Parser Content

{
Name = microsoft-o365-cef-app-activity-list-filesyncdownloadedpartial
  ParserVersion = v1.0.0
  Conditions = [ """CEF:""", """|OneDrive|""", """|FileSyncDownloadedPartial|""" ]

cef-onedrive-app-activity-1 = {
  Vendor = Microsoft
  Product = Microsoft 365
  TimeFormat = "epoch"
  Fields = [
    """\Wdvc=({host}\S+)""",
    """\Wdvchost=({host}[\w\-.]+)""",
    """\Wact=({operation}.+?)\s+(\w+=|$)""",
    """\Wrt=({time}\d{13})""",
    """\Wduser=({email_address}[^@\s]+@({email_domain}[^\s@]+))""",
    """\Wsuser=({email_address}[^@\s]+@({email_domain}[^\s@]+))""",
    """\Wsuid=({email_address}[^@\s]+@({email_domain}[^\s@]+))""",
    """\Woutcome=({result}.+?)\s+(\w+=|$)""",
    """CEF:([^\|]*\|){2}({app}[^\|]+)""",
  
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pC_microsofto365cefappactivitylistfilesyncdownloadedpartial.md

pC_microsofto365cefappactivitylistfilesyncdownloadedpartial.md

Parser Content

Files

pC_microsofto365cefappactivitylistfilesyncdownloadedpartial.md

Latest commit

History

pC_microsofto365cefappactivitylistfilesyncdownloadedpartial.md

File metadata and controls

Parser Content