Sharepoint parser or not?

Question

Hello everybody!A client requested to inject "Sharepoint" into their SIEM instance so, as usual, the first thing I have done was to check with the supported log type list. Here I can find, as supporter but not available: "Microsoft SharePoint - SHAREPOINT" (damn).Then I move onto Feed configuration and I learn that SharePoint is part of the Office 365 package, injectable via API, with channel "AUDIT_SHARE_POINT". Fastforward to after all the configuration magic, I was in for a nice surprise: all logs injested were already parsed using the "Office 365" built-in parser of Chronicle.As far as this is nice and beautiful, I have learnt that things rarely are this easy... So: are they really been parsed correclty, or I am just daydreaming? It's just a matter of updating the supported log types list, or am I mistaking something big? What do you think? Thanks very much for your replies everyone!A

manthavish · Accepted Answer

The Office 365 parser can parser Sharepoint audit logs as documented here FOr non audit logs, we have a log type specified but no default parser. Hope this helps.

manthavish · Answer

Many thanks @manthavish!May I ask you also some more insights about this? Since I have no familiarity with this product, how much should I concern myself about not-auditing logs? Would I find relevant security-related info also in those? Thanks again,  Sorry for the delay. I am not familair with use cases using non-audit Sharepoint logs. If there is a use case specific to your setup, then spending time and understanding the fields of interest in the log and mapping them to relevant UDM fields would be the first step before implementing the parser.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded