Collect Microsoft 365 logs
This document describes how to collect Microsoft 365 logs by configuring a Chronicle feed, and how the log fields are mapped to Chronicle Unified Data Model (UDM) fields. It also lists the audited activities and the supported Microsoft 365 versions.
For an overview of data ingestion in Chronicle, see Data ingestion to Chronicle.
Overview
The following deployment architecture diagram shows how Microsoft 365 and the Chronicle feed are configured to send logs to Chronicle. Each customer deployment can differ from this representation and be more complex.
The architecture diagram shows the following components:
Microsoft 365. The Microsoft 365 service from which you collect logs.
Chronicle feed. The Chronicle feed that fetches logs from Microsoft 365 and writes them to Chronicle.
Chronicle. Chronicle retains and analyzes the Microsoft 365 logs.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the ingestion label OFFICE_365.
Before you begin
Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later, and make sure you have a Microsoft 365 Enterprise E5 subscription that includes the Microsoft Security & Compliance Center.
Grant the user the privileges and permissions required to generate and export the different events for all supported Microsoft products. For an example of the permissions required, see Permissions for accessing management APIs.
Configure Microsoft 365 to search and export logs. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. Log generation can take up to 24 hours. For more information, see Search the audit log.
Make sure all systems in the deployment architecture are configured to use the UTC time zone.
Review the activities and products supported by the Chronicle parser. The following table lists the activities and products the Chronicle parser supports:
Activities | Products |
---|---|
File and page activities | SharePoint Online and OneDrive for Business |
Folder activities | SharePoint Online and OneDrive for Business |
SharePoint list activities | SharePoint Online |
Sharing and access request activities | SharePoint Online and OneDrive for Business |
Synchronization activities | SharePoint Online and OneDrive for Business |
Site permission activities | SharePoint Online |
Site administration activities | SharePoint Online |
Exchange mailbox activities | Microsoft 365 group mailboxes |
User administration activities | Microsoft 365 admin center |
Azure AD group administration activities | Microsoft 365 admin center |
Application administration activities | Recorded when an administrator adds or changes an application registered in Azure AD |
Role administration activities | Microsoft 365 admin center |
Directory administration activities | Microsoft 365 admin center |
Power BI activities | Power BI |
Microsoft Teams activities | Microsoft Teams |
Microsoft Teams Shifts activities | Shifts app in Microsoft Teams |
Microsoft Teams Healthcare activities | Patients app in Microsoft Teams |
Yammer activities | Yammer |
Microsoft Power Automate activities | Power Automate (formerly Microsoft Flow) |
Microsoft Power Apps activities | Power Apps |
Microsoft Stream activities | Microsoft Stream |
Quarantine activities | Quarantined email messages in Office 365 |
Forms activities | Microsoft Forms |
Sensitivity label activities | Labeling activities in SharePoint Online and Teams |
Retention policy and retention label activities | Not applicable |
Briefing email activities | Briefing email |
MyAnalytics activities | MyAnalytics |
Information barrier activities | Not applicable |
Disposition review activities | Not applicable |
Communication compliance activities | Not applicable |
Undefined activity | Not applicable |
Configure a feed in Chronicle to ingest Microsoft 365 logs
- Go to Chronicle settings and click Feeds.
- Click Add New.
- Select Third party API as the Source type.
- Select Office 365 as the Log type.
- Click Next.
- Based on your Microsoft 365 configuration, specify the OAuth client ID, OAuth client secret, and tenant ID.
- Select the Content type for which you are creating this feed. Create a separate feed for each content type you need.
- Click Next, and then click Submit.
For more information about Chronicle feeds, see the feed documentation.
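Before pasting the three values into the feed form, it is worth confirming that they actually work against the Office 365 Management Activity API, which is the API the feed polls for each content type. The following pre-flight script is an added example, not Chronicle or Microsoft code: it obtains a token with the client-credentials grant, enables the subscription for one content type, and lists the content blobs available for the last 24 hours, using only the Python standard library. It assumes the app registration holds the application permission ActivityFeed.Read on "Office 365 Management APIs" with admin consent granted; the environment variable names and the injectable `transport` parameter are choices made for this example.

```python
"""Pre-flight check for the OAuth client ID, OAuth client secret and tenant ID
that the Office 365 feed asks for.

Added example, not Chronicle or Microsoft code. It calls the Office 365
Management Activity API (the API the feed polls) with the standard library
only. The transport is injectable so the logic can also run offline.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_BASE = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/"
# One Chronicle feed is created per content type; these are the valid values.
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All")
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def http_json(url, data=None, headers=None):
    """Default transport: GET, or POST when a body is given; returns parsed JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def get_token(tenant, client_id, client_secret, transport=http_json):
    """Client-credentials grant scoped to the Management Activity API."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    }).encode()
    reply = transport(TOKEN_URL.format(tenant=tenant), data=form,
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
    return reply["access_token"]


def subscription_url(tenant, action, **params):
    """Build .../activity/feed/subscriptions/<action>?<query>."""
    return (API_BASE.format(tenant=tenant) + "subscriptions/" + action
            + "?" + urllib.parse.urlencode(params))


def content_window(now=None, hours=24):
    """startTime/endTime strings; the API rejects windows longer than 24 hours."""
    hours = min(hours, 24)
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    return start.strftime(TIME_FMT), end.strftime(TIME_FMT)


def preflight(tenant, client_id, client_secret, content_type, transport=http_json):
    """Return the subscription status and the blob URIs the feed would fetch."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type!r}")
    token = get_token(tenant, client_id, client_secret, transport)
    auth = {"Authorization": f"Bearer {token}"}
    # Starting an already enabled subscription is harmless; it reports 'enabled'.
    sub = transport(subscription_url(tenant, "start", contentType=content_type),
                    data=b"", headers=auth)
    start, end = content_window()
    blobs = transport(subscription_url(tenant, "content", contentType=content_type,
                                       startTime=start, endTime=end), headers=auth)
    return {
        "status": sub.get("status"),
        "blob_count": len(blobs),
        "content_uris": [b["contentUri"] for b in blobs],
    }


if __name__ == "__main__":
    import os
    import sys
    # Assumed variable names for this example; pick whatever your secret store uses.
    result = preflight(os.environ["M365_TENANT_ID"], os.environ["M365_CLIENT_ID"],
                       os.environ["M365_CLIENT_SECRET"],
                       sys.argv[1] if len(sys.argv) > 1 else "Audit.SharePoint")
    print(json.dumps(result, indent=2))
```

A `blob_count` of zero right after enabling a subscription is normal: content for a newly enabled content type appears with a delay, and the audit log itself can take up to 24 hours to populate. A failure in `get_token` points at the client ID, secret or tenant ID; a 401 or 403 on the `subscriptions/start` call points at missing ActivityFeed.Read permission or missing admin consent.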
Field mapping reference
This section explains how the Chronicle parser maps Microsoft 365 log fields to Chronicle Unified Data Model (UDM) fields for the supported operations and workloads.
Common fields
The following table lists the common log fields and the corresponding UDM fields.
Common log field | UDM field |
---|---|
Id | metadata.product_log_id |
RecordType | security_result.detection_fields.key/value (key is set to "{RecordType} - RecordTypeNameFromDoc"; value is set to RecordTypeDescriptionFromDoc) |
CreationTime | metadata.event_timestamp |
Operation | metadata.product_event_type |
OrganizationId | principal.resource.product_object_id |
UserType | principal.user.attribute.roles.name |
UserId | principal.user.email_addresses or principal.user.userid; target.user.email_addresses or target.user.userid. If Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, or Add delegated permission grant, UserId is mapped to target.user; otherwise it is mapped to principal.user. If the UserId value is an email address, it is mapped to email_addresses; otherwise it is mapped to userid. |
ClientIP | principal.ip and principal.port |
Workload | target.application |
AppAccessContext | AADSessionId is mapped to network.session.id; CorrelationId is mapped to security_result.detection_fields.key/value |
For reference information about UDM mappings for the supported operations, see the following sections:
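The rules in the common-fields table decide which UDM field a search or detection rule must target: the same UserId lands on target.user for sign-in and consent-grant operations but on principal.user everywhere else, and it becomes email_addresses or userid depending on its shape. The script below is an added example, not the Chronicle OFFICE_365 parser; it re-implements those common-field rules plus the metadata.event_type and ObjectId placement given in the per-operation SharePoint/OneDrive tables that follow, runs them over constructed sample records, and counts deletions per user as a minimal detection. The sample records, the `FILE_OPERATIONS` table name and the flat dotted-key output format are choices made for this example.

```python
"""Re-implementation of the common-field rules from this reference, run over
constructed Microsoft 365 audit records.

Added example; this is not the Chronicle OFFICE_365 parser. It shows, for a
raw field, which UDM field to query: UserId routing (principal vs target),
email vs userid, ClientIP split into ip and port, AppAccessContext, and
metadata.event_type for the SharePoint/OneDrive operations documented in the
per-operation tables. The sample records are constructed, not tenant data.
"""
import ipaddress

# Operations whose UserId is mapped to target.user instead of principal.user.
TARGET_USER_OPERATIONS = {
    "UserLoggedIn", "UserLoginFailed",
    "Add OAuth2PermissionGrant", "Add delegated permission grant",
}

# Operation -> (metadata.event_type, side that receives ObjectId as .url),
# as listed in the per-operation tables; None means ObjectId is not mapped.
FILE_OPERATIONS = {
    "FileAccessed": ("USER_RESOURCE_ACCESS", "target"),
    "FileAccessedExtended": ("USER_RESOURCE_ACCESS", "target"),
    "FilePreviewed": ("USER_RESOURCE_ACCESS", "target"),
    "FileCheckedOut": ("USER_RESOURCE_ACCESS", "target"),
    "FileCheckedIn": ("USER_RESOURCE_UPDATE_CONTENT", "target"),
    "FileDownloaded": ("USER_RESOURCE_UPDATE_CONTENT", "src"),
    "FileDeleted": ("FILE_DELETION", "target"),
    "FileVersionsAllDeleted": ("FILE_DELETION", "target"),
    "FileDeletedFirstStageRecycleBin": ("FILE_DELETION", "target"),
    "FileDeletedSecondStageRecycleBin": ("FILE_DELETION", "target"),
    "FileModified": ("FILE_MODIFICATION", "target"),
    "FileModifiedExtended": ("FILE_MODIFICATION", "target"),
    "FileCopied": ("FILE_COPY", None),
    "FileMoved": ("FILE_MOVE", "src"),
    "FileRenamed": ("FILE_MOVE", "src"),
    "FileUploaded": ("FILE_SYNC", "target"),
    "ComplianceSettingChanged": ("SETTING_MODIFICATION", "target"),
    "LockRecord": ("USER_CHANGE_PERMISSIONS", "target"),
    "UnlockRecord": ("USER_CHANGE_PERMISSIONS", "target"),
    "RecordDelete": ("RESOURCE_DELETION", "target"),
}

SAMPLE_RECORDS = [  # constructed records in the shape of the Office 365 audit schema
    {"Id": "r1", "CreationTime": "2024-01-15T10:01:02", "Operation": "FileDownloaded",
     "OrganizationId": "org-1", "UserType": 0, "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7", "Workload": "OneDrive",
     "ObjectId": "https://example-my.sharepoint.com/personal/alice/Documents/q1.xlsx",
     "AppAccessContext": {"AADSessionId": "sess-1", "CorrelationId": "corr-1"}},
    {"Id": "r2", "CreationTime": "2024-01-15T10:05:00", "Operation": "UserLoggedIn",
     "OrganizationId": "org-1", "UserId": "alice@example.com",
     "ClientIP": "[2001:db8::1]:443", "Workload": "AzureActiveDirectory"},
    {"Id": "r3", "CreationTime": "2024-01-15T10:06:00", "Operation": "FileDeleted",
     "OrganizationId": "org-1", "UserId": "S-1-5-21-1-2-3-1001",
     "ClientIP": "198.51.100.9:55123", "Workload": "SharePoint",
     "ObjectId": "https://example.sharepoint.com/sites/finance/Shared Documents/budget.docx"},
]


def split_client_ip(value):
    """ClientIP -> (ip, port): handles '1.2.3.4', '1.2.3.4:443' and '[2001:db8::1]:443'."""
    if not value:
        return None, None
    host, port = value, None
    if value.startswith("["):                # bracketed IPv6 with port
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else None
    elif value.count(":") == 1:              # IPv4 with port
        host, _, text = value.partition(":")
        port = int(text)
    ipaddress.ip_address(host)               # raises ValueError on garbage
    return host, port


def normalise(record):
    """Flat dict of UDM field paths for one raw audit record."""
    op = record.get("Operation", "")
    udm = {
        "metadata.product_log_id": record.get("Id"),
        "metadata.event_timestamp": record.get("CreationTime"),
        "metadata.product_event_type": op,
        "principal.resource.product_object_id": record.get("OrganizationId"),
        "principal.user.attribute.roles.name": record.get("UserType"),
        "target.application": record.get("Workload"),
    }
    user = record.get("UserId")
    if user:  # sign-in and consent-grant operations describe the target user
        side = "target" if op in TARGET_USER_OPERATIONS else "principal"
        udm[f"{side}.user.{'email_addresses' if '@' in user else 'userid'}"] = user
    udm["principal.ip"], udm["principal.port"] = split_client_ip(record.get("ClientIP"))
    ctx = record.get("AppAccessContext") or {}
    udm["network.session.id"] = ctx.get("AADSessionId")
    udm["security_result.detection_fields.CorrelationId"] = ctx.get("CorrelationId")
    if op in FILE_OPERATIONS:
        udm["metadata.event_type"], url_side = FILE_OPERATIONS[op]
        if url_side and record.get("ObjectId"):
            udm[f"{url_side}.url"] = record["ObjectId"]
    return {k: v for k, v in udm.items() if v is not None}


def count_by(udm_events, event_type, field):
    """Count events of one metadata.event_type by a UDM field, e.g. deletions per user."""
    counts = {}
    for ev in udm_events:
        if ev.get("metadata.event_type") == event_type and field in ev:
            counts[ev[field]] = counts.get(ev[field], 0) + 1
    return counts
```

Two points the tables state but that are easy to miss in practice: a FileDownloaded event places the file on the src side (src.url, src.file.full_path), so a rule written against target.file.full_path will never match downloads; and an Azure AD sign-in for alice@example.com is found under target.user.email_addresses, not principal.user, so a user pivot across workloads has to query both sides.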
FileAccessed
The following table lists the log fields and corresponding UDM mappings for the "FileAccessed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileAccessedExtended
The following table lists the log fields and corresponding UDM mappings for the "FileAccessedExtended" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeleted
The following table lists the log fields and corresponding UDM mappings for the "FileDeleted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCopied
The following table lists the log fields and corresponding UDM mappings for the "FileCopied" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_COPY; target.resource.resource_type is set to STORAGE_OBJECT |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path and target.file.full_path (SourceFileUrl extracted from EventData is mapped to src.file.full_path; TargetFileUrl is mapped to target.file.full_path) |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileModified
The following table lists the log fields and corresponding UDM mappings for the "FileModified" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_MODIFICATION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileDownloaded
The following table lists the log fields and corresponding UDM mappings for the "FileDownloaded" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
UserSessionId | network.http.session_id |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ZipFileName | principal.resource.parent |
FileModifiedExtended
The following table lists the log fields and corresponding UDM mappings for the "FileModifiedExtended" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_MODIFICATION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileMoved
The following table lists the log fields and corresponding UDM mappings for the "FileMoved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FilePreviewed
The following table lists the log fields and corresponding UDM mappings for the "FilePreviewed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRenamed
The following table lists the log fields and corresponding UDM mappings for the "FileRenamed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileUploaded
The following table lists the log fields and corresponding UDM mappings for the "FileUploaded" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_SYNC; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ImplicitShare | target.resource.attribute.labels.key/value |
FileVersionsAllDeleted
The following table lists the log fields and corresponding UDM mappings for the "FileVersionsAllDeleted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
FileCheckedIn
The following table lists the log fields and corresponding UDM mappings for the "FileCheckedIn" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | workload map with intermediary.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckedOut
The following table lists the log fields and corresponding UDM mappings for the "FileCheckedOut" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ComplianceSettingChanged
The following table lists the log fields and corresponding UDM mappings for the "ComplianceSettingChanged" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SharingType | target.labels.key/value |
LockRecord
The following table lists the log fields and corresponding UDM mappings for the "LockRecord" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnlockRecord
The following table lists the log fields and corresponding UDM mappings for the "UnlockRecord" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedFirstStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the "FileDeletedFirstStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedSecondStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the "FileDeletedSecondStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
Operation | metadata.event_type is set to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
RecordDelete
The following table lists the log fields and the corresponding UDM mappings for the "RecordDelete" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and the corresponding UDM mappings for the "DocumentSensitivityMismatchDetected" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and the corresponding UDM mappings for the "DocumentSensitivityMismatchDetected" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckOutDiscarded
The following table lists the log fields and the corresponding UDM mappings for the "FileCheckOutDiscarded" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllMinorsRecycled
The following table lists the log fields and the corresponding UDM mappings for the "FileVersionsAllMinorsRecycled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllRecycled
The following table lists the log fields and the corresponding UDM mappings for the "FileVersionsAllRecycled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionRecycled
The following table lists the log fields and the corresponding UDM mappings for the "FileVersionRecycled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRestored
The following table lists the log fields and the corresponding UDM mappings for the "FileRestored" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileMalwareDetected
The following table lists the log fields and the corresponding UDM mappings for the "FileMalwareDetected" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
VirusInfo | security_result.threat_name |
VirusVendor | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SearchQueryPerformed
The following table lists the log fields and the corresponding UDM mappings for the "SearchQueryPerformed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventData | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PageViewed
The following table lists the log fields and the corresponding UDM mappings for the "PageViewed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PagePrefetched
The following table lists the log fields and the corresponding UDM mappings for the "PagePrefetched" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ClientViewSignaled
The following table lists the log fields and the corresponding UDM mappings for the "ClientViewSignaled" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT. NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
PageViewedExtended
The following table lists the log fields and the corresponding UDM mappings for the "PageViewedExtended" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FolderCreated
The following table lists the log fields and the corresponding UDM mappings for the "FolderCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeleted
The following table lists the log fields and the corresponding UDM mappings for the "FolderDeleted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderMoved
The following table lists the log fields and the corresponding UDM mappings for the "FolderMoved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}. The SourceRelativeUrl field is not present in the log. |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. The DestinationRelativeUrl field is not present in the log. |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. The DestinationFileName field is not present in the log. |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path, target.file.full_path. SourceFileUrl is extracted from EventData with grok and mapped to src.file.full_path; TargetFileUrl is extracted from EventData and mapped to target.file.full_path. Grok pattern: {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl} |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
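As an added example (not code from the Chronicle documentation or its OFFICE_365 parser), the following Python normalizes a constructed "FolderMoved" audit record into the flattened UDM field names listed in the table above: it composes {RelativeUrl}/{FileName} when both halves are present and otherwise falls back to the SourceFileUrl and TargetFileUrl elements inside EventData, which is the case the table flags for this operation. The record shape, the regex used in place of grok, and all helper names are assumptions.

```python
import re
from typing import Any, Dict, Optional, Tuple

# Constructed sample record (not from a real tenant), shaped like an Office 365
# Management Activity API audit record for a SharePoint FolderMoved operation.
# Note that SourceRelativeUrl/DestinationRelativeUrl are absent, as the table notes.
SAMPLE_RECORD: Dict[str, Any] = {
    "CreationTime": "2024-01-15T10:22:31",
    "Operation": "FolderMoved",
    "Workload": "SharePoint",
    "UserId": "analyst@example.com",
    "ObjectId": "https://example.sharepoint.com/sites/Finance/Shared Documents/Archive/Reports",
    "EventSource": "SharePoint",
    "UserAgent": "Mozilla/5.0 (constructed)",
    "SiteUrl": "https://example.sharepoint.com/sites/Finance/",
    "Site": "00000000-0000-0000-0000-000000000001",
    "SourceFileName": "Reports",
    "DestinationFileName": "Reports",
    "ListId": "00000000-0000-0000-0000-000000000002",
    "ListItemUniqueId": "00000000-0000-0000-0000-000000000003",
    "CorrelationId": "constructed-correlation-id",
    "Version": 1,
    "EventData": (
        "<SourceFileUrl>https://example.sharepoint.com/sites/Finance/Shared Documents/Reports</SourceFileUrl>"
        "<TargetFileUrl>https://example.sharepoint.com/sites/Finance/Shared Documents/Archive/Reports</TargetFileUrl>"
    ),
}

# Regex stand-in for the grok extraction the table describes (assumed element names).
_SOURCE_URL_RE = re.compile(r"<SourceFileUrl>(.*?)</SourceFileUrl>", re.DOTALL)
_TARGET_URL_RE = re.compile(r"<TargetFileUrl>(.*?)</TargetFileUrl>", re.DOTALL)


def extract_event_data_urls(event_data: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (SourceFileUrl, TargetFileUrl) from the EventData fragment.

    A missing or malformed fragment yields None for the absent element instead
    of raising, so one odd record cannot stall a normalization pipeline.
    """
    if not event_data:
        return None, None
    src = _SOURCE_URL_RE.search(event_data)
    dst = _TARGET_URL_RE.search(event_data)
    return (src.group(1) if src else None, dst.group(1) if dst else None)


def compose_full_path(relative_url: Optional[str], file_name: Optional[str],
                      fallback: Optional[str]) -> Optional[str]:
    """Build {RelativeUrl}/{FileName}; if either half is missing, prefer the URL
    extracted from EventData, then whichever single value the record carries."""
    if relative_url and file_name:
        return f"{relative_url.rstrip('/')}/{file_name}"
    return fallback or relative_url or file_name


def normalize_folder_moved(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map one FolderMoved record to the UDM fields from the table (flattened keys)."""
    if record.get("Operation") != "FolderMoved":
        raise ValueError(f"expected FolderMoved, got {record.get('Operation')!r}")
    ev_src, ev_dst = extract_event_data_urls(record.get("EventData"))
    udm: Dict[str, Any] = {
        "metadata.event_type": "FILE_MOVE",
        "target.resource.resource_type": "STORAGE_OBJECT",
        "metadata.product_version": str(record["Version"]) if "Version" in record else None,
        "principal.application": record.get("EventSource"),
        "principal.asset_id": record.get("ListItemUniqueId"),
        "network.http.user_agent": record.get("UserAgent"),
        "network.http.referral_url": record.get("SiteUrl"),
        "target.asset.product_object_id": record.get("MachineId"),
        "src.file.mime_type": record.get("SourceFileExtension"),
        "target.file.mime_type": record.get("DestinationFileExtension"),
        "src.file.full_path": compose_full_path(
            record.get("SourceRelativeUrl"), record.get("SourceFileName"), ev_src),
        "target.file.full_path": compose_full_path(
            record.get("DestinationRelativeUrl"), record.get("DestinationFileName"), ev_dst),
        # Key/value label buckets named in the table.
        "target.labels": {k: record[k] for k in ("Site", "SharingType") if k in record},
        "about.labels": {k: record[k] for k in ("WebId",) if k in record},
        "security_result.detection_fields": {
            k: record[k]
            for k in ("ListId", "CorrelationId", "SensitivityLabelId", "SensitivityLabelOwnerEmail")
            if k in record
        },
    }
    # Drop unset fields so the output carries only what the record supplied.
    return {k: v for k, v in udm.items() if v not in (None, "", {})}


if __name__ == "__main__":
    for key, value in normalize_folder_moved(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```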
FolderRenamed
The following table lists the log fields and the corresponding UDM mappings for the "FolderRenamed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MOVE |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderModified
The following table lists the log fields and the corresponding UDM mappings for the "FolderModified" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderCopied
The following table lists the log fields and the corresponding UDM mappings for the "FolderCopied" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_COPY; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path |
SourceRelativeUrl | src.file.full_path |
DestinationRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderRestored
The following table lists the log fields and the corresponding UDM mappings for the "FolderRestored" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedFirstStageRecycleBin
The following table lists the log fields and the corresponding UDM mappings for the "FolderDeletedFirstStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedSecondStageRecycleBin
The following table lists the log fields and the corresponding UDM mappings for the "FolderDeletedSecondStageRecycleBin" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedFull
The following table lists the log fields and the corresponding UDM mappings for the "FileSyncDownloadedFull" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedPartial
The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedPartial" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedFull
The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedFull" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedPartial
The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedPartial" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ManagedSyncClientAllowed
The following table lists the log fields and corresponding UDM mappings for the operation "ManagedSyncClientAllowed" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_WRITTEN |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnmanagedSyncClientBlock
The following table lists the log fields and corresponding UDM mappings for the operation "UnmanagedSyncClientBlock" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
AddedToGroup
The following table lists the log fields and corresponding UDM mappings for the operation "AddedToGroup" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
EventData | target.group.group_display_name |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupAdded
The following table lists the log fields and corresponding UDM mappings for the operation "GroupAdded" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to GROUP_CREATION; ObjectId is mapped to target.url |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
ModifiedProperties | If the modified property's Name is "Name", its NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "GroupRemoved" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to GROUP_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ModifiedProperties | If the modified property's Name is "Name", its NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebRequestAccessModified
The following table lists the log fields and corresponding UDM mappings for the operation "WebRequestAccessModified" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | If the modified property's Name is "RequestAccessEmail", its NewValue is mapped to target.user.email_addresses or target.user.userid; otherwise it is mapped to target.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebMembersCanShareModified
The following table lists the log fields and corresponding UDM mappings for the operation "WebMembersCanShareModified" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
version | metadata.product_version |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelModified
The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelModified" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | BasePermissions is mapped to target.resource.attribute.permissions.name |
version | metadata.product_version |
WebID | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminAdded
The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminAdded" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If the modified property's Name is "SiteAdmin", its NewValue is mapped to target.user.userid or target.user.email_addresses |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminRemoved" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If the modified property's Name is "SiteAdmin", its NewValue is mapped to target.user.userid or target.user.email_addresses |
AssertingApplicationId | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelRemoved" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
RemovedFromGroup
The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromGroup" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.group.group_display_name |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "GroupUpdated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | If the modified property's Name is "Name", its NewValue is mapped to target.group.group_display_name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
ProjectCheckedOut
The following table lists the log fields and corresponding UDM mappings for the operation "ProjectCheckedOut" and the workload "Project":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to STATUS_UPDATE |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
ProjectAccessed
The following table lists the log fields and corresponding UDM mappings for the operation "ProjectAccessed" and the workload "Project":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
SharingInheritanceBroken
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInheritanceBroken" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
AddedToSecureLink
The following table lists the log fields and corresponding UDM mappings for the operation "AddedToSecureLink" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
CorrelationId | security_result.detection_fields.key/value |
EventData | Type and MembersCanShareApplied are extracted with grok from the tags `<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>` in EventData; Type is mapped to target.resource.attribute.labels.key/value and MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
UniqueSharingId | target.labels.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
CompanyLinkCreated
The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkCreated" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_CREATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
ApplicationDisplayName | target.application |
CompanyLinkUsed
The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkUsed" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SecureLinkCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkCreated" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
SharingInvitationCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationCreated" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS; ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value; within EventData, Sharing level is mapped to target.resource.attribute.labels.key/value, ExpirationDate is mapped to target.resource.attribute.labels.key/value, and MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkDeleted" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_DELETION; ObjectId is mapped to target.url |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharePointGroup, mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, mapped to target.user.userid or target.user.email_addresses |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | Type is extracted with grok from the tag `<Type>{type_value}</Type>` in EventData and mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
RemovedFromSecureLink
The following table lists the log fields and corresponding UDM mappings for the "RemovedFromSecureLink" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
ObjectId | target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value: Type and MembersCanShareApplied are extracted from EventData with the grok pattern <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>, and each is mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
SharingInvitationRevoked
The following table lists the log fields and corresponding UDM mappings for the "SharingInvitationRevoked" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
ObjectId | target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkUpdated
The following table lists the log fields and corresponding UDM mappings for the "SecureLinkUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value: Type and MembersCanShareApplied are extracted from EventData with the grok pattern <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>, and each is mapped to target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkUsed
The following table lists the log fields and corresponding UDM mappings for the "SecureLinkUsed" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SharingRevoked
The following table lists the log fields and corresponding UDM mappings for the "SharingRevoked" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
 | target.resource.resource_type is set to STORAGE_OBJECT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SharingSet
The following table lists the log fields and corresponding UDM mappings for the "SharingSet" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_SYNC |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
PermissionLevelAdded
The following table lists the log fields and corresponding UDM mappings for the "PermissionLevelAdded" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name: BasePermissions is mapped to target.resource.attribute.permissions.name |
SharingInvitationAccepted
The following table lists the log fields and corresponding UDM mappings for the "SharingInvitationAccepted" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.name: the "Added to Group" value is mapped to target.resource.name |
SharingInvitationBlocked
The following table lists the log fields and corresponding UDM mappings for the "SharingInvitationBlocked" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_UNCATEGORIZED |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
EventData | security_result.summary: Reason is mapped to security_result.summary |
AccessRequestCreated
The following table lists the log fields and corresponding UDM mappings for the "AccessRequestCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
EventData | target.resource.attribute.labels.key/value: Sharing level and ExpirationDate are each mapped to target.resource.attribute.labels.key/value |
AnonymousLinkCreated
The following table lists the log fields and corresponding UDM mappings for the "AnonymousLinkCreated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_CREATION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value: Type and MembersCanShareApplied are extracted from EventData with the grok pattern <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>, and each is mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
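The following Python is an added example, not code from the Chronicle parser or from this page. It reproduces the mapping logic that recurs in every SharePoint/OneDrive table in this section: the TargetUserOrGroupType branch that decides whether TargetUserOrGroupName lands in target.group or target.user, the grok extraction of Type and MembersCanShareApplied from EventData, and the "SourceRelativeUrl or SourceFileName" rule for target.file.full_path. It then runs a small triage check over the normalized output so you can see how the mapped fields are consumed. The sample records are constructed; the choice between userid and email_addresses by the presence of "@", and preferring SourceRelativeUrl over SourceFileName, are assumptions of this example, not documented parser behaviour.

```python
import re

# Constructed sample records (not real tenant data), shaped like Office 365
# Management Activity API events for the SharePoint/OneDrive workload. Only the
# fields the mapping tables refer to are included.
SAMPLE_EVENTS = [
    {
        "Operation": "AnonymousLinkCreated",
        "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3-forecast.xlsx",
        "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
        "SourceRelativeUrl": "Shared Documents",
        "SourceFileName": "q3-forecast.xlsx",
        "SourceFileExtension": "xlsx",
        "TargetUserOrGroupName": "Finance Owners",
        "TargetUserOrGroupType": "SharepointGroup",
        "EventData": "<Type>View</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
    },
    {
        "Operation": "RemovedFromSecureLink",
        "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3-forecast.xlsx",
        "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
        "SourceFileName": "q3-forecast.xlsx",
        "TargetUserOrGroupName": "auditor@fabrikam.example",
        "TargetUserOrGroupType": "Guest",
        "EventData": "<Type>Edit</Type>",
    },
]

# metadata.event_type per operation, as given in the tables above.
EVENT_TYPE_BY_OPERATION = {
    "SecureLinkDeleted": "USER_RESOURCE_DELETION",
    "RemovedFromSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
    "SharingInvitationRevoked": "RESOURCE_PERMISSIONS_CHANGE",
    "SecureLinkUpdated": "USER_RESOURCE_UPDATE_CONTENT",
    "SecureLinkUsed": "USER_RESOURCE_ACCESS",
    "AnonymousLinkCreated": "USER_RESOURCE_CREATION",
    "CompanyLinkRemoved": "USER_RESOURCE_DELETION",
}

GROUP_TYPES = {"SecurityGroup", "SharepointGroup"}
USER_TYPES = {"Guest", "Member"}

# Regex equivalent of the two grok patterns in the tables. The second tag is
# optional because some operations (SecureLinkDeleted, CompanyLinkRemoved) carry only <Type>.
EVENT_DATA_RE = re.compile(
    r"<Type>(?P<Type>[^<]*)</Type>"
    r"(?:<MembersCanShareApplied>(?P<MembersCanShareApplied>[^<]*)</MembersCanShareApplied>)?"
)


def extract_event_data(event_data):
    """Return the {tag: value} pairs that become target.resource.attribute.labels."""
    match = EVENT_DATA_RE.search(event_data or "")
    if not match:
        return {}
    return {k: v for k, v in match.groupdict().items() if v is not None}


def map_target(name, kind):
    """TargetUserOrGroupName branch: groups go to target.group, people to target.user."""
    if not name:
        return {}
    if kind in GROUP_TYPES:
        return {"target.group.group_display_name": name}
    if kind in USER_TYPES:
        # Assumption: the tables say "userid or email_addresses"; this example decides by shape.
        key = "target.user.email_addresses" if "@" in name else "target.user.userid"
        return {key: name}
    return {}  # unknown TargetUserOrGroupType: neither table branch applies


def normalize_sharing_event(event):
    """Produce the UDM fields the tables document for one SharePoint/OneDrive record."""
    udm = {
        "metadata.event_type": EVENT_TYPE_BY_OPERATION[event["Operation"]],
        "target.url": event.get("ObjectId"),
        "network.http.referral_url": event.get("SiteUrl"),
        "target.file.mime_type": event.get("SourceFileExtension"),
    }
    # Both SourceFileName and SourceRelativeUrl rows read "full_path is set to
    # SourceRelativeUrl or SourceFileName"; assumption: the relative URL wins when present.
    udm["target.file.full_path"] = event.get("SourceRelativeUrl") or event.get("SourceFileName")
    udm.update(map_target(event.get("TargetUserOrGroupName"), event.get("TargetUserOrGroupType")))
    for tag, value in extract_event_data(event.get("EventData")).items():
        udm[f"target.resource.attribute.labels.{tag}"] = value
    return {k: v for k, v in udm.items() if v is not None}


def external_activity(events):
    """Triage slice: events that involve an anonymous link or a guest (external) user."""
    hits = []
    for raw in events:
        udm = normalize_sharing_event(raw)
        if raw["Operation"] == "AnonymousLinkCreated":
            hits.append((raw["Operation"], f"anonymous {udm.get('target.resource.attribute.labels.Type')} link"))
        elif "target.user.email_addresses" in udm and raw.get("TargetUserOrGroupType") == "Guest":
            hits.append((raw["Operation"], udm["target.user.email_addresses"]))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(normalize_sharing_event(ev))
    print(external_activity(SAMPLE_EVENTS))
```

Feeding a real record through normalize_sharing_event and comparing the result with what Chronicle shows in the UDM view is a quick way to confirm that a rule written against target.group.group_display_name will not silently miss guest users, who land in target.user instead.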
AccessRequestUpdated
The following table lists the log fields and corresponding UDM mappings for the "AccessRequestUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to STATUS_UPDATE |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
ModifiedProperties | target.labels.key/value |
CompanyLinkRemoved
The following table lists the log fields and corresponding UDM mappings for the "CompanyLinkRemoved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_DELETION |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value: Type is extracted from EventData with the grok pattern <Type>{type_value}</Type> and mapped to target.resource.attribute.labels.key/value |
AccessRequestApproved
The following table lists the log fields and corresponding UDM mappings for the "AccessRequestApproved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
EventData | target.resource.name: the group name is extracted from EventData with the grok pattern <Added to group>{target_resource_name}.* and mapped to target.resource.name |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
AnonymousLinkRemoved
The following table lists the log fields and corresponding UDM mappings for the "AnonymousLinkRemoved" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_DELETION |
ObjectId | target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value: Type is extracted from EventData with the grok pattern <Type>{type_value}</Type> and mapped to target.resource.attribute.labels.key/value |
SourceFileExtension | target.file.mime_type |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
ApplicationDisplayName | target.application |
MachineId | target.asset.product_object_id |
AnonymousLinkUpdated
The following table lists the log fields and corresponding UDM mappings for the "AnonymousLinkUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to STATUS_UPDATE |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value: Type and MembersCanShareApplied are extracted from EventData with the grok pattern <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>, and each is mapped to target.resource.attribute.labels.key/value |
SharingInvitationUpdated
The following table lists the log fields and corresponding UDM mappings for the "SharingInvitationUpdated" operation and the "SharePoint/OneDrive" workload:
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ModifiedProperties | target.labels.key/value |
event_type is mapped to USER_RESOURCE_ACCESS | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
Link anônimo usado
A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UnknownLinkUsed" e a carga de trabalho "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_CREATION
ResultStatus is Success Action is set to ALLOW security_result.summary is set to Group creation successful ResultStatus is Failure Action is set to BLOCK security_result.summary is set to Group creation failed |
|
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add group
The following table lists the log fields and the corresponding UDM mappings for the "Add group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to "Group membership updated successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is set to "Group membership update failed" |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.group.product.object_id, target.group.group_display_name. Group.ObjectId is mapped to target.group.product.object_id; Group.DisplayName is mapped to target.group.group_display_name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add member to group
The following table lists the log fields and the corresponding UDM mappings for the "Add member to group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CREATION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add user
The following table lists the log fields and the corresponding UDM mappings for the "Add user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Change user license
The following table lists the log fields and the corresponding UDM mappings for the "Change user license" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Change user password
The following table lists the log fields and the corresponding UDM mappings for the "Change user password" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to "Group deletion successful"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is set to "Group deletion failed" |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete group
The following table lists the log fields and the corresponding UDM mappings for the "Delete group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to "Group membership updated successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is set to "Group membership update failed" |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.group.product.object_id, target.group.group_display_name. Group.ObjectId is mapped to target.group.product.object_id; Group.DisplayName is mapped to target.group.group_display_name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Remove member from group
The following table lists the log fields and the corresponding UDM mappings for the "Remove member from group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_DELETION | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to "User deleted successfully" |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete user
The following table lists the log fields and the corresponding UDM mappings for the "Delete user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to "User updated successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is set to "User update failed" |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update user
The following table lists the log fields and the corresponding UDM mappings for the "Update user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | If ObjectId is not empty and is not "Not Available", ObjectId is mapped to target.group.product_object_id |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update group
The following table lists the log fields and the corresponding UDM mappings for the "Update group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN | If ResultStatus is Succeeded or Success, security_result.action is set to ALLOW and security_result.summary is set to "User login successful"; otherwise, if ResultStatus is Failed or LogonError is not empty, security_result.action is set to BLOCK, security_result.summary is set to "User login failed" and security_result.description is set to {LogonError}. UserId is mapped to target.user.userid or target.user.email_addresses. metadata.description is set to "User Login - {Workload}" |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, extensions.auth.type, extensions.auth.mechanism |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id, principal.platform, principal.hostname. If Name is OS: if Value matches Windows, principal.platform is set to WINDOWS; if Value matches Mac, principal.platform is set to MAC; if Value matches Linux, principal.platform is set to LINUX. If Name is SessionId, Value is mapped to network.session_id; if Name is OS, Value is mapped to principal.platform; if Name is DisplayName, Value is mapped to principal.hostname |
ErrorCode | security_result.description. security_result.description is set to "ErrorCode - {ErrorCode}" |
LogonError | security_result.description |
User logged in
The following table lists the log fields and the corresponding UDM mappings for the "UserRegisterIn" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN | security_result.action is set to BLOCK and security_result.summary is set to "User login failed" |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, extensions.auth.type, extensions.auth.mechanism. If Name is RequestType and Value matches Saml.* or OAuth2.*, extensions.auth.type is set to MACHINE; if Name is RequestType and Value matches Login.*, extensions.auth.type is set to REMOTE_INTERACTIVE; if Name is UserAgent, Value is mapped to network.http.user_agent; if Name is UserAuthenticationMethod, extensions.auth.type is set based on Value; if Name is requestType, extensions.auth.type is set based on Value |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id, principal.platform, principal.hostname. If Name is OS: if Value matches Windows, principal.platform is set to WINDOWS; if Value matches Mac, principal.platform is set to MAC; if Value matches Linux, principal.platform is set to LINUX. If Name is SessionId, Value is mapped to network.session_id; if Name is OS, Value is mapped to principal.platform; if Name is DisplayName, Value is mapped to principal.hostname |
ErrorCode | security_result.description. security_result.description is set to "ErrorCode - {ErrorCode}" |
LogonError | security_result.description. If LogonError is UserAccountNotFound, extensions.auth.mechanism is set to USERNAME_PASSWORD |
User login failed
The following table lists the log fields and the corresponding UDM mappings for the "UserLoginFailed" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update StsRefreshTokenValidFrom
The following table lists the log fields and the corresponding UDM mappings for the "Update StsRefreshTokenValidFrom Timestamp" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | target.resource.resource_type is set to DEVICE. If ResultStatus is Success, security_result.action is set to ALLOW; if ResultStatus is Failure, security_result.action is set to BLOCK |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in the ModifiedProperties field, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped when Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, NewValue is mapped to security_result.description; if Name is DisplayName, NewValue is mapped to target.resource.name; if Name is Included Updated Properties, NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update device
The following table lists the log fields and the corresponding UDM mappings for the "Update device" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION | target.resource.resource_type is set to SETTING. Required field for SETTING_MODIFICATION UDM validation: principal.machineid (IP, hostname, asset ID, MAC address, and so on). According to the official Office 365 documentation, ClientIP is a mandatory field for all Office 365 activities, but in some cases the ClientIP field is absent. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Set federation settings on domain
The following table lists the log fields and the corresponding UDM mappings for the "Set federation settings on domain" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED | Required field for STATUS_UNCATEGORIZED UDM validation: principal.machineid (IP, hostname, asset ID, MAC address, and so on). According to the official Office 365 documentation, ClientIP is a mandatory field for all Office 365 activities, but in some cases the ClientIP field is absent. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
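As an added example (not part of this document or of the Chronicle parser), the following Python walks one AzureActiveDirectory record through the rules the tables above share: ResultStatus to security_result.action and summary, the ExtendedProperties and ModifiedProperties dispatch, the Target Type 1 / Type 5 split, the UserLoggedIn rules for DeviceProperties, RequestType and LogonError, and the fallback to GENERIC_EVENT when ClientIP is absent. The event-type lookup, the `Target_<Type>` label key, the `@` test that picks email_addresses over userid and the JSON shape of additionalDetails are assumptions; the sample records are constructed.

```python
import json
import re

# Constructed subset of this page's Operation -> metadata.event_type table (assumption;
# a real parser covers every operation listed on the page).
EVENT_TYPES = {"UserLoggedIn": "USER_LOGIN", "UserLoginFailed": "USER_LOGIN",
               "Update device": "SETTING_MODIFICATION"}
NEEDS_MACHINE_ID = {"SETTING_MODIFICATION", "STATUS_UNCATEGORIZED"}  # need ClientIP to validate
IP_PORT = re.compile(r"^(?:\[([0-9a-fA-F:]+)\]|(\d{1,3}(?:\.\d{1,3}){3})):(\d+)$")


def _label(bucket, key, value):
    bucket.append({"key": key, "value": value})


def split_ip_port(addr):
    """'1.2.3.4:443' or '[2001:db8::1]:443' -> (ip, port); anything else -> (addr, None)."""
    m = IP_PORT.match(addr)
    return (addr, None) if not m else (m.group(1) or m.group(2), int(m.group(3)))


def normalize(rec):
    """Map one Office 365 AzureActiveDirectory audit record to a UDM-like dict."""
    udm = {"metadata": {}, "principal": {}, "about": {"labels": []}, "network": {"http": {}},
           "extensions": {"auth": {}}, "security_result": {"detection_fields": []},
           "target": {"user": {}, "group": {}, "labels": [], "resource": {"attribute": {"labels": []}}}}
    sr, tgt, auth = udm["security_result"], udm["target"], udm["extensions"]["auth"]
    event_type = EVENT_TYPES.get(rec.get("Operation"), "GENERIC_EVENT")
    # Page caveat: ClientIP is mandatory per Microsoft's docs but is sometimes absent;
    # the event type then fails UDM validation, so the parser degrades to GENERIC_EVENT.
    if event_type in NEEDS_MACHINE_ID and not rec.get("ClientIP"):
        event_type = "GENERIC_EVENT"
    udm["metadata"] = {"event_type": event_type, "product_version": rec.get("Version")}
    if rec.get("ActorIpAddress"):
        udm["principal"]["ip"], port = split_ip_port(rec["ActorIpAddress"])
        if port is not None:
            udm["principal"]["port"] = port
    status = rec.get("ResultStatus")
    if status in ("Success", "Succeeded"):
        sr["action"] = "ALLOW"
    elif status in ("Failure", "Failed") or rec.get("LogonError"):
        sr["action"] = "BLOCK"
    for p in rec.get("ExtendedProperties", []):
        name, value = p.get("Name"), p.get("Value", "")
        if name == "additionalDetails":  # assumption: Value is a JSON object string
            details = json.loads(value) if value.startswith("{") else {}
            if details.get("User-Agent"):
                udm["network"]["http"]["user_agent"] = details["User-Agent"]
        elif name == "UserAgent":
            udm["network"]["http"]["user_agent"] = value
        elif name == "extendedAuditEventCategory":
            _label(tgt["resource"]["attribute"]["labels"], name, value)
        elif name == "RequestType":
            if re.match(r"Saml|OAuth2", value):
                auth["type"] = "MACHINE"
        else:
            _label(udm["about"]["labels"], name, value)
    for p in rec.get("ModifiedProperties", []):
        if p.get("Name") == "Included Updated Properties":
            sr["summary"] = p.get("NewValue")
        else:
            _label(tgt["labels"], p.get("Name"), p.get("NewValue"))
    for t in rec.get("Target", []):
        if t.get("Type") == 1:  # per the page's group tables (device tables use resource.name)
            tgt["group"]["group_display_name"] = t.get("ID")
        elif t.get("Type") == 5:  # assumption: an '@' selects email_addresses over userid
            if "@" in t.get("ID", ""):
                tgt["user"]["email_addresses"] = [t["ID"]]
            else:
                tgt["user"]["userid"] = t.get("ID")
        else:  # assumption: key "Target_<Type>" for the detection_fields entry
            _label(sr["detection_fields"], f"Target_{t.get('Type')}", t.get("ID"))
    for d in rec.get("DeviceProperties", []):
        if d.get("Name") == "OS":  # page: substring match on Windows / Mac / Linux
            for needle, platform in (("Windows", "WINDOWS"), ("Mac", "MAC"), ("Linux", "LINUX")):
                if needle in d.get("Value", ""):
                    udm["principal"]["platform"] = platform
    if event_type == "USER_LOGIN":
        sr["summary"] = "User login successful" if sr.get("action") == "ALLOW" else "User login failed"
        if rec.get("LogonError"):  # page: LogonError -> description; one value fixes the mechanism
            sr["description"] = rec["LogonError"]
            if rec["LogonError"] == "UserAccountNotFound":
                auth["mechanism"] = "USERNAME_PASSWORD"
    return udm


SAMPLE_LOGIN = {  # constructed sample record, not from a real tenant
    "Operation": "UserLoggedIn", "Version": 1, "ResultStatus": "Success",
    "ClientIP": "203.0.113.10", "ActorIpAddress": "203.0.113.10:51234",
    "ExtendedProperties": [{"Name": "RequestType", "Value": "OAuth2:Authorize"},
                           {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0)"},
                           {"Name": "extendedAuditEventCategory", "Value": "User"}],
    "Target": [{"ID": "alice@example.com", "Type": 5}],
    "DeviceProperties": [{"Name": "OS", "Value": "Windows 10"}],
}
SAMPLE_DEVICE_NO_IP = {  # constructed: ClientIP absent, so the fallback applies
    "Operation": "Update device", "Version": 1, "ResultStatus": "Success",
    "ExtendedProperties": [{"Name": "additionalDetails", "Value": '{"User-Agent": "Mozilla/5.0"}'}],
    "ModifiedProperties": [{"Name": "Included Updated Properties", "NewValue": "DisplayName"}],
    "Target": [{"ID": "d3c0ffee", "Type": 2}],
}

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_LOGIN), indent=1))
```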
Verify domain
The following table lists the log fields and the corresponding UDM mappings for the "Verify domain" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Set company information
The following table lists the log fields and the corresponding UDM mappings for the "Set company information" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Reset user password
The following table lists the log fields and the corresponding UDM mappings for the "Reset user password" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.description, security_result.summary, target.labels.key/value. If Name is AccountEnabled, security_result.description is set to "AccountEnabled - {NewValue}"; if Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Disable account
The following table lists the log fields and the corresponding UDM mappings for the "Disable account" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, it is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete application password for user
The following table lists the log fields and the corresponding UDM mappings for the "Delete application password for user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION; target.resource.resource_type is DEVICE. If ResultStatus is Success, Action is set to ALLOW; if ResultStatus is Failure, Action is set to BLOCK |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, to target.platform_version; if Name is DevicePhysicalIds, to security_result.description; if Name is DisplayName, to target.resource.name; if Name is Included Updated Properties, to security_result.summary. If no DisplayName value is present in ModifiedProperties, the ID of the Target field is mapped to target.resource.name when its Type is 1 |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete device
The following table lists the log fields and the corresponding UDM mappings for the "Delete device" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION; target.resource.resource_type is DEVICE. If ResultStatus is Success, Action is set to ALLOW; if ResultStatus is Failure, Action is set to BLOCK |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, to target.platform_version; if Name is DevicePhysicalIds, to security_result.description; if Name is DisplayName, to target.resource.name; if Name is Included Updated Properties, to security_result.summary. If no DisplayName value is present in ModifiedProperties, the ID of the Target field is mapped to target.resource.name when its Type is 1 |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add registered users to device
The following table lists the log fields and the corresponding UDM mappings for the "Add registered users to device" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.resource.product_object_id, target.resource.name. If Name is Device.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Device.DisplayName, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add registered owner to device
The following table lists the log fields and the corresponding UDM mappings for the "Add registered owner to device" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.resource.product_object_id, target.resource.name. If Name is Device.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Device.DisplayName, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add owner to group
The following table lists the log fields and the corresponding UDM mappings for the "Add owner to group" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.group.product_object_id, target.group.group_display_name. If Name is Group.ObjectId, NewValue is mapped to target.group.product_object_id; if Name is Group.DisplayName, NewValue is mapped to target.group.group_display_name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add OAuth2PermissionGrant
The following table lists the log fields and the corresponding UDM mappings for the "Add OAuth2PermissionGrant" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.resource.product_object_id, target.resource.name, security_result.summary. If Name is ServicePrincipal.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is ServicePrincipal.DisplayName, to target.resource.name; if Name is Included Updated Properties, to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add device
The following table lists the log fields and the corresponding UDM mappings for the "Add device" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is DEVICE. If ResultStatus is Success, Action is set to ALLOW; if ResultStatus is Failure, Action is set to BLOCK |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If Name is DeviceOSType, NewValue is mapped to target.platform; if Name is DeviceOSVersion, to target.platform_version; if Name is DevicePhysicalIds, to security_result.description; if Name is DisplayName, to target.resource.name; if Name is Included Updated Properties, to security_result.summary. If no DisplayName value is present in ModifiedProperties, the ID of the Target field is mapped to target.resource.name when its Type is 1 |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
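As an added example, not code from the Chronicle parser, the Python below applies the "Delete device" and "Add device" mapping rules from the two tables above to a constructed audit record. The record's IDs, user and user agent are placeholders; writing the Action column to security_result.action and reading ActorIpAddress in the IPv4 "ip:port" form are assumptions.

```python
import json
import re

# Constructed "Add device" audit record (AzureActiveDirectory workload); all IDs are placeholders.
SAMPLE_RECORD = json.dumps({
    "Operation": "Add device", "ResultStatus": "Success", "Version": 1,
    "ActorIpAddress": "203.0.113.10:51234",
    "ExtendedProperties": [
        {"Name": "targetObjectId", "Value": "PLACEHOLDER-DEVICE-OBJECT-ID"},
        {"Name": "additionalDetails", "Value": '{"User-Agent":"Mozilla/5.0 (constructed)"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Device"}],
    "ModifiedProperties": [
        {"Name": "DeviceOSType", "NewValue": '["Windows"]'},
        {"Name": "DeviceOSVersion", "NewValue": '["10.0.19045"]'},
        {"Name": "DisplayName", "NewValue": '["LAPTOP-CONSTRUCTED"]'},
        {"Name": "Included Updated Properties", "NewValue": "DeviceOSType, DisplayName"}],
    "Target": [{"Type": 5, "ID": "user@example.com"}]})
EVENT_TYPE = {"Add device": "USER_RESOURCE_UPDATE_CONTENT", "Delete device": "USER_RESOURCE_DELETION"}
MODIFIED_TO_UDM = {"DeviceOSType": "target.platform", "DeviceOSVersion": "target.platform_version",
                   "DevicePhysicalIds": "security_result.description", "DisplayName": "target.resource.name",
                   "Included Updated Properties": "security_result.summary"}

def _unwrap(new_value):  # NewValue normally arrives as a JSON list of one string, e.g. '["Windows"]'
    try:
        parsed = json.loads(new_value)
    except (ValueError, TypeError):
        return new_value
    return parsed[0] if isinstance(parsed, list) and parsed else new_value

def map_device_event(raw: str) -> dict:
    rec = json.loads(raw)
    udm = {"metadata.event_type": EVENT_TYPE[rec["Operation"]], "target.resource.resource_type": "DEVICE",
           "metadata.product_version": rec.get("Version"), "about.labels": {},
           "target.resource.attribute.labels": {}, "security_result.detection_fields": {},
           # Assumption: the table's "Action" column is written to security_result.action.
           "security_result.action": {"Success": "ALLOW", "Failure": "BLOCK"}.get(rec.get("ResultStatus"))}
    ip, _, port = rec.get("ActorIpAddress", "").partition(":")  # assumes the IPv4 "ip:port" form
    udm["principal.ip"], udm["principal.port"] = ip, (int(port) if port.isdigit() else None)
    for p in rec.get("ExtendedProperties", []):
        name, value = p.get("Name"), p.get("Value", "")
        if name == "targetObjectId":
            udm["target.resource.product_object_id"] = value
        elif name == "additionalDetails":  # the User-Agent is embedded in a JSON string
            ua = re.search(r'"User-Agent"\s*:\s*"([^"]*)"', value)
            if ua:
                udm["network.http.user_agent"] = ua.group(1)
        else:  # extendedAuditEventCategory becomes a resource label, anything else an about label
            bucket = "target.resource.attribute.labels" if name == "extendedAuditEventCategory" else "about.labels"
            udm[bucket][name] = value
    for p in rec.get("ModifiedProperties", []):
        if p.get("Name") in MODIFIED_TO_UDM:
            udm[MODIFIED_TO_UDM[p["Name"]]] = _unwrap(p.get("NewValue"))
    for t in rec.get("Target", []):
        if t.get("Type") == 5:
            udm["target.user.userid"] = t.get("ID")
        elif t.get("Type") == 1:  # the device object itself: used only when DisplayName was absent
            udm.setdefault("target.resource.name", t.get("ID"))
        else:
            udm["security_result.detection_fields"][str(t.get("Type"))] = t.get("ID")
    return udm
```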
Add app role assignment to user
The following table lists the log fields and the corresponding UDM mappings for the "Add app role assignment to user" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; Workload is mapped to intermediary.application |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.application, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetName, Value is mapped to target.application; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | target.user.userid or target.user.email_addresses. If Name is User.UPN, NewValue is mapped to target.user.userid or target.user.email_addresses |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Consent to application
The following table lists the log fields and the corresponding UDM mappings for the "Consent to application" operation and the "AzureActiveDirectory" workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
Tar |