Sharepoint File Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Sharepoint File Messages | Base Rule | General File Monitoring Event | Other Audit |
| Access Delegation | Sub Rule | Credential Delegation Disallowed | Other Audit Failure |
| Access Invitation : Accepted | Sub Rule | Client Accepted | Other Audit Success |
| Access Invitation : Created | Sub Rule | Object Created | Access Success |
| Access Invitation : Expired | Sub Rule | Certificate Expired | Warning |
| Access Invitation : Revoked | Sub Rule | Access Revoked Activity | Access Revoked |
| Access Invitation : Updated | Sub Rule | Content Successfully Updated | Information |
| Access Request : Approved | Sub Rule | Request Approved | Other Audit Success |
| Access Request : Created | Sub Rule | Request Received | Other Audit Success |
| Access Request : Expired | Sub Rule | Expired | Information |
| Access Request : Rejected | Sub Rule | Connection Rejected | Information |
| Activation Enabled | Sub Rule | Activate | Information |
| Administrator Added | Sub Rule | Account Added to Group | Access Granted |
| Administrator Deleted | Sub Rule | User Account Deleted | Account Deleted |
| Allow Group Creation Set | Sub Rule | Group Created | Account Created |
| App Catalog : Created | Sub Rule | Group Created | Account Created |
| Audit Policy : Removed | Sub Rule | Policy Disabled : Auditing | Policy |
| Audit Policy : Updated | Sub Rule | Policy Modified : Auditing | Policy |
| Azure Streaming : Enabled Set | Sub Rule | Configuration Saved | Information |
| Collaboration Type : Modified | Sub Rule | Configuration Loaded : System | Configuration |
| Comment Created | Sub Rule | Object Created | Access Success |
| Comment Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| Create SSO Application | Sub Rule | Object Created | Access Success |
| Customize Exempt Users | Sub Rule | Privilege Granted | Access Granted |
| Default Language : Changed | Sub Rule | Configuration Loaded : System | Configuration |
| Delete SSO Application | Sub Rule | Object Deleted/Removed | Access Success |
| Documents Results | Sub Rule | Object Accessed | Access Success |
| Exempt User : Agent Set | Sub Rule | Privilege Granted | Access Granted |
| External Sharing | Sub Rule | Object Downloaded | Access Success |
| File Check Out Discarded | Sub Rule | Object Deleted/Removed | Access Success |
| File Checked In | Sub Rule | Object Initialized | Access Success |
| File Checked Out | Sub Rule | Object Moved | Access Success |
| File Copied | Sub Rule | Object Accessed | Access Success |
| File Deleted | Sub Rule | Object Deleted/Removed | Access Success |
| File Downloaded | Sub Rule | Object Accessed | Access Success |
| File Fetched | Sub Rule | Object Accessed | Access Success |
| File Modified | Sub Rule | Object Modified | Access Success |
| File Moved | Sub Rule | Object Moved | Access Success |
| File Renamed | Sub Rule | Object Renamed | Access Success |
| File Restored | Sub Rule | Object Created | Access Success |
| File Uploaded | Sub Rule | Object Initialized | Access Success |
| File Viewed | Sub Rule | Object Accessed | Access Success |
| Global Exp Setting : Set | Sub Rule | Configuration Modified : System | Configuration |
| Group Added | Sub Rule | Group Created | Account Created |
| Group Removed | Sub Rule | Group Deleted | Account Deleted |
| Group Updated | Sub Rule | Group Name Modified | Account Modified |
| Host Site : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| IRM Enabled : Set | Sub Rule | Configuration Enabled : System | Configuration |
| Language Added | Sub Rule | Object Added | Access Success |
| Language Removed | Sub Rule | Object Deleted/Removed | Access Success |
| Legacy Workflow Enabled : Set | Sub Rule | Configuration Enabled : System | Configuration |
| Max Quota : Modified | Sub Rule | Object Modified | Access Success |
| Max Resource Usage | Sub Rule | Email Handling Message | Information |
| Migrate O14 Activities Enabled : Set | Sub Rule | Configuration Enabled : Directory Services | Configuration |
| MySite Micro Blog Emails Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| MySite Public Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| News Feed Enabled : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| Office on Demand : Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| People Results | Sub Rule | Email Handling Message | Information |
| Preview Mode : Enabled Set | Sub Rule | Configuration Loaded : Application | Configuration |
| Quota Warning | Sub Rule | Buffer Manager Warning | Warning |
| Rendering : Enabled | Sub Rule | Configuration Enabled : System | Configuration |
| Resource Warning | Sub Rule | Buffer Manager Warning | Warning |
| SSO Group : Credentials Set | Sub Rule | Configuration Enabled : Network Access | Configuration |
| SSO User : Credentials Set | Sub Rule | Auth Configuration Value Set to Specified Value | Information |
| Search : Center Url Set | Sub Rule | Configuration Enabled : System | Configuration |
| Secondary MySite Owner Set | Sub Rule | Configuration Disabled : Network Access | Configuration |
| Send to Connection : Added | Sub Rule | Object Added | Access Success |
| Send to Connection : Removed | Sub Rule | Object Deleted/Removed | Access Success |
| Shared : Link Created | Sub Rule | Object Created | Access Success |
| Shared : Link Disabled | Sub Rule | Object Deleted/Removed | Access Success |
| Sharing : Revoked | Sub Rule | Object Deleted/Removed | Access Success |
| Sharing : Set | Sub Rule | Configuration Saved | Information |
| Site : Admin Change Request | Sub Rule | Account Added to Group | Access Granted |
| Site : Collection Admin Added | Sub Rule | Account Added to Group | Access Granted |
| Site : Collection Created | Sub Rule | Account Added to Group | Access Granted |
| Site : Permissions Modified | Sub Rule | User Account Attribute Modified | Account Modified |
| Site : Renamed | Sub Rule | Object Renamed | Access Success |
| Sync : Get Changes | Sub Rule | Object Accessed | Access Success |
| Update SSO Application | Sub Rule | Email Handling Message | Information |
| User Added to Group | Sub Rule | Account Added to Group | Access Granted |
| User Removed from Group | Sub Rule | User Account Deleted | Account Deleted |
| eDiscovery : Hold Applied | Sub Rule | Threshold Set | Information |
| eDiscovery : Hold Removed | Sub Rule | Config Changed on Interface | Information |
| eDiscovery Search : Performed | Sub Rule | Search Request Sent | Information |
| Unmanaged Sync : Client Blocked | Sub Rule | Access Blocked | Information |
| Managed Sync : Client Allowed | Sub Rule | Account Added to Group | Access Granted |
| File Accessed | Sub Rule | Object Accessed | Access Success |
| Added to Group | Sub Rule | Privilege Granted | Access Granted |
| Anonymous Link Created | Sub Rule | Access Granted Activity | Access Granted |
| Anonymous Link Used | Sub Rule | Object Accessed | Access Success |
| Folder Modified | Sub Rule | Object Modified | Access Success |
| Removed from Group | Sub Rule | Access Revoked Activity | Access Revoked |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | <session> | Text/String | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | <tag1> | Text/String | Type of user |
| USERKEY | N/A | N/A | User key information hexadecimal value |
| WORKLOAD | <process> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | N/A | N/A | Results |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> <domain> | Text/String | Source user name |
| SIP | <sip> | IP Address | Source IP address |
| OBJECTNAME | N/A | N/A | Object name |
| PARAMETERS | N/A | N/A | Parameters format |
| MODIFIEDPROPERTIES | N/A | N/A | Properties |
| EXTERNALACCESS | N/A | N/A | Access information |
| ORIGINATINGSERVER | N/A | N/A | Device name origin |
| ORGANIZATIONNAME | N/A | N/A | Origin domain name |
| LOGONTYPE | N/A | N/A | Type of logon |
| MAILBOXOWNER | N/A | N/A | Mail box owner information |
| MAILBOXMASTER | N/A | N/A | Mail box master information |
| LOGONUSERSID | N/A | N/A | User SID information |
| LOGONUSERDISPLAYNAME | N/A | N/A | Logon user display name |
| USERAGENT | <useragent> | Text/String | User agent |
| CLIENTIPADDRESS | N/A | N/A | Client IP address information |
| CLIENTPROCESSNAME | N/A | N/A | Origin client process name |
| CLIENTVERSION | N/A | N/A | Version information |
| DOMAIN | N/A | N/A | N/A |
| FILENAME | <objectname> | Text/String | File information |
| DESTINATION | N/A | N/A | N/A |
| DESTINATIONFILENAME | N/A | N/A | N/A |
| USERSHAREDWITH | <account> | Text/String | Impacted user information |
| SHARINGTYPE | <group> | Text/String | Sharing information type |
| EventData=<Added to group> | <sessiontype> | Text/String | N/A |
| EventData=<Permissions granted> | <action> | Text/String | N/A |
| MODIFIEDPROPERTIES | N/A | N/A | Properties |