Sharepoint parser or not?

Hello everybody!

A client requested to ingest "SharePoint" into their SIEM instance, so, as usual, the first thing I did was check the supported log type list. There I can find it listed as supported but not available: "Microsoft SharePoint - SHAREPOINT" (damn).

Then I moved on to Feed configuration and learned that SharePoint is part of the Office 365 package, ingestable via API, with the channel "AUDIT_SHARE_POINT".

Fast forward to after all the configuration magic: I was in for a nice surprise. All logs ingested were already parsed using Chronicle's built-in "Office 365" parser.

As nice and beautiful as this is, I have learnt that things are rarely this easy... So: have they really been parsed correctly, or am I just daydreaming? Is it just a matter of updating the supported log types list, or am I mistaking something big?

What do you think?


Thanks very much for your replies everyone!

A


Solved

Accepted solution:

The Office 365 parser can parse SharePoint audit logs as documented here.

For non-audit logs, we have a log type specified but no default parser. Hope this helps.


Many thanks @manthavish!

May I ask you also for some more insights about this? Since I have no familiarity with this product, how much should I concern myself with non-audit logs? Would I find relevant security-related info in those as well?


Thanks again,


Sorry for the delay. I am not familiar with use cases using non-audit SharePoint logs. If there is a use case specific to your setup, then spending time understanding the fields of interest in the log and mapping them to relevant UDM fields would be the first step before implementing the parser.
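As an added illustration of that first step (example code, not from the thread or from Chronicle), the sketch below picks the fields of interest out of a SharePoint audit record and maps them to UDM-style paths, recording anything it could not map so the gaps are visible before a parser is written. The record is constructed to follow the Office 365 Management Activity API common schema (Workload, Operation, UserId, ObjectId, ClientIP, CreationTime); the UDM paths and the Operation-to-event_type table are assumptions for illustration, not the output of the built-in Office 365 parser.

```python
"""Added example: map one SharePoint audit record to a UDM-like dict and report
which fields of interest the mapping could not cover. The UDM paths below are
illustrative assumptions, not Chronicle's parser output."""
import json
from datetime import datetime, timezone

# Constructed sample record, modelled on the Office 365 Management Activity API
# common schema with SharePoint-specific properties. All values are made up.
SAMPLE_RECORD = json.dumps({
    "CreationTime": "2024-01-15T10:22:05",
    "Id": "00000000-0000-0000-0000-000000000001",
    "Operation": "FileDownloaded",
    "Workload": "SharePoint",
    "UserId": "alice@example.com",
    "ClientIP": "203.0.113.10",
    "ObjectId": "https://example.sharepoint.com/sites/finance/Shared Documents/budget.xlsx",
    "SiteUrl": "https://example.sharepoint.com/sites/finance/",
    "SourceFileName": "budget.xlsx",
})

# Source field -> UDM-style dotted path (assumed mapping, for illustration only).
FIELD_MAP = {
    "UserId": "principal.user.userid",
    "ClientIP": "principal.ip",          # repeated field in UDM, so stored as a list
    "ObjectId": "target.file.full_path",
    "SiteUrl": "target.url",
    "Operation": "metadata.product_event_type",
}

# Operation -> UDM event_type (assumed; only a handful of SharePoint operations shown).
EVENT_TYPE_MAP = {
    "FileAccessed": "FILE_READ",
    "FileDownloaded": "FILE_READ",
    "FileDeleted": "FILE_DELETION",
    "FileUploaded": "FILE_CREATION",
    "SharingSet": "USER_RESOURCE_UPDATE_PERMISSIONS",
}


def _set_path(udm: dict, dotted: str, value) -> None:
    """Create nested dicts for a dotted UDM path and set the leaf value."""
    parts = dotted.split(".")
    node = udm
    for key in parts[:-1]:
        node = node.setdefault(key, {})
    node[parts[-1]] = value


def map_sharepoint_audit(raw_json: str) -> dict:
    """Map one SharePoint audit record to a UDM-like dict.

    An Operation not in EVENT_TYPE_MAP falls back to GENERIC_EVENT, and every
    source field the mapping expected but did not find is listed under
    'unmapped', which is what a parser author needs to see first."""
    rec = json.loads(raw_json)
    if rec.get("Workload") != "SharePoint":
        raise ValueError(f"not a SharePoint record: {rec.get('Workload')!r}")
    udm: dict = {"metadata": {}, "unmapped": []}
    # CreationTime in the API is UTC without an explicit offset
    ts = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
    udm["metadata"]["event_timestamp"] = ts.isoformat()
    udm["metadata"]["product_log_id"] = rec.get("Id")
    op = rec.get("Operation")
    udm["metadata"]["event_type"] = EVENT_TYPE_MAP.get(op, "GENERIC_EVENT")
    if op not in EVENT_TYPE_MAP:
        udm["unmapped"].append("Operation")
    for src, dst in FIELD_MAP.items():
        if src not in rec:
            udm["unmapped"].append(src)
            continue
        value = [rec[src]] if src == "ClientIP" else rec[src]
        _set_path(udm, dst, value)
    return udm


def coverage_gaps(raw_json: str, required=("UserId", "Operation", "ObjectId")) -> list:
    """Return the required source fields missing from a record; an empty list
    means the record carries everything the mapping expects."""
    rec = json.loads(raw_json)
    return [f for f in required if f not in rec]


if __name__ == "__main__":
    print(json.dumps(map_sharepoint_audit(SAMPLE_RECORD), indent=2))
    print("gaps:", coverage_gaps(SAMPLE_RECORD))
```

Running the script over a sample of real records (rather than the constructed one) and counting how often `unmapped` is non-empty is a quick way to judge whether a default mapping covers the events that matter before investing in a custom parser.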