Microsoft Sharepoint¶
About¶
SharePoint is a powerful collaboration platform that lets you share and manage content, knowledge, and applications to empower teamwork. SharePoint Server can be used on-premises or with a Microsoft 365 enterprise subscription to take advantage of all the latest features. Share common resources and applications on sites. Use search to discover information and expertise across your organization. And stay in the know with personalized news in SharePoint home and the SharePoint mobile apps.
Product Details¶
Vendor URL: Sharepoint
Product Type: Audit
Product Tier: Tier III
Integration Method: Syslog
Log Guide: Sharepoint Logs
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: SHAREPOINT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Action | metadata.product_event_type |
| Action | security_result.action_details |
| appliesTo | target.url |
| Area | observer.application |
| BasePermissions | target.user.attribute.permissions.name |
| Category | metadata.product_event_type |
| Correlation | metadata.product_deployment_id |
| CorrelationId | metadata.product_deployment_id |
| Description | target.user.attribute.role.description |
| Details.Email | target.user.email_addresses |
| Details.FeatureScope | target.resource.resource_subtype |
| Details.Group | target.group.group_display_name |
| Details.Id | target.resource.id |
| Details.IsSiteAdmin | target.user.attribute.roles.type |
| Details.Name | target.group.group_display_name |
| Details.Title | target.resource.name |
| Details.Url | target.url |
| Details.UserCollectionType | security_result.category_details |
| Details.WebApplication | target.application |
| Details.WebUrl | metadata.url_back_to_product |
| EventID | metadata.product_log_id |
| FarmId | target.asset.asset_id |
| Hostname | observer.hostname |
| Level | security_result.severity_details |
| Message | security_result.summary |
| Name | target.user.attribute.role.name |
| nameid | target.user.windows_sid |
| nii | security_result.detection_fields |
| PreviousAdmin | additional.fields |
| Process | principal.process.file.names |
| Process | principal.process.pid |
| Role ID | target.user.attribute.labels |
| SiteSubscriptionId | additional.fields |
| SourceModuleName | observer.resource.name |
| SourceModuleType | observer.resource.resource_subtype |
| Target | target.resource.name |
| Target | target.administrative_domain |
| Target | target.user.userid |
| Target | target.user.user_display_name |
| Target | target.user.attribute.permissions.name |
| TID | additional.fields |
| upn | target.user.user_display_name |
| Url | metadata.url_back_to_product |
| userId | target.user.userid |
| UserLogin | principal.administrative_domain |
| UserLogin | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Administration.Security.Group.Add | GROUP_CREATION |
| Administration.Security.User.Add | USER_CREATION |
| Administration.Security.User.Remove | USER_DELETION |
| Administration.SiteCollection.Add | RESOURCE_CREATION |
| anvuv | USER_UNCATEGORIZED |
| Feature.Enable, Feature.Disable | SETTING_MODIFICATION |
| Group.Update | GROUP_MODIFICATION |
| Owner.Update, User.Update, User.Role.Update, User.Move | USER_CHANGE_PERMISSIONS |
Log Sample¶
{"EventReceivedTime":"2024-10-17T16:56:57.737546-04:00","SourceModuleName":"Input_Sharepoint_Usage_Logs","SourceModuleType":"im_file","Hostname":"EXAMPLE.org.mhm-services.local","FarmId":"03448617-4892-47aa-a8c2-a12345aabc1234","UserLogin":"org\\johndoe","SiteSubscriptionId":"00000000-0000-0000-0000-000000000000","TimestampUtc":"2024-10-17 20:54:12.028","CorrelationId":"f3e65aa1-6937-705e-77f5-a12345aabc1234","Action":"Administration.Security.User.Role.Update","Target":"i:0#.w|org\\janedoe","Details":"{\"WebUrl\":\"https://cc.teamexample.com/hrs/olrs\",\"Role\":\"\\u003cRoles\\u003e\\u003cRole ID=\"1073741932\" Name=\"Contribute - No Delete\" Description=\"Can view, add and update, approve list items and documents. Can NOT delete Items.\" Order=\"2147483647\" Hidden=\"False\" Type=\"None\" BasePermissions=\"ViewListItems, AddListItems, EditListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, BrowseDirectories, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts\" /\\u003e\\u003c/Roles\\u003e\"}","EventTime":"2024-10-17T16:54:12.028000-04:00"}
Sample Parsing¶
additional.fields["SiteSubscriptionId"] = "00000000-0000-0000-0000-000000000000"
metadata.event_type = "USER_CHANGE_PERMISSIONS"
metadata.log_type = "SHAREPOINT"
metadata.product_deployment_id = "f3e65aa1-6937-705e-77f5-a12345aabc1234"
metadata.product_event_type = "Administration.Security.User.Role.Update"
metadata.product_name = "Sharepoint"
metadata.url_back_to_product = "https://cc.teamexample.com/hrs/olrs"
metadata.vendor_name = "Microsoft"
observer.hostname = "EXAMPLE.org.mhm-services.local"
observer.resource.name = "Input_Sharepoint_Usage_Logs"
observer.resource.resource_subtype = "im_file"
principal.administrative_domain = "org"
principal.user.userid = "johndoe"
security_result.action_details = "Administration.Security.User.Role.Update"
target.administrative_domain = "org"
target.asset.asset_id = "FarmId: 03448617-4892-47aa-a8c2-a12345aabc1234"
target.resource.name = "i:0#.w|org\\janedoe"
target.user.attribute.labels.key = "status"
target.user.attribute.labels.value = "active"
target.user.attribute.permissions.name = "ViewListItems, AddListItems, EditListItems, ApproveItems, OpenItems, ViewVersions, DeleteVersions, ManagePersonalViews, ViewFormPages, Open, ViewPages, BrowseDirectories, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, CreateAlerts"
target.user.attribute.roles.description = "Can view, add and update, approve list items and documents. Can NOT delete Items."
target.user.attribute.roles.name = "Member"
target.user.userid = "janedoe"