
| Access Request : Created | Sub Rule | Request Received | Other Audit Success |
| Access Request : Expired | Sub Rule | Expired | Information |
| Access Request : Rejected | Sub Rule | Connection Rejected | Information |
| Activation Enabled | Sub Rule | Activate | Information |
| Administrator Added | Sub Rule | Account Added to Group | Access Granted |
| Administrator Deleted | Sub Rule | User Account Deleted | Account Deleted |
| Allow Group Creation Set | Sub Rule | Group Created | Account Created |
| App Catalog : Created | Sub Rule | Group Created | Account Created |
| Audit Policy : Removed | Sub Rule | Policy Disabled : Auditing | Policy |
| Audit Policy : Updated | Sub Rule | Policy Modified : Auditing | Policy |
| Azure Streaming : Enabled Set | Sub Rule | Configuration Saved | Information |
| Collaboration Type : Modified | Sub Rule | Configuration Loaded : System | Configuration |
| Comment Created | Sub Rule | Object Created | Access Success |
| Comment Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| Create SSO Application | Sub Rule | Object Created | Access Success |
| Customize Exempt Users | Sub Rule | Privilege Granted | Access Granted |
| Default Language : Changed | Sub Rule | Configuration Loaded : System | Configuration |
| Delete SSO Application | Sub Rule | Object Deleted/Removed | Access Success |
| Documents Results | Sub Rule | Object Accessed | Access Success |
| Exempt User : Agent Set | Sub Rule | Privilege Granted | Access Granted |
| External Sharing | Sub Rule | Object Downloaded | Access Success |
| File Check Out Discarded | Sub Rule | Object Deleted/Removed | Access Success |
| File Checked In | Sub Rule | Object Initialized | Access Success |
| File Checked Out | Sub Rule | Object Moved | Access Success |
| File Copied | Sub Rule | Object Accessed | Access Success |
| File Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| File Downloaded | Sub Rule | Object Accessed | Access Success |
| File Fetched | Sub Rule | Object Accessed | Access Success |
| File Modified | Sub Rule | Object Modified | Access Success |
| File Moved | Sub Rule | Object Moved | Access Success |
| File Renamed | Sub Rule | Object Renamed | Access Success |
| File Restored | Sub Rule | Object Created | Access Success |
| File Uploaded | Sub Rule | Object Initialized | Access Success |
| File Viewed | Sub Rule | Object Accessed | Access Success |
| Global Exp Setting : Set | Sub Rule | Configuration Modified : System | Configuration |
| Group Added | Sub Rule | Group Created | Account Created |
| Group Removed | Sub Rule | Group Deleted | Account Deleted |
| Group Updated | Sub Rule | Group Name Modified | Account Modified |
| Host Site : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| IRM Enabled : Set | Sub Rule | Configuration Enabled : System | Configuration |
| Language Added | Sub Rule | Object Added | Access Success |
| Language Removed | Sub Rule | Object Deleted/Removed | Access Success |
| Legacy Workflow Enabled : Set | Sub Rule | Configuration Enabled : System | Configuration |
| Max Quota : Modified | Sub Rule | Object Modified | Access Success |
| Max Resource Usage | Sub Rule | Email Handling Message | Information |
| Migrate O14 Activities Enabled : Set | Sub Rule | Configuration Enabled : Directory Services | Configuration |
| MySite Micro Blog Emails Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| MySite Public Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| News Feed Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| Office on Demand : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| People Results | Sub Rule | Email Handling Message | Information |
| Preview Mode : Enabled Set | Sub Rule | Configuration Loaded : Application | Configuration |
| Quota Warning | Sub Rule | Buffer Manager Warning | Warning |
| Rendering : Enabled | Sub Rule | Configuration Enabled : System | Configuration |
| Resource Warning | Sub Rule | Buffer Manager Warning | Warning |
| SSO Group : Credentials Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| SSO User : Credentials Set | Sub Rule | Auth Configuration Value Set to Specified Value | Information |
| Search : Center Url Set | Sub Rule | Configuration Enabled : System | Configuration |
| Secondary MySite Owner Set | Sub Rule | Configuration Disabled : Network Access | Configuration |
| Send to Connection : Added | Sub Rule | Object Added | Access Success |
| Send to Connection : Removed | Sub Rule | Object Deleted/Removed | Access Success |
| Shared : Link Created | Sub Rule | Object Created | Access Success |
| Shared : Link Disabled | Sub Rule | Object Deleted/Removed | Access Success |
| Sharing : Revoked | Sub Rule | Object Deleted/Removed | Access Success |
| Sharing : Set | Sub Rule | Configuration Saved | Information |
| Site : Admin Change Request | Sub Rule | Account Added to Group | Access Granted |
| Site : Collection Admin Added | Sub Rule | Account Added to Group | Access Granted |
| Site : Collection Created | Sub Rule | Account Added to Group | Access Granted |
| Site : Permissions Modified | Sub Rule | User Account Attribute Modified | Account Modified |
| Site : Renamed | Sub Rule | Object Renamed | Access Success |
| Sync : Get Changes | Sub Rule | Object Accessed | Access Success |
| Update SSO Application | Sub Rule | Email Handling Message | Information |
| User Added to Group | Sub Rule | Account Added to Group | Access Granted |
| User Removed from Group | Sub Rule | User Account Deleted | Account Deleted |
| eDiscovery : Hold Applied | Sub Rule | Threshold Set | Information |
| eDiscovery : Hold Removed | Sub Rule | Config Changed on Interface | Information |
| eDiscovery Search : Performed | Sub Rule | Search Request Sent | Information |
| Unmanaged Sync : Client Blocked | Sub Rule | Access Blocked | Information |
| Managed Sync : Client Allowed | Sub Rule | Account Added to Group | Access Granted |
| File Accessed | Sub Rule | Object Accessed | Access Success |
| Added to Group | Sub Rule | Privilege Granted | Access Granted |
| Anonymous Link Created | Sub Rule | Access Granted Activity | Access Granted |
| Anonymous Link Used | Sub Rule | Object Accessed | Access Success |
| Folder Modified | Sub Rule | Object Modified | Access Success |
| Removed from Group | Sub Rule | Access Revoked Activity | Access Revoked |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | <session> | Text/String | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | <tag1> | Text/String | Type of user |
| USERKEY | N/A | N/A | User key information hexadecimal value |
| WORKLOAD | <process> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | N/A | N/A | Results |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> <domain> | Text/String | Source user name |
| SIP | <sip> | IP Address | Source IP address |
| OBJECTNAME | N/A | N/A | Object name |
| PARAMETERS | N/A | N/A | Parameters format |
| MODIFIEDPROPERTIES | N/A | N/A | Properties |
| EXTERNALACCESS | N/A | N/A | Access information |
| ORIGINATINGSERVER | N/A | N/A | Device name origin |
| ORGANIZATIONNAME | N/A | N/A | Origin domain name |
| LOGONTYPE | N/A | N/A | Type of logon |
| MAILBOXOWNER | N/A | N/A | Mailbox owner information |
| MAILBOXMASTER | N/A | N/A | Mailbox master information |
| LOGONUSERSID | N/A | N/A | User SID information |
| LOGONUSERDISPLAYNAME | N/A | N/A | Logon user display name |
| USERAGENT | <useragent> | Text/String | User agent |
| CLIENTIPADDRESS | N/A | N/A | Client IP address information |
| CLIENTPROCESSNAME | N/A | N/A | Origin client process name |
| CLIENTVERSION | N/A | N/A | Version information |
| DOMAIN | N/A | N/A | N/A |
| FILENAME | <objectname> | Text/String | File information |
| DESTINATION | N/A | N/A | N/A |
| DESTINATIONFILENAME | N/A | N/A | N/A |
| USERSHAREDWITH | <account> | Text/String | Impacted user information |
| SHARINGTYPE | <group> | Text/String | Sharing information type |
| EventData=<Added to group> | <sessiontype> | Text/String | N/A |
| EventData=<Permissions granted> | <action> | Text/String | N/A |