Microsoft SharePoint

The Microsoft SharePoint DSM for IBM® QRadar® collects audit events from the SharePoint database by using JDBC to poll an SQL database for audit events.

Audit events can track changes that are made to sites, files, and content that is managed by Microsoft SharePoint.

Microsoft SharePoint audit events include the following elements:

  • Site name and the source from which the event originated
  • Item ID, item name, and event location
  • User ID associated with the event
  • Event type, time stamp, and event action

Two log source configurations can be used to collect Microsoft SharePoint database events.

  1. Create a database view in your SharePoint database to poll for events with the JDBC protocol. See Creating a database view for Microsoft SharePoint.
  2. Create a JDBC log source and use predefined database queries to collect SharePoint events. This option does not require an administrator to create database view. See JDBC log source parameters for Microsoft Share Point.
Note: The collection of Microsoft Sharepoint events now uses a predefined query, instead of requiring an administrator to create a database view. If you are an administrator, you might want to update existing Microsoft Sharepoint log sources so that they use the Microsoft Sharepoint predefined query.