Classification

Rule Name                                     | Rule Type | Common Event                | Classification
----------------------------------------------|-----------|-----------------------------|-------------------------
Catch All : Outlook Messages                  | Base Rule | General Outlook Information | Operations : Information
EVID 30 : Outlook Automatic Reconciliation    | Sub Rule  | General Outlook Information | Information
EVID 32 : Outlook Catalog Checkpoint Detected | Sub Rule  | General Outlook Information | Information
EVID 38 : Outlook Reconciliation Completed    | Sub Rule  | General Outlook Information | Information
EVID 45 : Outlook Startup Event               | Sub Rule  | Process/Service Started     | Startup and Shutdown
EVID 63 : Outlook Web Service Request         | Sub Rule  | General Outlook Information | Information

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Outlook'/><EventID Qualifiers='16384'>32</EventID><Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-11-19T01:35:20.000000000Z'/><EventRecordID>38489</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security/></System><EventData><Data>_userName,</Data></EventData></Event>

Mapping with LogRhythm Schema

Device Key in Log Message | Log Value            | LogRhythm Schema | Data Type
--------------------------|----------------------|------------------|------------
Provider Name             | Outlook              | <venderinfo>     | Text/String
EventID Qualifiers        | 32                   | <vmid>           | Number
Level                     | Information          | <severity>       | Text/String
Computer                  | _destinationhostname | <dname>          | Text/String
Data                      | _userName,           | <object>         | Text/String
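The following is an added example, not LogRhythm's own parsing code, showing how the sample event above is reduced to the five schema fields in the mapping table and then routed to a sub rule or the catch-all base rule from the classification table. It uses only the standard library; the namespace, field names, rule names and the sample event are taken from this page, and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace declared on the sample log's <Event> element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rule catalogue transcribed from the classification table on this page:
# EVID -> (rule name, common event, classification)
SUB_RULES = {
    30: ("Outlook Automatic Reconciliation", "General Outlook Information", "Information"),
    32: ("Outlook Catalog Checkpoint Detected", "General Outlook Information", "Information"),
    38: ("Outlook Reconciliation Completed", "General Outlook Information", "Information"),
    45: ("Outlook Startup Event", "Process/Service Started", "Startup and Shutdown"),
    63: ("Outlook Web Service Request", "General Outlook Information", "Information"),
}
BASE_RULE = ("Catch All : Outlook Messages", "General Outlook Information", "Operations : Information")

# Sample log copied from this page; _destinationhostname and _userName are the
# page's own placeholder values, not real hosts or accounts.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Outlook'/><EventID Qualifiers='16384'>32</EventID>"
    "<Level>Information</Level><Task>None</Task><Keywords>Classic</Keywords>"
    "<TimeCreated SystemTime='2016-11-19T01:35:20.000000000Z'/>"
    "<EventRecordID>38489</EventRecordID><Channel>Application</Channel>"
    "<Computer>_destinationhostname</Computer><Security/></System>"
    "<EventData><Data>_userName,</Data></EventData></Event>"
)


def map_to_schema(xml_text):
    """Extract the five device keys from an Outlook event and return them
    under the LogRhythm schema field names from the mapping table.
    Raises ValueError for events that are not from the Outlook provider."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("missing <System> element")
    provider = system.find("e:Provider", NS)
    provider_name = provider.get("Name") if provider is not None else None
    if provider_name != "Outlook":
        raise ValueError(f"not an Outlook event (Provider Name={provider_name!r})")
    event_id_text = system.findtext("e:EventID", namespaces=NS)
    if event_id_text is None or not event_id_text.strip().isdigit():
        raise ValueError("missing or non-numeric <EventID>")
    data = root.findtext("e:EventData/e:Data", default="", namespaces=NS)
    return {
        "venderinfo": provider_name,                                        # Provider Name
        "vmid": int(event_id_text),                                         # EventID (Number)
        "severity": system.findtext("e:Level", default="", namespaces=NS),  # Level
        "dname": system.findtext("e:Computer", default="", namespaces=NS),  # Computer
        "object": data,  # Data element text, trailing comma kept as in the mapping table
    }


def classify(vmid):
    """Pick the sub rule for a known EVID, else fall through to the base rule."""
    if vmid in SUB_RULES:
        name, common_event, classification = SUB_RULES[vmid]
        return {"rule": f"EVID {vmid} : {name}", "rule_type": "Sub Rule",
                "common_event": common_event, "classification": classification}
    name, common_event, classification = BASE_RULE
    return {"rule": name, "rule_type": "Base Rule",
            "common_event": common_event, "classification": classification}


def process(xml_text):
    """Schema fields plus the rule selected by the event's vmid, in one record."""
    fields = map_to_schema(xml_text)
    return {**fields, **classify(fields["vmid"])}


if __name__ == "__main__":
    for key, value in process(SAMPLE_EVENT).items():
        print(f"{key:>15}: {value}")
```

Running the block against the sample event yields vmid 32, which selects the "EVID 32 : Outlook Catalog Checkpoint Detected" sub rule; any Outlook event ID absent from the table lands on the base rule, mirroring the Catch All row, and a non-Outlook provider is rejected before any field is mapped.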