Sharepoint File Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| Sharepoint File Messages | Base Rule | General File Monitoring Event | Other Audit |
| Access Delegation | Sub Rule | Credential Delegation Disallowed | Other Audit Failure |
| Access Invitation : Accepted | Sub Rule | Client Accepted | Other Audit Success |
| Access Invitation : Created | Sub Rule | Object Created | Access Success |
| Access Invitation : Expired | Sub Rule | Certificate Expired | Warning |
| Access Invitation : Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| Access Invitation : Updated | Sub Rule | Content Successfully Updated | Information |
| Access Request : Approved | Sub Rule | Request Approved | Other Audit Success |
| Access Request : Created | Sub Rule | Request Received | Other Audit Success |
| Access Request : Expired | Sub Rule | Expired | Information |
| Access Request : Rejected | Sub Rule | Connection Rejected | Information |
| Activation Enabled | Sub Rule | Activate | Information |
| Administrator Added | Sub Rule | Account Added to Group | Access Granted |
| Administrator Deleted | Sub Rule | User Account Deleted | Account Deleted |
| Allow Group Creation Set | Sub Rule | Group Created | Account Created |
| App Catalog : Created | Sub Rule | Group Created | Account Created |
| Audit Policy : Removed | Sub Rule | Policy Disabled : Auditing | Policy |
| Audit Policy : Updated | Sub Rule | Policy Modified : Auditing | Policy |
| Azure Streaming : Enabled Set | Sub Rule | Configuration Saved | Information |
| Collaboration Type : Modified | Sub Rule | Configuration Loaded : System | Configuration |
| Comment Created | Sub Rule | Object Created | Access Success |
| Comment Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| Create SSO Application | Sub Rule | Object Created | Access Success |
| Customize Exempt Users | Sub Rule | Privilege Granted | Access Granted |
| Default Language : Changed | Sub Rule | Configuration Loaded : System | Configuration |
| Delete SSO Application | Sub Rule | Object Deleted/Removed | Access Success |
| Documents Results | Sub Rule | Object Accessed | Access Success |
| Exempt User : Agent Set | Sub Rule | Privilege Granted | Access Granted |
| External Sharing | Sub Rule | Object Downloaded | Access Success |
| File Check Out Discarded | Sub Rule | Object Deleted/Removed | Access Success |
| File Checked In | Sub Rule | Object Initialized | Access Success |
| File Checked Out | Sub Rule | Object Moved | Access Success |
| File Copied | Sub Rule | Object Accessed | Access Success |
| File Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| File Downloaded | Sub Rule | Object Accessed | Access Success |
| File Fetched | Sub Rule | Object Accessed | Access Success |
| File Modified | Sub Rule | Object Modified | Access Success |
| File Moved | Sub Rule | Object Moved | Access Success |
| File Renamed | Sub Rule | Object Renamed | Access Success |
| File Restored | Sub Rule | Object Created | Access Success |
| File Uploaded | Sub Rule | Object Initialized | Access Success |
| File Viewed | Sub Rule | Object Accessed | Access Success |
| Global Exp Setting : Set | Sub Rule | Configuration Modified : System | Configuration |
| Group Added | Sub Rule | Group Created | Account Created |
| Group Removed | Sub Rule | Group Deleted | Account Deleted |
| Group Updated | Sub Rule | Group Name Modified | Account Modified |
| Host Site : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| IRM Enabled : Set | Sub Rule | Configuration Enabled : System | Configuration |
| Language Added | Sub Rule | Object Added | Access Success |
| Language Removed | Sub Rule | Object Deleted/Removed | Access Success |
| Legacy Workflow Enabled : Set | Sub Rule | Configuration Enabled : System | Configuration |
| Max Quota : Modified | Sub Rule | Object Modified | Access Success |
| Max Resource Usage | Sub Rule | Email Handling Message | Information |
| Migrate O14 Activities Enabled : Set | Sub Rule | Configuration Enabled : Directory Services | Configuration |
| MySite Micro Blog Emails Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| MySite Public Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| News Feed Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| Office on Demand : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| People Results | Sub Rule | Email Handling Message | Information |
| Preview Mode : Enabled Set | Sub Rule | Configuration Loaded : Application | Configuration |
| Quota Warning | Sub Rule | Buffer Manager Warning | Warning |
| Rendering : Enabled | Sub Rule | Configuration Enabled : System | Configuration |
| Resource Warning | Sub Rule | Buffer Manager Warning | Warning |
| SSO Group : Credentials Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| SSO User : Credentials Set | Sub Rule | Auth Configuration Value Set to Specified Value | Information |
| Search : Center Url Set | Sub Rule | Configuration Enabled : System | Configuration |
| Secondary MySite Owner Set | Sub Rule | Configuration Disabled : Network Access | Configuration |
| Send to Connection : Added | Sub Rule | Object Added | Access Success |
| Send to Connection : Removed | Sub Rule | Object Deleted/Removed | Access Success |
| Shared : Link Created | Sub Rule | Object Created | Access Success |
| Shared : Link Disabled | Sub Rule | Object Deleted/Removed | Access Success |
| Sharing : Revoked | Sub Rule | Object Deleted/Removed | Access Success |
| Sharing : Set | Sub Rule | Configuration Saved | Information |
| Site : Admin Change Request | Sub Rule | Account Added to Group | Access Granted |
| Site : Collection Admin Added | Sub Rule | Account Added to Group | Access Granted |
| Site : Collection Created | Sub Rule | Account Added to Group | Access Granted |
| Site : Permissions Modified | Sub Rule | User Account Attribute Modified | Account Modified |
| Site : Renamed | Sub Rule | Object Renamed | Access Success |
| Sync : Get Changes | Sub Rule | Object Accessed | Access Success |
| Update SSO Application | Sub Rule | Email Handling Message | Information |
| User Added to Group | Sub Rule | Account Added to Group | Access Granted |
| User Removed from Group | Sub Rule | User Account Deleted | Account Deleted |
| eDiscovery : Hold Applied | Sub Rule | Threshold Set | Information |
| eDiscovery : Hold Removed | Sub Rule | Config Changed on Interface | Information |
| eDiscovery Search : Performed | Sub Rule | Search Request Sent | Information |
| Unmanaged Sync : Client Blocked | Sub Rule | Access Blocked | Information |
| Managed Sync : Client Allowed | Sub Rule | Account Added to Group | Access Granted |
| File Accessed | Sub Rule | Object Accessed | Access Success |
| Added to Group | Sub Rule | Privilege Granted | Access Granted |
| Anonymous Link Created | Sub Rule | Access Granted Activity | Access Granted |
| Anonymous Link Used | Sub Rule | Object Accessed | Access Success |
| Folder Modified | Sub Rule | Object Modified | Access Success |
| Removed from Group | Sub Rule | Access Revoked Activity | Access Revoked |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| TS | N/A | N/A | N/A |
| SESSID | <session> | Text/String | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | <tag1> | Text/String | Type of user |
| USERKEY | N/A | N/A | User key information hexadecimal value |
| WORKLOAD | <process> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | N/A | N/A | Results |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> <domain> | Text/String | Source user name |
| SIP | <sip> | IP Address | Source IP address |
| OBJECTNAME | N/A | N/A | Object name |
| PARAMETERS | N/A | N/A | Parameters format |
| MODIFIEDPROPERTIES | N/A | N/A | Properties |
| EXTERNALACCESS | N/A | N/A | Access information |
| ORIGINATINGSERVER | N/A | N/A | Device name origin |
| ORGANIZATIONNAME | N/A | N/A | Origin domain name |
| LOGONTYPE | N/A | N/A | Type of logon |
| MAILBOXOWNER | N/A | N/A | Mail box owner information |
| MAILBOXMASTER | N/A | N/A | Mail box master information |
| LOGONUSERSID | N/A | N/A | User SID information |
| LOGONUSERDISPLAYNAME | N/A | N/A | Logon user display name |
| USERAGENT | <useragent> | Text/String | User agent |
| CLIENTIPADDRESS | N/A | N/A | Client IP address information |
| CLIENTPROCESSNAME | N/A | N/A | Origin client process name |
| CLIENTVERSION | N/A | N/A | Version information |
| DOMAIN | N/A | N/A | N/A |
| FILENAME | <objectname> | Text/String | File information |
| DESTINATION | N/A | N/A | N/A |
| DESTINATIONFILENAME | N/A | N/A | N/A |
| USERSHAREDWITH | <account> | Text/String | Impacted user information |
| SHARINGTYPE | <group> | Text/String | Sharing information type |
| EventData=<Added to group> | <sessiontype> | Text/String | N/A |
| EventData=<Permissions granted> | <action> | Text/String | N/A |
| MODIFIEDPROPERTIES | N/A | N/A | Properties |
