Included beginning in Portal version 2.0.1.
As an extension of the ThreatLocker Storage Control module, logs from SharePoint can be ingested and displayed in the Unified Audit.
Please Note: Before logs can be ingested by ThreatLocker, auditing must be enabled in the Microsoft Purview portal. For help with turning auditing on, please see Microsoft's instructions: Turn auditing on or off | Microsoft Learn
Setting Up the SharePoint Connector
Please Note: The SharePoint Connector is only available for Organizations with Storage Control enabled.
Navigate to the Integrations page.
Begin typing SharePoint into the search bar to locate the SharePoint Connector.
Once the SharePoint Connector is selected, the Create SharePoint Connector sidebar will slide out from the right.
- Insert the Azure Tenant ID of the Tenant being connected to ThreatLocker into the Tenant ID textbox.
- Select 'Open Consent Window' to open the Microsoft Consent window.
- Click the blue 'Accept' button to accept the requested permissions.
Once consent has been granted, ThreatLocker will pull the SharePoint sites from the connected tenant.
Once a Site is selected from the type-searchable dropdown, the folders located in that Site will be listed.
Administrators can select a folder or enter a file path into the text input box.
Click the blue '+' button to add the specified location to the list of monitored SharePoint locations.
The monitored locations will be listed in the grid at the bottom of the sidebar.
Once all desired SharePoint file locations have been added to the list to monitor, select the blue 'Save' button.
MultiTenancy
The SharePoint Connector can be configured to monitor multiple tenants.
To add another tenant to the SharePoint Connector, navigate to the Integrations page and select SharePoint Connector to open the SharePoint Connector sidebar.
Select the blue '+' button in the SharePoint Tenants header.
A new SharePoint Tenant ID input box will be populated above the currently connected tenants. Repeat the steps from above to set up the new Tenant.
Viewing Logs
Once SharePoint locations have been added, those logs will be visible in the Unified Audit. Logs will include permits and denies for reads, writes, deletes, and moves for any monitored locations.
At the top of the Update SharePoint Connector sidebar, the date/time of the last log ingestion will be displayed, as well as the number of logs ingested in the last hour.
Quickly navigate to the Unified Audit to view all logs collected in the last hour by pressing the blue search icon.
Logs can also be viewed by navigating directly to the Unified Audit.
The Hostname consists of the name SharePoint Connector followed by the SharePoint Site name.
Audit Details Sidebar
Clicking on a Unified Audit entry will open a sidebar that will show more detailed information concerning the activity.
Click on 'View Action Log' to show the full log details from SharePoint.
Select the Hostname to open the Update SharePoint Connector sidebar.
SharePoint records more detailed actions than Read, Write, Move, and Delete. The exact SharePoint action will be displayed in the 'Notes' section of the expanded entry.
Known Limitation: Microsoft's own documentation states that although most logs are delivered within 30 minutes, in less common circumstances, it can take up to 2 hours for logs to be delivered.
For assistance with the SharePoint Connector or any other ThreatLocker product, please reach out to the Cyber Hero Team.