Collect Microsoft 365 logs
This document describes how you can collect Microsoft 365 logs by setting up a Chronicle feed, and how the log fields map to Chronicle Unified Data Model (UDM) fields. It also lists the supported audited activities and the supported Microsoft 365 version.
For an overview of data ingestion in Chronicle, see Data ingestion to Chronicle.
Overview
The following deployment architecture diagram shows how Microsoft 365 and Chronicle feeds are configured to send logs to Chronicle. Each customer deployment might differ from this representation and might be more complex.
The architecture diagram shows the following components:
Microsoft 365. The Microsoft 365 service that you collect logs from.
Chronicle feed. The Chronicle feed that fetches logs from Microsoft 365 and writes them to Chronicle.
Chronicle. Chronicle retains and analyzes the Microsoft 365 logs.
An ingestion label identifies the parser that normalizes raw log data into structured UDM format. The information in this document applies to the parser with the OFFICE_365 ingestion label.
Before you begin
Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later, and verify that you have a Microsoft 365 Enterprise E5 subscription with Microsoft Security and Compliance Center capabilities.
Grant the user the privileges and permissions required to generate and export the different events for all supported Microsoft products. For an example of the required permissions, see Permissions to access the management APIs.
Configure Microsoft 365 for log search and export. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. It can take up to 24 hours for logs to be generated. For more information, see Search the audit log.
Make sure that all systems in the deployment architecture are configured in the UTC time zone.
Review the activities and products supported by the Chronicle parser. The following table lists them:
Activity | Products |
---|---|
File and page activities | SharePoint Online and OneDrive for Business |
Folder activities | SharePoint Online and OneDrive for Business |
SharePoint list activities | SharePoint Online |
Sharing and access request activities | SharePoint Online and OneDrive for Business |
Synchronization activities | SharePoint Online and OneDrive for Business |
Site permissions activities | SharePoint Online |
Site administration activities | SharePoint Online |
Exchange mailbox activities | Microsoft 365 Group mailboxes |
User administration activities | Microsoft 365 admin center |
Azure AD group administration activities | Microsoft 365 admin center |
Application administration activities | When an administrator adds or changes an application that is registered in Azure AD |
Role administration activities | Microsoft 365 admin center |
Directory administration activities | Microsoft 365 admin center |
Power BI activities | Power BI |
Microsoft Teams activities | Microsoft Teams |
Microsoft Teams Shifts activities | Shifts app in Microsoft Teams |
Microsoft Teams Healthcare activities | Patients app in Microsoft Teams |
Yammer activities | Yammer |
Microsoft Power Automate activities | Power Automate (formerly Microsoft Flow) |
Microsoft PowerApps activities | PowerApps |
Microsoft Stream activities | Microsoft Stream |
Quarantine activities | Quarantined email messages in Office 365 |
Microsoft Forms activities | Microsoft Forms |
Sensitivity label activities | Labeling activities for SharePoint Online and Teams |
Retention policy and retention label activities | NA |
Briefing email activities | Briefing email |
MyAnalytics activities | MyAnalytics |
Information barriers activities | NA |
Disposition review activities | NA |
Communication compliance activities | NA |
Undefined activities | NA |
Configure a feed in Chronicle to ingest Microsoft 365 logs
- Go to Chronicle settings and click Feeds.
- Click Add New.
- Select Third party API as the Source type.
- Select Office 365 as the Log type.
- Click Next.
- Based on your Microsoft 365 configuration, specify the OAuth client ID, OAuth client secret and tenant ID.
- Select the Content type that you are creating this feed for. You must create a separate feed for each content type you need; the content types exposed by the Office 365 Management Activity API are Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General and DLP.All.
- Click Next, then click Submit.
To learn more about Chronicle feeds, see the Chronicle feeds documentation.
Field mapping reference
This section explains how the Chronicle parser maps Microsoft 365 log fields to Chronicle Unified Data Model (UDM) fields for the supported operations and workloads.
Common fields
The following table lists the common log fields and their corresponding UDM fields.
Common log field | UDM field |
---|---|
ID | metadata.product_log_id |
RecordType | security_result.detection_fields.key/value: the key is set to "{RecordType} - {RecordTypeName}" and the value to the RecordType description, both as documented by Microsoft |
CreationTime | metadata.event_timestamp |
Operation | metadata.product_event_type |
OrganizationId | principal.resource.product_object_id |
UserType | principal.user.attribute.roles.name |
UserId | principal.user.email_addresses or principal.user.userid, or target.user.email_addresses or target.user.userid. If Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant or Add delegated permission grant, UserId is mapped to target.user; otherwise it is mapped to principal.user. If the UserId value is an email address it is mapped to email_addresses, otherwise to userid |
ClientIP | principal.ip and principal.port |
Workload | target.application |
AppAccessContext | network.session.id and security_result.detection_fields.key/value: AADSessionId is mapped to network.session.id, CorrelationId to security_result.detection_fields.key/value |
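The rules in the table above, applied to constructed records. This is an added example, not the Chronicle parser's code and not a Microsoft sample: it re-implements the UserId routing (target.user for the logon and consent-grant operations, principal.user otherwise; email_addresses versus userid), the ClientIP split into principal.ip and principal.port including the bracketed IPv6 form, and the AppAccessContext mapping. The RecordType and UserType enum subsets are values from the Microsoft Management Activity API schema; the detection_fields description strings are constructed placeholders, and stripping the trailing period from Azure AD operation names is this example's own normalization.

```python
"""Re-implementation of the common-field rules in the table above.

Added example, not code from the Chronicle parser or from Microsoft: it applies
the documented rules to constructed Office 365 Management Activity records so a
rule author can see where each value ends up in UDM.
"""
import ipaddress
from datetime import datetime, timezone

# Operations whose UserId names the *target* of the action rather than the actor.
# Azure AD emits these with a trailing period ("Add OAuth2PermissionGrant."), so
# the comparison strips it (this example's normalization, not the table's).
TARGET_USER_OPERATIONS = {
    "UserLoggedIn", "UserLoginFailed",
    "Add OAuth2PermissionGrant", "Add delegated permission grant",
}

# Subset of the Management Activity API enums (Microsoft schema values). The
# description strings are constructed placeholders, not the parser's exact text.
RECORD_TYPES = {
    4: ("SharePoint", "SharePoint events"),
    6: ("SharePointFileOperation", "SharePoint file operation events"),
    8: ("AzureActiveDirectory", "Azure Active Directory events"),
    15: ("AzureActiveDirectoryStsLogon", "Secure Token Service logon events"),
}
USER_TYPES = {0: "Regular", 2: "Admin", 4: "System", 5: "Application", 6: "ServicePrincipal"}


def split_client_ip(value):
    """Split ClientIP into (ip, port). Accepts 'a.b.c.d', 'a.b.c.d:port', '[v6]:port' and bare v6."""
    if not value:
        return None, None
    if value.startswith("["):                      # bracketed IPv6 with port
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:                    # IPv4 with port
        host, _, port = value.partition(":")
    else:                                          # bare IPv4 or bare IPv6
        host, port = value, ""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None, None
    return ip, (int(port) if port.isdigit() else None)


def map_common_fields(record):
    """Return a flat {udm_path: value} dict for the common fields of one record."""
    udm = {
        "metadata.product_log_id": record["Id"],
        "metadata.product_event_type": record["Operation"],
        # CreationTime is UTC without an offset; attach the zone explicitly.
        "metadata.event_timestamp": datetime.fromisoformat(record["CreationTime"])
            .replace(tzinfo=timezone.utc).isoformat(),
        "principal.resource.product_object_id": record.get("OrganizationId"),
        "target.application": record.get("Workload"),
    }
    if record.get("RecordType") in RECORD_TYPES:
        name, description = RECORD_TYPES[record["RecordType"]]
        udm["security_result.detection_fields"] = {f"{record['RecordType']} - {name}": description}
    if record.get("UserType") in USER_TYPES:
        udm["principal.user.attribute.roles.name"] = USER_TYPES[record["UserType"]]

    # UserId: target.user for logon and consent-grant operations, principal.user otherwise;
    # email_addresses if it looks like an address, userid otherwise.
    user_id = record.get("UserId", "")
    noun = "target" if record["Operation"].rstrip(".") in TARGET_USER_OPERATIONS else "principal"
    leaf = "email_addresses" if "@" in user_id else "userid"
    udm[f"{noun}.user.{leaf}"] = user_id

    ip, port = split_client_ip(record.get("ClientIP"))
    if ip:
        udm["principal.ip"] = ip
    if port is not None:
        udm["principal.port"] = port

    ctx = record.get("AppAccessContext") or {}
    if ctx.get("AADSessionId"):
        udm["network.session.id"] = ctx["AADSessionId"]
    if ctx.get("CorrelationId"):
        udm.setdefault("security_result.detection_fields", {})["CorrelationId"] = ctx["CorrelationId"]
    return udm


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"Id": "1a2b3c", "RecordType": 6, "CreationTime": "2024-03-04T09:15:27",
     "Operation": "FileAccessed", "OrganizationId": "11111111-2222-3333-4444-555555555555",
     "UserType": 0, "UserId": "alice@example.com", "ClientIP": "198.51.100.23:51234",
     "Workload": "SharePoint",
     "AppAccessContext": {"AADSessionId": "sess-aaaa", "CorrelationId": "corr-0001"}},
    {"Id": "4d5e6f", "RecordType": 15, "CreationTime": "2024-03-04T09:16:02",
     "Operation": "UserLoggedIn", "OrganizationId": "11111111-2222-3333-4444-555555555555",
     "UserType": 0, "UserId": "bob@example.com", "ClientIP": "[2001:db8::7]:443",
     "Workload": "AzureActiveDirectory"},
    {"Id": "7g8h9i", "RecordType": 8, "CreationTime": "2024-03-04T09:17:44",
     "Operation": "Add OAuth2PermissionGrant.", "OrganizationId": "11111111-2222-3333-4444-555555555555",
     "UserType": 5, "UserId": "ServicePrincipal_0a1b2c", "ClientIP": "203.0.113.9",
     "Workload": "AzureActiveDirectory"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for path, value in sorted(map_common_fields(rec).items()):
            print(f"{rec['Operation']:<30} {path:<45} {value}")
        print()
```

Running it shows the FileAccessed record populating principal.user while the UserLoggedIn and consent-grant records populate target.user: a rule that keys on principal.user.email_addresses for logon events never matches, and a rule that reads principal.port must tolerate records whose ClientIP carries no port.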
For UDM mapping reference information for the supported operations, see the following sections:
FileAccessed
The following table lists the log fields and corresponding UDM mappings for the "FileAccessed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileAccessedExtended
The following table lists the log fields and corresponding UDM mappings for the "FileAccessedExtended" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeleted
The following table lists the log fields and corresponding UDM mappings for the "FileDeleted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCopied
The following table lists the log fields and corresponding UDM mappings for the "FileCopied" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_COPY; target.resource.resource_type is set to STORAGE_OBJECT |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path and target.file.full_path: SourceFileUrl extracted from EventData is mapped to src.file.full_path, and TargetFileUrl to target.file.full_path |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileModified
The following table lists the log fields and corresponding UDM mappings for the "FileModified" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_MODIFICATION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileDownloaded
The following table lists the log fields and corresponding UDM mappings for the "FileDownloaded" operation and the "SharePoint/OneDrive" workload. Note that for this operation the file is placed under src.file and src.url, not target.file:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
UserSessionId | network.http.session_id |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ZipFileName | principal.resource.parent |
FileModifiedExtended
The following table lists the log fields and corresponding UDM mappings for the "FileModifiedExtended" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_MODIFICATION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileMoved
The following table lists the log fields and corresponding UDM mappings for the "FileMoved" operation and the "SharePoint/OneDrive" workload. The original location is placed under src.file and src.url, the new location under target.file:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FilePreviewed
The following table lists the log fields and corresponding UDM mappings for the "FilePreviewed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRenamed
The following table lists the log fields and corresponding UDM mappings for the "FileRenamed" operation and the "SharePoint/OneDrive" workload. As for FileMoved, the original name is placed under src.file and src.url, the new name under target.file:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
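The FileDownloaded, FileMoved and FileRenamed tables above place the original file under src.url and src.file.*, while every other file operation in this section places it under target.url and target.file.*. The following added example (not the Chronicle parser's code) re-implements that placement, together with the event types from the tables, over constructed records, and then shows the consequence for a detection: a rule counting downloads must filter on metadata.product_event_type (FileCheckedIn shares USER_RESOURCE_UPDATE_CONTENT) and read src.file.full_path, because downloads never populate target.file. Operation names are the ones Microsoft emits in the Operation field; the contoso.sharepoint.com site and all records are constructed.

```python
"""How the SharePoint/OneDrive tables above place the file under src.* or target.*.

Added example, not the Chronicle parser's code. FileDownloaded, FileMoved and
FileRenamed carry the original file under src.url / src.file.*; every other
operation in the tables carries it under target.url / target.file.*.
The sample records are constructed.
"""

EVENT_TYPES = {
    "FileAccessed": "USER_RESOURCE_ACCESS", "FileAccessedExtended": "USER_RESOURCE_ACCESS",
    "FilePreviewed": "USER_RESOURCE_ACCESS", "FileCheckedOut": "USER_RESOURCE_ACCESS",
    "FileDownloaded": "USER_RESOURCE_UPDATE_CONTENT", "FileCheckedIn": "USER_RESOURCE_UPDATE_CONTENT",
    "FileDeleted": "FILE_DELETION", "FileVersionsAllDeleted": "FILE_DELETION",
    "FileDeletedFirstStageRecycleBin": "FILE_DELETION", "FileDeletedSecondStageRecycleBin": "FILE_DELETION",
    "FileModified": "FILE_MODIFICATION", "FileModifiedExtended": "FILE_MODIFICATION",
    "FileCopied": "FILE_COPY", "FileMoved": "FILE_MOVE", "FileRenamed": "FILE_MOVE",
    "FileUploaded": "FILE_SYNC",
}
SOURCE_UNDER_SRC = {"FileDownloaded", "FileMoved", "FileRenamed"}   # original file -> src.*
HAS_DESTINATION = {"FileMoved", "FileRenamed"}                      # new location -> target.file.*


def join_path(relative_url, file_name):
    """'{RelativeUrl}/{FileName}', tolerating a trailing slash or a missing part."""
    if relative_url and file_name:
        return f"{relative_url.rstrip('/')}/{file_name}"
    return relative_url or file_name or ""


def map_file_fields(record):
    """Return {udm_path: value} for the file-related fields of one SharePoint/OneDrive record."""
    op = record["Operation"]
    udm = {
        "metadata.product_event_type": op,
        "metadata.event_type": EVENT_TYPES[op],
        "target.resource.resource_type": "STORAGE_OBJECT",
        "network.http.user_agent": record.get("UserAgent"),
        "network.http.referral_url": record.get("SiteUrl"),
    }
    if op in SOURCE_UNDER_SRC:
        udm["src.url"] = record.get("ObjectId")
        udm["src.file.full_path"] = join_path(record.get("SourceRelativeUrl"), record.get("SourceFileName"))
        udm["src.file.mime_type"] = record.get("SourceFileExtension")
        if op in HAS_DESTINATION:
            udm["target.file.full_path"] = join_path(record.get("DestinationRelativeUrl"),
                                                    record.get("DestinationFileName"))
            udm["target.file.mime_type"] = record.get("DestinationFileExtension")
    else:
        udm["target.url"] = record.get("ObjectId")
        # The tables say "SourceRelativeUrl or SourceFileName": take the first one present.
        udm["target.file.full_path"] = record.get("SourceRelativeUrl") or record.get("SourceFileName")
        udm["target.file.mime_type"] = record.get("SourceFileExtension")
    return {k: v for k, v in udm.items() if v}


def file_paths(udm):
    """Every file path on the event, whichever noun holds it."""
    return [udm[k] for k in ("src.file.full_path", "target.file.full_path") if k in udm]


def distinct_downloads_per_user(records):
    """Distinct files downloaded per user. Filters on product_event_type, because FileCheckedIn
    shares USER_RESOURCE_UPDATE_CONTENT, and reads src.file.full_path, because downloads never
    populate target.file."""
    seen = {}
    for rec in records:
        udm = map_file_fields(rec)
        if udm["metadata.product_event_type"] == "FileDownloaded":
            seen.setdefault(rec["UserId"], set()).add(udm["src.file.full_path"])
    return {user: len(files) for user, files in seen.items()}


SITE = "https://contoso.sharepoint.com/sites/finance/"      # constructed tenant
SAMPLE_RECORDS = [
    {"Operation": "FileDownloaded", "UserId": "alice@example.com", "SiteUrl": SITE,
     "ObjectId": SITE + "Shared Documents/Q1/budget.xlsx", "SourceRelativeUrl": "Shared Documents/Q1",
     "SourceFileName": "budget.xlsx", "SourceFileExtension": "xlsx", "UserAgent": "Mozilla/5.0 (constructed)"},
    {"Operation": "FileDownloaded", "UserId": "alice@example.com", "SiteUrl": SITE,
     "ObjectId": SITE + "Shared Documents/Q1/payroll.csv", "SourceRelativeUrl": "Shared Documents/Q1/",
     "SourceFileName": "payroll.csv", "SourceFileExtension": "csv"},
    {"Operation": "FileDownloaded", "UserId": "alice@example.com", "SiteUrl": SITE,   # repeat download
     "ObjectId": SITE + "Shared Documents/Q1/budget.xlsx", "SourceRelativeUrl": "Shared Documents/Q1",
     "SourceFileName": "budget.xlsx", "SourceFileExtension": "xlsx"},
    {"Operation": "FileRenamed", "UserId": "bob@example.com", "SiteUrl": SITE,
     "ObjectId": SITE + "Shared Documents/draft.docx", "SourceRelativeUrl": "Shared Documents",
     "SourceFileName": "draft.docx", "SourceFileExtension": "docx", "DestinationRelativeUrl": "Shared Documents",
     "DestinationFileName": "final.docx", "DestinationFileExtension": "docx"},
    {"Operation": "FileCheckedIn", "UserId": "bob@example.com", "SiteUrl": SITE,
     "ObjectId": SITE + "Shared Documents/final.docx", "SourceRelativeUrl": "Shared Documents",
     "SourceFileName": "final.docx", "SourceFileExtension": "docx"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        udm = map_file_fields(rec)
        print(f"{rec['Operation']:<16} {udm['metadata.event_type']:<28} {file_paths(udm)}")
    print(distinct_downloads_per_user(SAMPLE_RECORDS))
```

The rename record yields two paths (old name under src.file, new name under target.file) and the check-in record yields only target.file, so a search over both nouns, as file_paths does, is what finds a file by name across every operation.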
FileUploaded
The following table lists the log fields and corresponding UDM mappings for the "FileUploaded" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_SYNC; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ImplicitShare | target.resource.attribute.labels.key/value |
FileVersionsAllDeleted
The following table lists the log fields and corresponding UDM mappings for the "FileVersionsAllDeleted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
FileCheckedIn
The following table lists the log fields and corresponding UDM mappings for the "FileCheckedIn" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | workload map with intermediary.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckedOut
The following table lists the log fields and corresponding UDM mappings for the "FileCheckedOut" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | Uniquely identifies a resource in the site, such as a file or folder |
ItemType | Contains values such as File, Folder, Web, Site, Tenant and DocumentLibrary |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | Information about the user's browser, as provided by the browser |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | Not mapped to target.file.full_path, because the SiteUrl value is not a file-system path |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ComplianceSettingChanged
The following table lists the log fields and corresponding UDM mappings for the "ComplianceSettingChanged" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SharingType | target.labels.key/value |
LockRecord
The following table lists the log fields and corresponding UDM mappings for the "LockRecord" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnlockRecord
The following table lists the log fields and corresponding UDM mappings for the "UnlockRecord" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedFirstStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the "FileDeletedFirstStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedSecondStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the "FileDeletedSecondStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
(no log field) | metadata.event_type is set to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
RecordDelete
The following table lists the log fields and the corresponding UDM mappings for the "RecordDelete" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and the corresponding UDM mappings for the "DocumentSensitivityMismatchDetected" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and the corresponding UDM mappings for the "DocumentSensitivityMismatchDetected" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckOutOverrideed
The following table lists the log fields and the corresponding UDM mappings for the "FileCheckOutOverrideed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllMinorsRecycled
The following table lists the log fields and the corresponding UDM mappings for the "FileVersionsAllMinorsRecycled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllRecycled
The following table lists the log fields and the corresponding UDM mappings for the "FileVersionsAllRecycled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionRecycled
The following table lists the log fields and the corresponding UDM mappings for the "FileVersionRecycled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRestored
The following table lists the log fields and the corresponding UDM mappings for the "FileRestored" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileMalwareDetected
The following table lists the log fields and the corresponding UDM mappings for the "FileMalwareDetected" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
VirusInfo | security_result.threat_name |
VirusVendor | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SearchQueryPerform
The following table lists the log fields and the corresponding UDM mappings for the "SearchQueryPerform" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventData | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PageViewed
The following table lists the log fields and the corresponding UDM mappings for the "PageViewed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PagePrefetched
The following table lists the log fields and the corresponding UDM mappings for the "PagePrefetched" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ClientViewSignaled
The following table lists the log fields and the corresponding UDM mappings for the "ClientViewSignaled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url. Note: because ClientViewSignaled events are signaled by the client rather than the server, the event might not be logged by the server and therefore might not appear in the audit log, and the information in the audit record might not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
PageViewedExtended
The following table lists the log fields and the corresponding UDM mappings for the "PageViewedExtended" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FolderCreated
The following table lists the log fields and the corresponding UDM mappings for the "FolderCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDelete
The following table lists the log fields and the corresponding UDM mappings for the "FolderDelete" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderMove
The following table lists the log fields and the corresponding UDM mappings for the "FolderMove" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}. The SourceRelativeUrl field is not present in the log. |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. The DestinationRelativeUrl field is not present in the log. |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. The DestinationFileName field is not present in the log. |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path and target.file.full_path. SourceFileUrl is extracted from EventData and mapped to src.file.full_path, and TargetFileUrl is extracted and mapped to target.file.full_path, using the grok pattern {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl} |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
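As an added example (not Chronicle's parser code), the following Python mapper applies the FolderMove rows above and the FileRestored rows earlier on this page to constructed audit records, including the FolderMove case where the relative-URL fields are absent and both paths have to be recovered from EventData. The XML-style element syntax assumed for EventData, the sample values and the function names are assumptions.

```python
from __future__ import annotations

import re
from typing import Any, Optional

# Added example mapper for this page; it is not Chronicle's parser. Assumption:
# EventData carries the URLs as XML-style elements named as in the grok row above.
_EVENTDATA_RE = re.compile(
    r"<SourceFileUrl>(?P<src>.*?)</SourceFileUrl>.*?"
    r"<TargetFileUrl>(?P<dst>.*?)</TargetFileUrl>",
    re.DOTALL,
)

# Constructed sample records (not real tenant data).
SAMPLE_FOLDER_MOVE: dict[str, Any] = {
    "Operation": "FolderMove",
    "ObjectId": "https://tenant.example/sites/eng/Shared Documents/Archive",
    "Site": "site-constructed-01",
    "EventSource": "SharePoint",
    "Version": "1",
    "CorrelationId": "corr-constructed-01",
    "ListId": "list-constructed-01",
    "ListItemUniqueId": "item-constructed-01",
    "WebId": "web-constructed-01",
    "SourceFileName": "Archive",
    # SourceRelativeUrl / DestinationRelativeUrl / DestinationFileName are absent,
    # as the FolderMove table notes; the paths only exist inside EventData.
    "EventData": "<SourceFileUrl>Shared Documents/Archive</SourceFileUrl>"
    "<TargetFileUrl>Shared Documents/2023/Archive</TargetFileUrl>",
}
SAMPLE_FILE_RESTORED: dict[str, Any] = {
    "Operation": "FileRestored",
    "ObjectId": "https://tenant.example/sites/eng/Shared Documents/budget.xlsx",
    "EventSource": "SharePoint",
    "SourceRelativeUrl": "Shared Documents/Old",
    "SourceFileName": "budget.xlsx",
    "SourceFileExtension": "xlsx",
    "DestinationRelativeUrl": "Shared Documents",
    "DestinationFileName": "budget.xlsx",
    "DestinationFileExtension": "xlsx",
    "ListItemUniqueId": "item-constructed-02",
}


def join_path(relative_url: Optional[str], file_name: Optional[str]) -> Optional[str]:
    """Build {RelativeUrl}/{FileName} as the tables state; keep whichever part exists."""
    if relative_url and file_name:
        return f"{relative_url.rstrip('/')}/{file_name}"
    return relative_url or file_name or None


def paths_from_event_data(event_data: str) -> tuple[Optional[str], Optional[str]]:
    """Recover (source, target) paths from EventData when the URL fields are missing."""
    m = _EVENTDATA_RE.search(event_data or "")
    return (m.group("src"), m.group("dst")) if m else (None, None)


def common_fields(rec: dict[str, Any]) -> dict[str, Any]:
    """Mappings shared by the SharePoint/OneDrive tables on this page."""
    return {
        "metadata": {"product_version": rec.get("Version")},
        "principal": {"application": rec.get("EventSource"),
                      "asset_id": rec.get("ListItemUniqueId")},
        "network": {"http": {"user_agent": rec.get("UserAgent"),
                             "referral_url": rec.get("SiteUrl")}},
        "target": {"resource": {"resource_type": "STORAGE_OBJECT"},
                   "asset": {"product_object_id": rec.get("MachineId")},
                   "labels": {"Site": rec.get("Site"), "SharingType": rec.get("SharingType")},
                   "application": rec.get("ApplicationDisplayName")},
        "about": {"labels": {"WebId": rec.get("WebId")}},
        "security_result": {"detection_fields": {"CorrelationId": rec.get("CorrelationId"),
                                                 "ListId": rec.get("ListId")}},
        "src": {},
    }


def to_udm(rec: dict[str, Any]) -> dict[str, Any]:
    """Map one FolderMove or FileRestored audit record to a UDM-shaped dict."""
    op = rec.get("Operation")
    udm = common_fields(rec)
    src_path = join_path(rec.get("SourceRelativeUrl"), rec.get("SourceFileName"))
    dst_path = join_path(rec.get("DestinationRelativeUrl"), rec.get("DestinationFileName"))
    if op == "FolderMove":
        udm["metadata"]["event_type"] = "FILE_MOVE"
        # Edge case from the FolderMove table: the relative-URL fields are not in
        # the log, so fall back to SourceFileUrl/TargetFileUrl taken from EventData.
        if not rec.get("SourceRelativeUrl") or not rec.get("DestinationRelativeUrl"):
            ev_src, ev_dst = paths_from_event_data(rec.get("EventData", ""))
            src_path, dst_path = ev_src or src_path, ev_dst or dst_path
    elif op == "FileRestored":
        udm["metadata"]["event_type"] = "FILE_UNCATEGORIZED"
        udm["src"]["url"] = rec.get("ObjectId")  # ObjectId is set to src.url
    else:
        raise ValueError(f"no mapping on this page for operation {op!r}")
    udm["src"]["file"] = {"full_path": src_path, "mime_type": rec.get("SourceFileExtension")}
    udm["target"]["file"] = {"full_path": dst_path,
                             "mime_type": rec.get("DestinationFileExtension")}
    return udm


if __name__ == "__main__":
    for record in (SAMPLE_FOLDER_MOVE, SAMPLE_FILE_RESTORED):
        event = to_udm(record)
        print(record["Operation"], event["metadata"]["event_type"],
              event["src"]["file"]["full_path"], "->", event["target"]["file"]["full_path"])
```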
FolderRenamed
The following table lists the log fields and the corresponding UDM mappings for the "FolderRenamed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MOVE |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderModified
The following table lists the log fields and the corresponding UDM mappings for the "FolderModified" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderCopy
The following table lists the log fields and the corresponding UDM mappings for the "FolderCopy" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_COPY; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path |
SourceRelativeUrl | src.file.full_path |
DestinationRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderRestored
The following table lists the log fields and the corresponding UDM mappings for the "FolderRestored" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedFirstStageRecycleBin
The following table lists the log fields and the corresponding UDM mappings for the "FolderDeletedFirstStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedSecondStageRecycleBin
The following table lists the log fields and the corresponding UDM mappings for the "FolderDeletedSecondStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadFull
The following table lists the log fields and the corresponding UDM mappings for the "FileSyncDownloadFull" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is set to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadPartial
The following table lists the log fields and corresponding UDM mappings for the "FileSyncDownloadPartial" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadFull
The following table lists the log fields and corresponding UDM mappings for the "FileSyncUploadFull" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_SYNC |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadPartial
The following table lists the log fields and corresponding UDM mappings for the "FileSyncUploadPartial" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_SYNC |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ManagedSyncClientAllowed
The following table lists the log fields and corresponding UDM mappings for the "ManagedSyncClientAllowed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_WRITTEN |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnmanagedSyncClientBlock
The following table lists the log fields and corresponding UDM mappings for the "UnmanagedSyncClientBlock" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
AddedToGroup
The following table lists the log fields and corresponding UDM mappings for the "AddedToGroup" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GROUP_MODIFICATION |
ObjectId | target.url |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
EventData | target.group.group_display_name |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupAdded
The following table lists the log fields and corresponding UDM mappings for the "GroupAdded" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GROUP_CREATION |
ObjectId | target.url |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupRemoved
The following table lists the log fields and corresponding UDM mappings for the "GroupRemoved" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GROUP_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebRequestAccessModified
The following table lists the log fields and corresponding UDM mappings for the "WebRequestAccessModified" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
ObjectId | target.url |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebMembersCanShareModified
The following table lists the log fields and corresponding UDM mappings for the "WebMembersCanShareModified" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
version | metadata.product_version |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelModified
The following table lists the log fields and corresponding UDM mappings for the "PermissionLevelModified" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
ObjectId | target.url |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.resource.attribute.permissions.name: BasePermissions is mapped to target.resource.attribute.permissions.name |
version | metadata.product_version |
WebID | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminAdded
The following table lists the log fields and corresponding UDM mappings for the "SiteCollectionAdminAdded" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If Name is SiteAdmin, then NewValue is mapped to target.user.userid or target.user.email_addresses |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminRemoved
The following table lists the log fields and corresponding UDM mappings for the "SiteCollectionAdminRemoved" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If Name is SiteAdmin, then NewValue is mapped to target.user.userid or target.user.email_addresses |
AssertingApplicationId | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelRemoved
The following table lists the log fields and corresponding UDM mappings for the "PermissionLevelRemoved" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
ObjectId | target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
RemovedFromGroup
The following table lists the log fields and corresponding UDM mappings for the "RemovedFromGroup" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GROUP_MODIFICATION |
ObjectId | target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.group.group_display_name |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupUpdated
The following table lists the log fields and corresponding UDM mappings for the "GroupUpdated" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GROUP_MODIFICATION |
ObjectId | target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.referral_url |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
ProjectCheckedOut
The following table lists the log fields and corresponding UDM mappings for the "ProjectCheckedOut" operation and the "Project" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
ProjectAccessed
The following table lists the log fields and corresponding UDM mappings for the "ProjectAccessed" operation and the "Project" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| | target.resource.resource_type is set to STORAGE_OBJECT |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
SharedInheritanceBroken
The following table lists the log fields and corresponding UDM mappings for the "SharedInheritanceBroken" operation and the "SharePoint" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
AddedToSecureLink
The following table lists the log fields and corresponding UDM mappings for the "AddedToSecureLink" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
ObjectId | target.url |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
CorrelationId | security_result.detection_fields.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok: grok { match => { "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>" } }; Type is mapped to target.resource.attribute.labels.key/value; MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
UniqueSharingId | target.labels.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SourceName | principal.labels.key/value |
ApplicationDisplayName | target.application |
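As an added worked example, not code from this documentation or from the Chronicle OFFICE_365 parser, the following Python applies two of the conditional rules that appear in the AddedToGroup and AddedToSecureLink tables above to constructed audit records: the TargetUserOrGroupType check that routes TargetUserOrGroupName to either target.group.group_display_name or target.user, and the grok-style extraction of the <Type> and <MembersCanShareApplied> elements of EventData into target.resource.attribute.labels. The sample records, the choice between email_addresses and userid by the presence of "@", the GENERIC_EVENT fallback for operations not in the lookup, and the helper names are assumptions of this example, not behaviour documented on this page.

```python
import re

# Constructed sample Office 365 audit records (not real tenant data). Each one
# exercises one of the conditional rules documented in the tables above.
SAMPLE_EVENTS = [
    {
        "Operation": "AddedToGroup",
        "Workload": "SharePoint",
        "ObjectId": "https://contoso.example/sites/hr",
        "TargetUserOrGroupName": "HR Owners",
        "TargetUserOrGroupType": "SharePointGroup",
        "CorrelationId": "corr-0001",
    },
    {
        "Operation": "AddedToSecureLink",
        "Workload": "SharePoint/OneDrive",
        "ObjectId": "https://contoso.example/personal/alice/Documents/plan.docx",
        "TargetUserOrGroupName": "bob@contoso.example",
        "TargetUserOrGroupType": "Guest",
        "EventData": "<Type>View</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
        "CorrelationId": "corr-0002",
    },
]

# Operation -> metadata.event_type, copied from the tables on this page.
# GENERIC_EVENT as a fallback for anything else is an assumption of this example.
EVENT_TYPE_BY_OPERATION = {
    "AddedToGroup": "GROUP_MODIFICATION",
    "AddedToSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
    "RemovedFromSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
}

# Compared case-insensitively: the page spells the value "SharepointGroup"
# while the audit log emits "SharePointGroup".
GROUP_TYPES = {"securitygroup", "sharepointgroup"}
USER_TYPES = {"guest", "member"}

# Stand-in for the grok match in the table: one capture per XML-style element.
EVENT_DATA_TAG = re.compile(r"<(?P<tag>[A-Za-z]+)>(?P<value>[^<]*)</(?P=tag)>")


def set_path(udm, dotted, value):
    """Assign value at a dotted UDM path such as 'target.group.group_display_name'."""
    node = udm
    parts = dotted.split(".")
    for key in parts[:-1]:
        node = node.setdefault(key, {})
    node[parts[-1]] = value


def map_target_user_or_group(event, udm):
    """Apply the TargetUserOrGroupType rule: group types fill target.group,
    user types fill target.user. Using email_addresses when the name contains
    '@' and userid otherwise is an assumption of this example."""
    name = event.get("TargetUserOrGroupName")
    kind = (event.get("TargetUserOrGroupType") or "").lower()
    if name is None:
        return
    if kind in GROUP_TYPES:
        set_path(udm, "target.group.group_display_name", name)
    elif kind in USER_TYPES:
        if "@" in name:
            set_path(udm, "target.user.email_addresses", [name])
        else:
            set_path(udm, "target.user.userid", name)
    else:
        # Unknown type: keep the raw value as a label rather than guessing.
        udm.setdefault("target", {}).setdefault("labels", []).append(
            {"key": "TargetUserOrGroupName", "value": name})


def extract_event_data(event_data):
    """Split the XML-like EventData payload into {tag: value}, mirroring the
    grok extraction of <Type> and <MembersCanShareApplied>."""
    return {m.group("tag"): m.group("value")
            for m in EVENT_DATA_TAG.finditer(event_data or "")}


def to_udm(event):
    """Normalize one audit record into a partial UDM event (dict form)."""
    udm = {"metadata": {"event_type": EVENT_TYPE_BY_OPERATION.get(
        event["Operation"], "GENERIC_EVENT")}}
    if "ObjectId" in event:
        set_path(udm, "target.url", event["ObjectId"])
    if "CorrelationId" in event:
        set_path(udm, "security_result.detection_fields",
                 [{"key": "CorrelationId", "value": event["CorrelationId"]}])
    map_target_user_or_group(event, udm)
    for tag, value in extract_event_data(event.get("EventData")).items():
        udm.setdefault("target", {}).setdefault("resource", {}).setdefault(
            "attribute", {}).setdefault("labels", []).append({"key": tag, "value": value})
    return udm


if __name__ == "__main__":
    import json
    for ev in SAMPLE_EVENTS:
        print(json.dumps(to_udm(ev), indent=2))
```

Running the module prints the two normalized records; the first lands in target.group because its type is a SharePoint group, the second in target.user.email_addresses with the EventData elements attached as labels. A record whose TargetUserOrGroupType is not one of the documented values is kept as a raw label so that nothing is silently dropped.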
CompanyLinkCreated
The following table lists the log fields and corresponding UDM mappings for the "CompanyLinkCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| | target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
ApplicationDisplayName | target.application |
CompanyLinkUsed
The following table lists the log fields and corresponding UDM mappings for the "CompanyLinkUsed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| | target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SecureLinkCreated
The following table lists the log fields and corresponding UDM mappings for the "SecureLinkCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
SharedInviteCreated
The following table lists the log fields and corresponding UDM mappings for the "SharedInviteCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
ObjectId | target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value: Sharing level is mapped to target.resource.attribute.labels.key/value; ExpirationDate is mapped to target.resource.attribute.labels.key/value; MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkDeleted
The following table lists the log fields and corresponding UDM mappings for the "SecureLinkDeleted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
ObjectId | target.url |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has values like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has values like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok: grok { match => { "EventData" => "<Type>{type_value}</Type>" } }; Type is mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
RemovedFromSecureLink
The following table lists the log fields and the corresponding UDM mappings for the "RemovedFromSecureLink" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE. ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok, matching EventData against <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>; Type and MembersCanShareApplied are each mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Sharing invitation revoked
The following table lists the log fields and the corresponding UDM mappings for the "SharingInvitationRevoked" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE. ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
Secure link updated
The following table lists the log fields and the corresponding UDM mappings for the "SecureLinkUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok, matching EventData against <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>; Type and MembersCanShareApplied are each mapped to target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkUsed
The following table lists the log fields and the corresponding UDM mappings for the "SecureLinkUsed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
Sharing revoked
The following table lists the log fields and the corresponding UDM mappings for the "SharingRevoked" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. target.resource.resource_type is set to STORAGE_OBJECT. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
Sharing set
The following table lists the log fields and the corresponding UDM mappings for the "SharedSet" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to FILE_SYNC. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Permission level added
The following table lists the log fields and the corresponding UDM mappings for the "PermissionLevelAdded" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name. BasePermissions is mapped to target.resource.attribute.permissions.name |
Sharing invitation accepted
The following table lists the log fields and the corresponding UDM mappings for the "SharedInviteAccepted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.name. Added to Group is mapped to target.resource.name |
Sharing invitation blocked
The following table lists the log fields and the corresponding UDM mappings for the "SharingInvitationBlocked" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
EventData | security_result.summary. Reason is mapped to security_result.summary |
Access request created
The following table lists the log fields and the corresponding UDM mappings for the "AccessRequestCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
EventData | target.resource.attribute.labels.key/value. Sharing level is mapped to target.resource.attribute.labels.key/value; ExpirationDate is mapped to target.resource.attribute.labels.key/value |
Anonymous link created
The following table lists the log fields and the corresponding UDM mappings for the "AnonymousLinkCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok, matching EventData against <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>; Type and MembersCanShareApplied are each mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
Access request updated
The following table lists the log fields and the corresponding UDM mappings for the "AccessRequestUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to STATUS_UPDATE. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
ModifiedProperties | target.labels.key/value |
Company link removed
The following table lists the log fields and the corresponding UDM mappings for the "CompanyLinkRemoved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok, matching EventData against <Type>{type_value}</Type>; Type is mapped to target.resource.attribute.labels.key/value |
Access request approved
The following table lists the log fields and the corresponding UDM mappings for the "AccessRequestApproved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
EventData | target.resource.name. Extracted using grok, matching EventData against <Added to group>{target_resource_name}.*; the captured value is mapped to target.resource.name |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Anonymous link removed
The following table lists the log fields and the corresponding UDM mappings for the "AnonymousLinkRemoved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION. ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok, matching EventData against <Type>{type_value}</Type>; Type is mapped to target.resource.attribute.labels.key/value |
SourceFileExtension | target.file.mime_type |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
MachineId | target.asset.product_object_id |
Anonymous link updated
The following table lists the log fields and the corresponding UDM mappings for the "AnonymousLinkUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to STATUS_UPDATE. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extracted using grok, matching EventData against <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>; Type and MembersCanShareApplied are each mapped to target.resource.attribute.labels.key/value |
Sharing invitation updated
The following table lists the log fields and the corresponding UDM mappings for the "SharingInvitationUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ModifiedProperties | target.labels.key/value |
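As an added example (not Chronicle's parser), the following Python applies three of the rules from the SharePoint/OneDrive tables above to constructed audit records: the per-operation metadata.event_type, the TargetUserOrGroupType branch between group and user fields, and the grok-style extraction of Type and MembersCanShareApplied from EventData. The operation table is a subset of the page, the userid-versus-email_addresses split is an assumption, and the records are constructed.

```python
"""Normalize Microsoft 365 SharePoint/OneDrive sharing audit records into
the UDM fields described in the mapping tables.

Added example, not Chronicle's parser. Sample records are constructed."""
import json
import re

# Operation -> metadata.event_type, as listed in the tables (subset).
EVENT_TYPES = {
    "SecureLinkDeleted": "USER_RESOURCE_DELETION",
    "RemovedFromSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
    "SecureLinkUpdated": "USER_RESOURCE_UPDATE_CONTENT",
    "SecureLinkUsed": "USER_RESOURCE_ACCESS",
    "PermissionLevelAdded": "USER_CHANGE_PERMISSIONS",
    "AccessRequestCreated": "USER_RESOURCE_ACCESS",
    "AccessRequestUpdated": "STATUS_UPDATE",
    "CompanyLinkRemoved": "USER_RESOURCE_DELETION",
}

# Log fields copied one-to-one into a UDM field in every table.
DIRECT = {
    "ObjectId": "target.url",
    "EventSource": "principal.application",
    "UserAgent": "network.http.user_agent",
    "SiteUrl": "network.http.referral_url",
    "ApplicationDisplayName": "target.application",
    "Version": "metadata.product_version",
    "MachineId": "target.asset.product_object_id",
    "SourceFileExtension": "target.file.mime_type",
    "ListItemUniqueId": "principal.asset_id",
}

# Equivalent of the grok in the EventData rows: <Type>...</Type> followed
# by an optional <MembersCanShareApplied>...</MembersCanShareApplied>.
EVENT_DATA_RE = re.compile(
    r"<Type>(?P<type_value>[^<]*)</Type>"
    r"(?:<MembersCanShareApplied>(?P<members_share_value>[^<]*)"
    r"</MembersCanShareApplied>)?"
)

GROUP_TYPES = {"securitygroup", "sharepointgroup"}
USER_TYPES = {"guest", "member"}


def normalize(record):
    """Return a flat dict of UDM field name -> value for one audit record."""
    udm = {}
    event_type = EVENT_TYPES.get(record.get("Operation"))
    if event_type:
        udm["metadata.event_type"] = event_type
    for log_field, udm_field in DIRECT.items():
        if record.get(log_field):
            udm[udm_field] = record[log_field]
    # target.file.full_path is set to SourceRelativeUrl or SourceFileName.
    full_path = record.get("SourceRelativeUrl") or record.get("SourceFileName")
    if full_path:
        udm["target.file.full_path"] = full_path
    # TargetUserOrGroupName lands in a group field or a user field, chosen
    # by TargetUserOrGroupType; any other type maps nothing.
    name = record.get("TargetUserOrGroupName")
    kind = (record.get("TargetUserOrGroupType") or "").lower()
    if name and kind in GROUP_TYPES:
        udm["target.group.group_display_name"] = name
    elif name and kind in USER_TYPES:
        # Assumption: an address goes to email_addresses, anything else to userid.
        if "@" in name:
            udm["target.user.email_addresses"] = [name]
        else:
            udm["target.user.userid"] = name
    # EventData: Type and MembersCanShareApplied become resource labels.
    match = EVENT_DATA_RE.search(record.get("EventData") or "")
    if match:
        labels = {"Type": match.group("type_value")}
        if match.group("members_share_value") is not None:
            labels["MembersCanShareApplied"] = match.group("members_share_value")
        udm["target.resource.attribute.labels"] = labels
    return udm


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {
        "Operation": "SecureLinkUpdated",
        "Workload": "SharePoint",
        "ObjectId": "https://contoso.sharepoint.com/sites/hr/Shared Documents/plan.xlsx",
        "SiteUrl": "https://contoso.sharepoint.com/sites/hr/",
        "SourceFileName": "plan.xlsx",
        "SourceRelativeUrl": "Shared Documents",
        "TargetUserOrGroupName": "guest@partner.example",
        "TargetUserOrGroupType": "Guest",
        "EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
        "Version": 1,
    },
    {
        "Operation": "RemovedFromSecureLink",
        "Workload": "OneDrive",
        "ObjectId": "https://contoso-my.sharepoint.com/personal/a_contoso_com/Documents/notes.docx",
        "SourceFileName": "notes.docx",
        "TargetUserOrGroupName": "Finance Members",
        "TargetUserOrGroupType": "SharePointGroup",
        "EventData": "<Type>View</Type>",
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(json.dumps(normalize(rec), indent=2))
```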
event_type is mapped to USER_RESOURCE_ACCESS | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
Link anonimo utilizzato
La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "AnaLinkLinkUsed" e il carico di lavoro "SharePoint/OneDrive":
Add group
The following table lists the log fields and corresponding UDM mappings for the "Add group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_CREATION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to "Group creation successful"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to "Group creation failed". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add member to group
The following table lists the log fields and corresponding UDM mappings for the "Add member to group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to "Group membership updated successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to "Group membership update failed". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.group.product_object_id, target.group.group_display_name. Group.ObjectId is mapped to target.group.product_object_id and Group.DisplayName is mapped to target.group.group_display_name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
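The rows of the "Add member to group" table read as a procedure, and it helps to see them applied to a concrete record. The Python below is an added example, not Chronicle parser code: it walks one Office 365 Management Activity API Azure AD record (Operation, ResultStatus, Actor and Target lists with ID and Type, ExtendedProperties, ModifiedProperties) and emits the UDM fields the table describes. The sample record is constructed. Three details are assumptions because the table leaves them unspecified: an ID containing "@" is treated as an email address rather than a userid, ActorIpAddress is split into ip and port only when it has the IPv4:port form, and the detection-field key names are invented for illustration.

```python
import json
import re


def _user_field(ident):
    # Assumption: the table says "userid or email_addresses" but not how the
    # parser chooses; an ID containing "@" is treated as an email address here.
    return "target.user.email_addresses" if "@" in ident else "target.user.userid"


def _split_ip_port(value):
    # Assumption: ActorIpAddress may arrive as "ip:port"; only IPv4:port is split.
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", value or "")
    return (m.group(1), int(m.group(2))) if m else (value, None)


def normalize_group_membership_event(record):
    """Map one 'Add member to group' audit record to UDM fields, row by row."""
    udm = {
        "metadata.event_type": "GROUP_MODIFICATION",
        "security_result.detection_fields": [],  # repeated key/value pairs
        "target.resource.attribute.labels": {},
        "principal.labels": {},
        "target.labels": {},
        "about.labels": {},
    }
    # ResultStatus: Success -> ALLOW, Failure -> BLOCK, with the fixed summaries.
    status = record.get("ResultStatus")
    if status == "Success":
        udm["security_result.action"] = "ALLOW"
        udm["security_result.summary"] = "Group membership updated successfully"
    elif status == "Failure":
        udm["security_result.action"] = "BLOCK"
        udm["security_result.summary"] = "Group membership update failed"
    # Single-valued rows that land in label sets.
    label_rows = {
        "AzureActiveDirectoryEventType": "target.resource.attribute.labels",
        "InterSystemsId": "target.resource.attribute.labels",
        "IntraSystemId": "target.resource.attribute.labels",
        "ActorContextId": "principal.labels",
        "TargetContextId": "target.labels",
        "SupportTicketId": "about.labels",
    }
    for field, bucket in label_rows.items():
        if field in record:
            udm[bucket][field] = str(record[field])
    if "Version" in record:
        udm["metadata.product_version"] = str(record["Version"])
    # ActorIpAddress: principal.ip and principal.port.
    ip, port = _split_ip_port(record.get("ActorIpAddress"))
    if ip:
        udm["principal.ip"] = ip
    if port is not None:
        udm["principal.port"] = port
    # ExtendedProperties: additionalDetails is a JSON string that may carry a
    # User-Agent; extendedAuditEventCategory goes to target.resource labels;
    # every other property goes to about.labels.
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value")
        if name == "additionalDetails":
            try:
                details = json.loads(value)
            except (TypeError, ValueError):
                details = {}
            if details.get("User-Agent"):
                udm["network.http.user_agent"] = details["User-Agent"]
        elif name == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"][name] = value
        else:
            udm["about.labels"][name] = value
    # ModifiedProperties: Group.ObjectId and Group.DisplayName.
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Group.ObjectId":
            udm["target.group.product_object_id"] = prop.get("NewValue")
        elif prop.get("Name") == "Group.DisplayName":
            udm["target.group.group_display_name"] = prop.get("NewValue")
    # Actor: every entry becomes a detection field (key names are assumptions).
    for entry in record.get("Actor", []):
        udm["security_result.detection_fields"].append(
            {"key": f"Actor.Type{entry.get('Type')}", "value": entry.get("ID")})
    # Target: Type 5 is the user being added; other types become detection fields.
    for entry in record.get("Target", []):
        if entry.get("Type") == 5:
            udm[_user_field(entry.get("ID", ""))] = entry.get("ID")
        else:
            udm["security_result.detection_fields"].append(
                {"key": f"Target.Type{entry.get('Type')}", "value": entry.get("ID")})
    return udm


# Constructed sample record; the IDs and addresses are not from any real tenant.
SAMPLE_ADD_MEMBER = {
    "Operation": "Add member to group.",
    "Workload": "AzureActiveDirectory",
    "ResultStatus": "Success",
    "Version": 1,
    "AzureActiveDirectoryEventType": 1,
    "ActorIpAddress": "203.0.113.10:51234",
    "Actor": [{"ID": "admin@example.com", "Type": 5}],
    "Target": [{"ID": "newuser@example.com", "Type": 5}, {"ID": "User", "Type": 2}],
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": '{"User-Agent": "Mozilla/5.0 (constructed)"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Group"},
    ],
    "ModifiedProperties": [
        {"Name": "Group.ObjectId", "NewValue": "33333333-3333-3333-3333-333333333333", "OldValue": ""},
        {"Name": "Group.DisplayName", "NewValue": "Finance Admins", "OldValue": ""},
    ],
}

if __name__ == "__main__":
    for key, value in normalize_group_membership_event(SAMPLE_ADD_MEMBER).items():
        print(f"{key}: {value}")
```

Running the block against the constructed record shows which UDM field an analyst should query for each detail: the group lands in target.group.product_object_id and target.group.group_display_name, the added member in target.user.email_addresses, and any non-user Target entry only in security_result.detection_fields.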
Add user
The following table lists the log fields and corresponding UDM mappings for the "Add user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CREATION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Change user license
The following table lists the log fields and corresponding UDM mappings for the "Change user license" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Change user password
The following table lists the log fields and corresponding UDM mappings for the "Change user password" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete group
The following table lists the log fields and corresponding UDM mappings for the "Delete group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to "Group deletion successful"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to "Group deletion failed". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Remove member from group
The following table lists the log fields and corresponding UDM mappings for the "Remove member from group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to "Group membership updated successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to "Group membership update failed". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.group.product_object_id, target.group.group_display_name. Group.ObjectId is mapped to target.group.product_object_id and Group.DisplayName is mapped to target.group.group_display_name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete user
The following table lists the log fields and corresponding UDM mappings for the "Delete user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_DELETION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to "User deleted successfully". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update user
The following table lists the log fields and corresponding UDM mappings for the "Update user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to "User updated successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to "User update failed". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update group
The following table lists the log fields and corresponding UDM mappings for the "Update group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | If ObjectId is not empty and is not "Not Available", ObjectId is mapped to target.group.product_object_id. |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
UserLoggedIn
The following table lists the log fields and corresponding UDM mappings for the "UserLoggedIn" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN | If ResultStatus is Succeeded or Success, security_result.action is set to ALLOW and security_result.summary to "User login successful"; otherwise, if ResultStatus is Failed or LogonError is not empty, security_result.action is set to BLOCK, security_result.summary to "User login failed" and security_result.description to {LogonError}. UserId is mapped to target.user.userid or target.user.email_addresses. metadata.description is set to "User Login - {Workload}". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, extensions.auth.type, extensions.auth.mechanism |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id, principal.platform, principal.hostname. If Name is OS, Value is mapped to principal.platform: a value matching Windows gives WINDOWS, Mac gives MAC and Linux gives LINUX. If Name is SessionId, Value is mapped to network.session_id. If Name is DisplayName, Value is mapped to principal.hostname. |
ErrorCode | security_result.description. security_result.description is set to "ErrorCode - {ErrorCode}". |
LogonError | security_result.description |
UserLoginFailed
The following table lists the log fields and corresponding UDM mappings for the "UserLoginFailed" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN | security_result.action is set to BLOCK and security_result.summary to "User login failed". |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, extensions.auth.type, extensions.auth.mechanism. If Name is RequestType and Value matches Saml.* or OAuth2.*, extensions.auth.type is set to MACHINE; if Name is RequestType and Value matches Login.*, extensions.auth.type is set to REMOTE_INTERACTIVE. If Name is UserAgent, Value is mapped to network.http.user_agent. If Name is UserAuthenticationMethod, extensions.auth.type is set based on Value. If Name is requestType, extensions.auth.type is set based on Value. |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id, principal.platform, principal.hostname. If Name is OS, Value is mapped to principal.platform: a value matching Windows gives WINDOWS, Mac gives MAC and Linux gives LINUX. If Name is SessionId, Value is mapped to network.session_id. If Name is DisplayName, Value is mapped to principal.hostname. |
ErrorCode | security_result.description. security_result.description is set to "ErrorCode - {ErrorCode}". |
LogonError | security_result.description. If LogonError is UserAccountNotFound, extensions.auth.mechanism is set to USERNAME_PASSWORD. |
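The UserLoggedIn and UserLoginFailed tables share most of their rows, and the login outcome, the RequestType to extensions.auth.type rule and the DeviceProperties rows are the ones that decide what a sign-in detection can query. The Python below is an added example, not Chronicle parser code: it applies those rows to two constructed records in the Office 365 Management Activity API shape. Assumptions, because the tables leave them open: the OS match is case-insensitive, a UserId containing "@" is stored as an email address, LogonError and ErrorCode are joined with "; " when both feed security_result.description, principal.port is not split from ActorIpAddress here, and UserAuthenticationMethod is skipped because the page does not give its value table.

```python
import re


def _platform_from_os(value):
    # OS row: Windows -> WINDOWS, Mac -> MAC, Linux -> LINUX. Assumption: the
    # match is case-insensitive; the page only names the three keywords.
    text = (value or "").lower()
    for keyword, platform in (("windows", "WINDOWS"), ("mac", "MAC"), ("linux", "LINUX")):
        if keyword in text:
            return platform
    return None


def normalize_login_event(record):
    """Map a UserLoggedIn or UserLoginFailed record to UDM, following the table rows."""
    udm = {
        "metadata.event_type": "USER_LOGIN",
        "metadata.description": f"User Login - {record.get('Workload', '')}",
    }
    status = record.get("ResultStatus")
    logon_error = record.get("LogonError")
    # Outcome row, in the order the table gives it: a Succeeded/Success status
    # wins; otherwise Failed or a non-empty LogonError means a blocked login.
    if status in ("Succeeded", "Success"):
        udm["security_result.action"] = "ALLOW"
        udm["security_result.summary"] = "User login successful"
    elif status == "Failed" or logon_error:
        udm["security_result.action"] = "BLOCK"
        udm["security_result.summary"] = "User login failed"
        if logon_error:
            udm["security_result.description"] = logon_error
    # LogonError row: UserAccountNotFound marks a username/password attempt.
    if logon_error == "UserAccountNotFound":
        udm["extensions.auth.mechanism"] = "USERNAME_PASSWORD"
    # ErrorCode row. Both LogonError and ErrorCode feed security_result.description;
    # joining them with "; " is an assumption, the page does not say how they combine.
    if record.get("ErrorCode"):
        code = f"ErrorCode - {record['ErrorCode']}"
        previous = udm.get("security_result.description")
        udm["security_result.description"] = f"{previous}; {code}" if previous else code
    # UserId row (assumption: "@" distinguishes an email address from a bare user id).
    user = record.get("UserId")
    if user:
        udm["target.user.email_addresses" if "@" in user else "target.user.userid"] = user
    # ActorIpAddress row (port splitting omitted in this example).
    if record.get("ActorIpAddress"):
        udm["principal.ip"] = record["ActorIpAddress"]
    # ExtendedProperties row: RequestType selects extensions.auth.type and
    # UserAgent fills network.http.user_agent.
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value") or ""
        if name in ("RequestType", "requestType"):
            if re.match(r"(Saml|OAuth2)", value):
                udm["extensions.auth.type"] = "MACHINE"
            elif re.match(r"Login", value):
                udm["extensions.auth.type"] = "REMOTE_INTERACTIVE"
        elif name == "UserAgent":
            udm["network.http.user_agent"] = value
    # DeviceProperties row: OS, SessionId and DisplayName.
    for prop in record.get("DeviceProperties", []):
        name, value = prop.get("Name"), prop.get("Value")
        if name == "OS":
            platform = _platform_from_os(value)
            if platform:
                udm["principal.platform"] = platform
        elif name == "SessionId":
            udm["network.session_id"] = value
        elif name == "DisplayName":
            udm["principal.hostname"] = value
    return udm


# Constructed sample records; addresses and identifiers are not from a real tenant.
SAMPLE_LOGIN_OK = {
    "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
    "ResultStatus": "Succeeded", "UserId": "alice@example.com",
    "ActorIpAddress": "198.51.100.7",
    "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (constructed)"},
                           {"Name": "RequestType", "Value": "OAuth2:Authorize"}],
    "DeviceProperties": [{"Name": "OS", "Value": "Windows 10"},
                         {"Name": "DisplayName", "Value": "LAPTOP-CONSTRUCTED"},
                         {"Name": "SessionId", "Value": "b1f0c3ab-0000-4000-8000-000000000000"}],
}
SAMPLE_LOGIN_FAILED = {
    "Operation": "UserLoginFailed", "Workload": "AzureActiveDirectory",
    "ResultStatus": "Failed", "UserId": "nobody@example.com",
    "LogonError": "UserAccountNotFound", "ErrorCode": "50034",
    "ActorIpAddress": "198.51.100.9",
    "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"}],
    "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}],
}

if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN_OK, SAMPLE_LOGIN_FAILED):
        print(normalize_login_event(sample))
```

The failed sample shows why the LogonError row matters for detection content: the reason text survives in security_result.description, and a UserAccountNotFound value is the only case that sets extensions.auth.mechanism, so a rule that keys on the mechanism alone would miss other failure reasons.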
Update StsRefreshTokenValidFrom Timestamp
The following table lists the log fields and corresponding UDM mappings for the "Update StsRefreshTokenValidFrom Timestamp" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update device
The following table lists the log fields and corresponding UDM mappings for the "Update device" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | target.resource.resource_type is set to DEVICE. If ResultStatus is Success, security_result.action is set to ALLOW; if ResultStatus is Failure, security_result.action is set to BLOCK. |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in ModifiedProperties, it is mapped to target.resource.name; otherwise the ID of the Target field is used when its Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, NewValue is mapped to security_result.description; if Name is DisplayName, NewValue is mapped to target.resource.name; if Name is Included Updated Properties, NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Set federation settings on domain
The following table lists the log fields and corresponding UDM mappings for the "Set federation settings on domain" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION | target.resource.resource_type is set to SETTING. Required field for SETTING_MODIFICATION UDM validation: a principal machine identifier (principal IP, hostname, asset ID, MAC address, and so on). The official Office 365 documentation lists ClientIP as mandatory for all Office 365 activities, but in some cases it is absent; when ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Verify domain
The following table lists the log fields and corresponding UDM mappings for the "Verify domain" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED | Required field for STATUS_UNCATEGORIZED UDM validation: a principal machine identifier (principal IP, hostname, asset ID, MAC address, and so on). The official Office 365 documentation lists ClientIP as mandatory for all Office 365 activities, but in some cases it is absent; when ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Set Company Information
The following table lists the log fields and corresponding UDM mappings for the "Set Company Information" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Reset user password
The following table lists the log fields and corresponding UDM mappings for the "Reset user password" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Disable account
The following table lists the log fields and corresponding UDM mappings for the "Disable account" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.description, security_result.summary, target.labels.key/value. If Name is AccountEnabled, security_result.description is set to "AccountEnabled - {NewValue}"; if Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
ModifiedProperties | security_result.summary
target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete application password for user
The following table lists the log fields and the corresponding UDM mappings for the "Delete application password for user" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_DELETION; target.resource.resource_type is DEVICE; if ResultStatus is Success, Action is set to ALLOW; if ResultStatus is Failure, Action is set to BLOCK |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is targetObjectId, Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary | If a DisplayName value is present in ModifiedProperties, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped if Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, NewValue is mapped to security_result.description; if Name is DisplayName, NewValue is mapped to target.resource.name; if Name is Included Updated Properties, NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Delete device
The following table lists the log fields and the corresponding UDM mappings for the "Delete device" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_DELETION; target.resource.resource_type is DEVICE; if ResultStatus is Success, Action is set to ALLOW; if ResultStatus is Failure, Action is set to BLOCK |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is targetObjectId, Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary | If a DisplayName value is present in ModifiedProperties, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped if Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, NewValue is mapped to security_result.description; if Name is DisplayName, NewValue is mapped to target.resource.name; if Name is Included Updated Properties, NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add registered users to device
The following table lists the log fields and the corresponding UDM mappings for the "Add registered users to device" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id, target.resource.name | If Name is Device.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Device.DisplayName, NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add registered owner to device
The following table lists the log fields and the corresponding UDM mappings for the "Add registered owner to device" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id, target.resource.name | If Name is Device.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Device.DisplayName, NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add owner to group
The following table lists the log fields and the corresponding UDM mappings for the "Add owner to group" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.group.product_object_id, target.group.group_display_name | If Name is Group.ObjectId, NewValue is mapped to target.group.product_object_id; if Name is Group.DisplayName, NewValue is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add OAuth2PermissionGrant
The following table lists the log fields and the corresponding UDM mappings for the "Add OAuth2PermissionGrant" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id, target.resource.name, security_result.summary | If Name is ServicePrincipal.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is ServicePrincipal.DisplayName, NewValue is mapped to target.resource.name; if Name is Included Updated Properties, NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add device
The following table lists the log fields and the corresponding UDM mappings for the "Add device" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is DEVICE; if ResultStatus is Success, Action is set to ALLOW; if ResultStatus is Failure, Action is set to BLOCK |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is targetObjectId, Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary | If a DisplayName value is present in ModifiedProperties, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped if Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, NewValue is mapped to security_result.description; if Name is DisplayName, NewValue is mapped to target.resource.name; if Name is Included Updated Properties, NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add app role assignment grant to user
The following table lists the log fields and the corresponding UDM mappings for the "Add app role assignment grant to user" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; Workload is mapped to intermediary.application |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | target.application, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is targetName, Value is mapped to target.application; if Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.user.userid or target.user.email_addresses | If Name is User.UPN, NewValue is mapped to target.user.userid or target.user.email_addresses |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Consent to application
The following table lists the log fields and the corresponding UDM mappings for the "Consent to application" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | security_result.summary, target.labels.key/value | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise to target.labels.key/value |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Update service principal
The following table lists the log fields and the corresponding UDM mappings for the "Update service principal" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING; ObjectId is mapped to target.url |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | security_result.summary, target.resource.name | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add service principal
The following table lists the log fields and the corresponding UDM mappings for the "Add service principal" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is mapped to target.url |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | security_result.summary, target.resource.name | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Remove service principal
The following table lists the log fields and the corresponding UDM mappings for the "Remove service principal" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | security_result.summary, target.resource.name | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemId | target.resource.attribute.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
Add member to role
The following table lists the log fields and the corresponding UDM mappings for the "Add member to role" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_UNCATEGORIZED. If ResultStatus is Success, Action is set to ALLOW and security_result.summary is set to "Added a user to an admin role successfully"; if ResultStatus is Failure, Action is set to BLOCK and security_result.summary is set to "Added a user to an admin role failed". ObjectId is mapped to target.url |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id, target.user.attribute.roles.name | If Name is Role.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Role.DisplayName, NewValue is mapped to target.user.attribute.roles.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
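The "Delete device" and "Add member to role" tables above describe the same record shape with different per-operation rules. The following Python normalizer is an added example, not the Chronicle parser or any code from this page: it applies those two tables to a constructed audit record so the conditional logic (ResultStatus to Action and summary, ExtendedProperties dispatch, Target Type handling, DisplayName taking precedence over a Type 1 Target) can be checked in one place. The flat dotted-key output, the helper names (`normalize`, `split_ip_port`), the dispatch tables, the detection_fields key format `Actor.<Type>` / `Target.<Type>`, and the sample record are assumptions of the example; the UDM field paths and the fixed summary strings come from the tables. Two further readings are assumed and commented in the code: "target.user.userid or target.user.email_addresses" is resolved by whether the ID looks like an e-mail address, and ActorIpAddress is accepted as `ip:port`, `[ipv6]:port` or a bare address.

```python
# Added example: a normalizer for Office 365 AzureActiveDirectory audit records that applies the
# "Delete device" and "Add member to role" tables. Not the Chronicle parser; output shape,
# helper names, dispatch tables and the sample record are constructed for illustration.
import json

OPERATIONS = {  # per-operation constants copied from the two tables (Operation minus its period)
    "add member to role": {"event_type": "USER_UNCATEGORIZED", "summary": {
        "Success": "Added a user to an admin role successfully",
        "Failure": "Added a user to an admin role failed"}},
    "delete device": {"event_type": "USER_RESOURCE_DELETION", "resource_type": "DEVICE"},
}
LABEL_FIELDS = {  # scalar record fields that become key/value labels on the entity each table names
    "AzureActiveDirectoryEventType": "target.resource.attribute.labels",
    "InterSystemsId": "target.resource.attribute.labels", "IntraSystemsId": "target.resource.attribute.labels",
    "ActorContextId": "principal.labels", "TargetContextId": "target.labels", "SupportTicketId": "about.labels",
}
MODIFIED_FIELDS = {  # ModifiedProperties names whose NewValue has a dedicated UDM field
    "Role.ObjectId": "target.resource.product_object_id", "Role.DisplayName": "target.user.attribute.roles.name",
    "DeviceOSType": "target.platform", "DeviceOSVersion": "target.platform_version",
    "DevicePhysicalIds": "security_result.description", "DisplayName": "target.resource.name",
    "Included Updated Properties": "security_result.summary",
}

def _label(udm, field, key, value):
    udm.setdefault(field, []).append({"key": key, "value": str(value)})

def split_ip_port(value):
    """ActorIpAddress is assumed to arrive as 'ip:port', '[ipv6]:port' or a bare address."""
    if value.startswith("["):  # bracketed IPv6, port optional
        host, _, port = value[1:].partition("]")
        return host, (int(port[1:]) if port.startswith(":") else None)
    host, sep, port = value.partition(":") if value.count(":") == 1 else (value, "", "")
    return host, (int(port) if sep else None)  # a bare IPv6 address has several colons: no port

def normalize(record):
    op = OPERATIONS.get(record.get("Operation", "").rstrip(".").lower())
    if op is None:
        raise ValueError(f"operation not covered by this example: {record.get('Operation')!r}")
    device_op = op.get("resource_type") == "DEVICE"
    udm = {"metadata.event_type": op["event_type"]}
    if device_op:
        udm["target.resource.resource_type"] = "DEVICE"
    status = record.get("ResultStatus")
    if status in ("Success", "Failure"):  # only these two values set an action
        udm["security_result.action"] = "ALLOW" if status == "Success" else "BLOCK"
    if status in op.get("summary", {}):  # the role table also copies ObjectId to target.url
        udm["security_result.summary"] = op["summary"][status]
        udm["target.url"] = record.get("ObjectId")
    for name, field in LABEL_FIELDS.items():
        if name in record:
            _label(udm, field, name, record[name])
    if "ActorIpAddress" in record:
        udm["principal.ip"], port = split_ip_port(record["ActorIpAddress"])
        if port is not None:
            udm["principal.port"] = port
    for actor in record.get("Actor", []):
        _label(udm, "security_result.detection_fields", f"Actor.{actor.get('Type')}", actor.get("ID"))
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value", "")
        if name == "additionalDetails":  # "extract User-Agent": the value is a JSON object string
            details = json.loads(value) if isinstance(value, str) and value.startswith("{") else {}
            if "User-Agent" in details:
                udm["network.http.user_agent"] = details["User-Agent"]
        elif name == "extendedAuditEventCategory":
            _label(udm, "target.resource.attribute.labels", name, value)
        elif name == "targetObjectId" and device_op:
            udm["target.resource.product_object_id"] = value
        else:
            _label(udm, "about.labels", name, value)
    for prop in record.get("ModifiedProperties", []):
        field = MODIFIED_FIELDS.get(prop.get("Name"))
        if field:
            udm[field] = prop.get("NewValue")
    for target in record.get("Target", []):
        ident, ttype = target.get("ID"), target.get("Type")
        if ttype == 5 and "@" in str(ident):  # "userid or email_addresses": chosen by the ID's shape
            udm.setdefault("target.user.email_addresses", []).append(ident)
        elif ttype == 5:
            udm["target.user.userid"] = ident
        elif ttype == 1 and device_op and "target.resource.name" not in udm:
            udm["target.resource.name"] = ident  # a DisplayName in ModifiedProperties takes precedence
        else:
            _label(udm, "security_result.detection_fields", f"Target.{ttype}", ident)
    return udm

SAMPLE_ROLE_ADD = {  # constructed record, no real tenant data
    "Operation": "Add member to role.", "ResultStatus": "Success", "ObjectId": "alice@example.com",
    "ActorIpAddress": "203.0.113.10:51844", "Actor": [{"ID": "admin@example.com", "Type": 5}],
    "ActorContextId": "00000000-0000-0000-0000-000000000001",
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": json.dumps({"User-Agent": "ExampleClient/1.0"})},
        {"Name": "extendedAuditEventCategory", "Value": "User"}],
    "ModifiedProperties": [
        {"Name": "Role.ObjectId", "NewValue": "22222222-2222-2222-2222-222222222222"},
        {"Name": "Role.DisplayName", "NewValue": "Global Administrator"}],
    "Target": [{"ID": "alice@example.com", "Type": 5}, {"ID": "User", "Type": 2}],
}

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_ROLE_ADD), indent=2))
```

Running the module prints the normalized record; a Failure status on the same record yields `security_result.action` BLOCK and the "failed" summary string, and any operation outside the two tables raises rather than producing a half-mapped event, which is the behaviour a practitioner wants when extending the dispatch table.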
Remove member from role
The following table lists the log fields and the corresponding UDM mappings for the "Remove member from role" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_UNCATEGORIZED. If ResultStatus is Success, Action is set to ALLOW and security_result.summary is "Removed a user to an admin role successfully"; if ResultStatus is Failure, Action is set to BLOCK and security_result.summary is "Removed a user to an admin role failed" |
| Version | metadata.product_version | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | |
| ModifiedProperties | target.resource.product_object_id, target.user.attribute.roles.name | If Name is Role.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Role.DisplayName, NewValue is mapped to target.user.attribute.roles.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemId | target.resource.attribute.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value | |
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | security_result.summary, target.resource.name | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Add label
The following table lists the log fields and the corresponding UDM mappings for the "Add label" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is set to target.resource.product_object_id |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value | |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value | If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
| ModifiedProperties | security_result.summary, target.resource.name | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value | |
| ActorContextId | principal.labels.key/value | |
| ActorIpAddress | principal.ip and principal.port | |
| InterSystemsId | target.resource.attribute.labels.key/value | |
| IntraSystemsId | target.resource.attribute.labels.key/value | |
| SupportTicketId | about.labels.key/value | |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses |
| TargetContextId | target.labels.key/value | |
| Version | metadata.product_version | |
Create company
The following table lists the log fields and the corresponding UDM mappings for the "Create company" operation and the "AzureActiveDirectory" workload:
| Log field | UDM mapping | Logic |
|---|---|---|
| | | metadata.event_type is mapped to USER_COMMUNICATION; ObjectId is set to target.resource.product_object_id |