{ "algorithms": { "GradientBoostingRegressor": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false }, "LinearRegression": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false }, "LogisticRegression": { "accuracy": 0, "f1_score": 0, "modelId": "", "precision": 0, "recall": 0, "recommended": false }, "RandomForestRegressor": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false } }, "description": "Contains file and page activities in SharePoint Online.", "enabled": true, "entity_rules": [], "key": "da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities", "kpis": [ { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "avg", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": null, "severity_color": "#B50101", "severity_color_light": "#E5A6A6", "severity_label": "critical", "severity_label_localized": null, "severity_value": 6.0, "threshold_value": 0.0 }, { "dynamic_param": null, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": null, "severity_value": 5.0, "threshold_value": 20.0 }, { "dynamic_param": null, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": null, "severity_value": 4.0, "threshold_value": 40.0 }, { "dynamic_param": null, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": null, "severity_value": 3.0, "threshold_value": 60.0 }, { "dynamic_param": null, "severity_color": "#99D18B", 
"severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": null, "severity_value": 2.0, "threshold_value": 80.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "1", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": 0.999, "anomaly_detection_training_window": "-7d", "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities)`", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": false, "entity_filter_field": "", "entity_split_field": "", "entity_statop": "avg", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": null, "severity_color": "#B50101", "severity_color_light": "#E5A6A6", "severity_label": "critical", "severity_label_localized": null, "severity_value": 6.0, "threshold_value": 0.0 }, { "dynamic_param": null, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": null, "severity_value": 5.0, "threshold_value": 20.0 }, { "dynamic_param": null, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", 
"severity_label_localized": null, "severity_value": 4.0, "threshold_value": 40.0 }, { "dynamic_param": null, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": null, "severity_value": 3.0, "threshold_value": 60.0 }, { "dynamic_param": null, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": null, "severity_value": 2.0, "threshold_value": 80.0 } ] }, "fill_gaps": "null_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": false, "key": "SHKPI-da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities", "kpi_base_search": "", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities)` | stats latest(health_score) AS aggregate", "search_aggregate": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities)` | stats latest(health_score) AS aggregate", "search_alert": "", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": null, "search_occurrences": 1.0, "search_time_compare": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities)` [| stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time))+ \" latest=\" + tostring(info_max_time) |fields search] | addinfo | eval bucket=if(_time0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))", "search_time_series": 
"`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities)` | timechart avg(health_score) AS aggregate", "search_time_series_aggregate": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities)` | timechart avg(health_score) AS aggregate", "search_time_series_entities": "", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "aggregate", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "ServiceHealthScore", "trending_ad": { "sensitivity": 8 }, "type": "service_health", "tz_offset": null, "unit": "", "urgency": 11.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 494.0, 
"render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User or system account accesses a file.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 137.24814814814815, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table 
Operation, SiteName, ObjectId, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5, true, true, true)` | eval kpi=\"Accessed file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, 
da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5, true, true, true)` | eval kpi=\"Accessed file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | 
`aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2b20a544a87f6f87d15f9d5)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 459.3171348314607, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Accessed file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, 
"unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. 
Only users assigned at least the contributor permission for a site can change the record status of a document.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-e41841159a49adb19e3368bf", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e41841159a49adb19e3368bf, true, true, true)` | eval kpi=\"Changed record status to locked\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" 
| `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e41841159a49adb19e3368bf)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e41841159a49adb19e3368bf, true, true, true)` | eval kpi=\"Changed record status to locked\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e41841159a49adb19e3368bf)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | 
`aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e41841159a49adb19e3368bf)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e41841159a49adb19e3368bf)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e41841159a49adb19e3368bf)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=LockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { 
"dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Changed record status to locked", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, 
"base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-557270d09713c75d37a9875f", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-557270d09713c75d37a9875f, true, true, true)` | eval kpi=\"Changed record status to unlocked\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-557270d09713c75d37a9875f)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-557270d09713c75d37a9875f, true, true, true)` | eval kpi=\"Changed record status to unlocked\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", 
"search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-557270d09713c75d37a9875f)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-557270d09713c75d37a9875f)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-557270d09713c75d37a9875f)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-557270d09713c75d37a9875f)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=UnlockRecord\n| table 
Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Changed record status to unlocked", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": 
"info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "A retention label was applied to or removed from a document. 
This event is triggered when a retention label is manually or automatically applied to a message.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-43549e58cf5a1401607961b1", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-43549e58cf5a1401607961b1, true, true, true)` | eval kpi=\"Changed retention label for a file\", urgency=\"0\", alert_period=\"15\", 
serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-43549e58cf5a1401607961b1)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-43549e58cf5a1401607961b1, true, true, true)` | eval kpi=\"Changed retention label for a file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-43549e58cf5a1401607961b1)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-43549e58cf5a1401607961b1)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-43549e58cf5a1401607961b1)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-43549e58cf5a1401607961b1)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=ComplianceSettingChanged\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, 
"is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Changed retention label for a file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, 
"anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User checks in a document that they checked out from a document library.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-d0f33477ad35c1c79b59ff39", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation 
Operation=FileCheckedIn\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-d0f33477ad35c1c79b59ff39, true, true, true)` | eval kpi=\"Checked in file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-d0f33477ad35c1c79b59ff39)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-d0f33477ad35c1c79b59ff39, true, true, true)` | eval kpi=\"Checked in file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-d0f33477ad35c1c79b59ff39)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-d0f33477ad35c1c79b59ff39)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-d0f33477ad35c1c79b59ff39)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-d0f33477ad35c1c79b59ff39)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedIn\n| table Operation, SiteName, _time | 
`aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Checked in file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 
100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User checks out a document located in a document library. 
Users can check out and make changes to documents that have been shared with them.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-ab5e9832cbac47f7c253444e", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-ab5e9832cbac47f7c253444e, true, true, true)` | eval kpi=\"Checked out file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", 
"search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-ab5e9832cbac47f7c253444e)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-ab5e9832cbac47f7c253444e, true, true, true)` | eval kpi=\"Checked out file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-ab5e9832cbac47f7c253444e)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, 
\"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-ab5e9832cbac47f7c253444e)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-ab5e9832cbac47f7c253444e)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-ab5e9832cbac47f7c253444e)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckedOut\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": 
"#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Checked out file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User copies a document from a site. The copied file can be saved to another folder on the site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-b4c2b6da960bef75687613fd", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` 
| eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-b4c2b6da960bef75687613fd, true, true, true)` | eval kpi=\"Copied file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-b4c2b6da960bef75687613fd)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-b4c2b6da960bef75687613fd, true, true, true)` | eval kpi=\"Copied file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 
15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-b4c2b6da960bef75687613fd)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-b4c2b6da960bef75687613fd)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-b4c2b6da960bef75687613fd)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-b4c2b6da960bef75687613fd)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCopied\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { 
"default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Copied file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": 
false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User deletes a document from a site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" 
}, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165, true, true, true)` | eval kpi=\"Deleted file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165, true, true, true)` | eval kpi=\"Deleted file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", 
"search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f4bd12b2070ea7c5f3e0b165)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=FileDeleted\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Deleted file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", 
"base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User deletes a file from the recycle bin of a site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, 
"is_split_by_entity": true, "key": "da-itsi-cp-m365-4d6210e90b58c650b22ba5b0", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4d6210e90b58c650b22ba5b0, true, true, true)` | eval kpi=\"Deleted file from recycle bin\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4d6210e90b58c650b22ba5b0)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval 
sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4d6210e90b58c650b22ba5b0, true, true, true)` | eval kpi=\"Deleted file from recycle bin\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4d6210e90b58c650b22ba5b0)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4d6210e90b58c650b22ba5b0)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4d6210e90b58c650b22ba5b0)`", 
"search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4d6210e90b58c650b22ba5b0)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedFirstStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": 
false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Deleted file from recycle bin", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User deletes a file from the second-stage recycle bin of a site.", "enabled": true, "entity_filter_field": "host", 
"entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-89f0a2f6500331553dcb1c1c", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-89f0a2f6500331553dcb1c1c, true, true, true)` | eval kpi=\"Deleted file from second-stage recycle bin\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-89f0a2f6500331553dcb1c1c)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-89f0a2f6500331553dcb1c1c, true, true, true)` | eval kpi=\"Deleted file from second-stage recycle bin\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-89f0a2f6500331553dcb1c1c)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | 
`aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-89f0a2f6500331553dcb1c1c)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-89f0a2f6500331553dcb1c1c)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-89f0a2f6500331553dcb1c1c)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDeletedSecondStageRecycleBin\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#FCB64E", "base_severity_color_light": "#FEE6C1", "base_severity_label": "medium", "base_severity_value": 4.0, "gauge_max": 76315, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 
76315.525, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.05, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 37390.75 }, { "dynamic_param": 0.95, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": "High", "severity_value": 5.0, "threshold_value": 69377.75 } ] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Deleted file from second-stage recycle bin", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, 
"anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-3157918cc8c8a3a7c4b29715", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-3157918cc8c8a3a7c4b29715, true, true, true)` | eval kpi=\"Deleted file marked as a record\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-3157918cc8c8a3a7c4b29715)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-3157918cc8c8a3a7c4b29715, true, true, true)` | eval kpi=\"Deleted file marked as a record\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", 
"search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-3157918cc8c8a3a7c4b29715)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-3157918cc8c8a3a7c4b29715)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-3157918cc8c8a3a7c4b29715)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-3157918cc8c8a3a7c4b29715)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=RecordDelete\n| table 
Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Deleted file marked as a record", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { 
"dynamic_param": 0.0, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": "Medium", "severity_value": 4.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User uploads a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 
0.0 }, { "dynamic_param": 0.0, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": "Medium", "severity_value": 4.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348, true, true, true)` | eval kpi=\"Detected document sensitivity mismatch\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | 
`aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348, true, true, true)` | eval kpi=\"Detected document sensitivity mismatch\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, 
da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-93e5c82a9cc9f6eb5fa17348)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=DocumentSensitivityMismatchDetected\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": 
"#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Detected document sensitivity mismatch", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": "Medium", "severity_value": 4.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" 
Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "SharePoint anti-virus engine detects malware in a file.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": "Medium", "severity_value": 4.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-54d7e8533ced577c64e0d696", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": 
"", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-54d7e8533ced577c64e0d696, true, true, true)` | eval kpi=\"Detected malware in file\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-54d7e8533ced577c64e0d696)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-54d7e8533ced577c64e0d696, true, true, true)` | eval kpi=\"Detected malware in file\", urgency=\"5\", alert_period=\"15\", 
serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-54d7e8533ced577c64e0d696)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-54d7e8533ced577c64e0d696)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-54d7e8533ced577c64e0d696)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | 
`assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-54d7e8533ced577c64e0d696)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected\n| table Operation, SiteName, ObjectId, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Detected malware in file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, 
"is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User discards (or undoes) a checked out file. 
That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-4c216386f9949bdfc52da3a5", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4c216386f9949bdfc52da3a5, true, true, true)` | eval kpi=\"Discarded file checkout\", urgency=\"0\", alert_period=\"15\", 
serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4c216386f9949bdfc52da3a5)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4c216386f9949bdfc52da3a5, true, true, true)` | eval kpi=\"Discarded file checkout\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4c216386f9949bdfc52da3a5)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4c216386f9949bdfc52da3a5)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4c216386f9949bdfc52da3a5)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-4c216386f9949bdfc52da3a5)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileCheckOutDiscarded\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, 
"is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Discarded file checkout", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, 
"cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User downloads a document from a site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-716c24018cdbc2c75d13914c", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-716c24018cdbc2c75d13914c, true, true, true)` | eval kpi=\"Downloaded 
file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-716c24018cdbc2c75d13914c)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-716c24018cdbc2c75d13914c, true, true, true)` | eval kpi=\"Downloaded file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-716c24018cdbc2c75d13914c)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-716c24018cdbc2c75d13914c)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-716c24018cdbc2c75d13914c)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-716c24018cdbc2c75d13914c)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileDownloaded\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, 
"metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Downloaded file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 178.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, 
"cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User or system account modifies the content or the properties of a document on a site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-2f8330c87c64cb231c1378b5", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-2f8330c87c64cb231c1378b5, 
true, true, true)` | eval kpi=\"Modified file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-2f8330c87c64cb231c1378b5)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-2f8330c87c64cb231c1378b5, true, true, true)` | eval kpi=\"Modified file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-2f8330c87c64cb231c1378b5)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-2f8330c87c64cb231c1378b5)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-2f8330c87c64cb231c1378b5)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-2f8330c87c64cb231c1378b5)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileModified\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, 
"is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Modified file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { 
"sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User moves a document from its current location on a site to a new location.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-84608d0b8887c25ebe7495ed", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, 
da-itsi-cp-m365-84608d0b8887c25ebe7495ed, true, true, true)` | eval kpi=\"Moved file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-84608d0b8887c25ebe7495ed)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-84608d0b8887c25ebe7495ed, true, true, true)` | eval kpi=\"Moved file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-84608d0b8887c25ebe7495ed)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-84608d0b8887c25ebe7495ed)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-84608d0b8887c25ebe7495ed)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-84608d0b8887c25ebe7495ed)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMoved\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, 
"is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Moved file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 
8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Number of page views.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6, true, true, true)` | eval kpi=\"Page View Count\", 
urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6, true, true, true)` | eval kpi=\"Page View Count\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint 
Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-e0ef452f15ea5b4c7e3d36b6)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"PageViewed\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 
100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Page View Count", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": 
"", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User or system account performs a search in SharePoint.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-bc39434c3750dc5c604a7e2e", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-bc39434c3750dc5c604a7e2e, true, true, true)` | eval kpi=\"Performed search query\", urgency=\"0\", 
alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-bc39434c3750dc5c604a7e2e)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-bc39434c3750dc5c604a7e2e, true, true, true)` | eval kpi=\"Performed search query\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-bc39434c3750dc5c604a7e2e)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-bc39434c3750dc5c604a7e2e)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-bc39434c3750dc5c604a7e2e)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-bc39434c3750dc5c604a7e2e)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=SearchQueryPerformed\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, 
"is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Performed search query", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { 
"sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User deletes all minor versions from the version history of a file.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-f2363bccc336e4beb7af39e6", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, 
da-itsi-cp-m365-f2363bccc336e4beb7af39e6, true, true, true)` | eval kpi=\"Recycled all minor versions of file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2363bccc336e4beb7af39e6)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2363bccc336e4beb7af39e6, true, true, true)` | eval kpi=\"Recycled all minor versions of file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, 
da-itsi-cp-m365-f2363bccc336e4beb7af39e6)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2363bccc336e4beb7af39e6)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2363bccc336e4beb7af39e6)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-f2363bccc336e4beb7af39e6)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllMinorsRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { 
"aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Recycled all minor versions of file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User deletes all versions from the version history of a file.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-50040c5f796730ab97afb050", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, 
sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-50040c5f796730ab97afb050, true, true, true)` | eval kpi=\"Recycled all versions of file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-50040c5f796730ab97afb050)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-50040c5f796730ab97afb050, true, true, true)` | eval kpi=\"Recycled all versions of file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, 
SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-50040c5f796730ab97afb050)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-50040c5f796730ab97afb050)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-50040c5f796730ab97afb050)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-50040c5f796730ab97afb050)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionsAllRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": 
"M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Recycled all versions of file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, 
"anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User deletes a version from the version history of a file.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-79e7ed3e1010a68dace1d9df", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | 
`aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-79e7ed3e1010a68dace1d9df, true, true, true)` | eval kpi=\"Recycled version of file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-79e7ed3e1010a68dace1d9df)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-79e7ed3e1010a68dace1d9df, true, true, true)` | eval kpi=\"Recycled version of file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-79e7ed3e1010a68dace1d9df)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-79e7ed3e1010a68dace1d9df)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-79e7ed3e1010a68dace1d9df)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-79e7ed3e1010a68dace1d9df)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileVersionRecycled\n| table Operation, SiteName, _time | 
`aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Recycled version of file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", 
"anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User renames a document on a site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0, true, true, true)` | eval kpi=\"Renamed file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0, true, true, true)` | eval kpi=\"Renamed file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": 
"`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9fc21c9fabc52f8e674da8d0)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRenamed\n| table Operation, SiteName, _time | 
`aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Renamed file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", 
"anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User restores a document from the recycle bin of a site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-6cc280c88be47e323a8b6e41", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-6cc280c88be47e323a8b6e41, true, true, true)` | eval kpi=\"Restored file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-6cc280c88be47e323a8b6e41)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-6cc280c88be47e323a8b6e41, true, true, true)` | eval kpi=\"Restored file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", 
"search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-6cc280c88be47e323a8b6e41)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-6cc280c88be47e323a8b6e41)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-6cc280c88be47e323a8b6e41)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-6cc280c88be47e323a8b6e41)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileRestored\n| table Operation, SiteName, _time 
| `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Restored file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "15", 
"anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "User uploads a document to a folder on a site.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2, true, true, true)` | eval kpi=\"Uploaded file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2, true, true, true)` | eval kpi=\"Uploaded file\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", 
"search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-9e1d8b5957726a1c30c9b3f2)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileUploaded\n| table Operation, SiteName, _time 
| `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Uploaded file", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": 
"#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": "Medium", "severity_value": 4.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Users who accessed a file in which malware was detected.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "UserId", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": 
"#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": "Medium", "severity_value": 4.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-5426acf53e36fadc4c5790b0", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | `aggregate_raw_into_entity(count, UserId, \"UserId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(UserId, sec_grp)` | eval serviceid = 
\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-5426acf53e36fadc4c5790b0, true, true, true)` | eval kpi=\"Users that Accessed File Detected with Malware\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | `aggregate_raw_into_single_value(count, sum, UserId, \"UserId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-5426acf53e36fadc4c5790b0)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | `aggregate_raw_into_entity(count, UserId, \"UserId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(UserId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | 
`assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-5426acf53e36fadc4c5790b0, true, true, true)` | eval kpi=\"Users that Accessed File Detected with Malware\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | `aggregate_raw_into_single_value(count, sum, UserId, \"UserId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-5426acf53e36fadc4c5790b0)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | `aggregate_raw_and_compare(count, sum, UserId, \"UserId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-5426acf53e36fadc4c5790b0)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint 
RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | `aggregate_raw_into_entity_time_series(count, UserId, \"UserId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-5426acf53e36fadc4c5790b0)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | `aggregate_raw_into_entity_time_series(count, UserId, \"UserId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-5426acf53e36fadc4c5790b0)`", "search_time_series_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileMalwareDetected \n| table SiteName, SourceFileName\n| eval sourceFile = SiteName.SourceFileName\n| join sourceFile type=left [| search `m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePointFileOperation Operation=FileAccessed | eval sourceFile = SiteName.SourceFileName]\n| table UserId\n| dedup UserId | 
`aggregate_raw_into_limited_entity_time_series(count, UserId, \"UserId\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": null, "threshold_field": "UserId", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Users that Accessed File Detected with Malware", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": 
"15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "A user's client (such as website or mobile app) has signaled that the indicated page has been viewed by the user.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "SiteName", "entity_statop": "count", "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-435aec548549e5e27f75c36c", "kpi_base_search": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": 
"`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-435aec548549e5e27f75c36c, true, true, true)` | eval kpi=\"View signaled by client\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-435aec548549e5e27f75c36c)`", "search_alert": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity(count, Operation, \"SiteName\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(SiteName, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-435aec548549e5e27f75c36c, true, true, true)` | eval kpi=\"View signaled by client\", urgency=\"0\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities\" | 
`assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_single_value(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-435aec548549e5e27f75c36c)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_and_compare(count, sum, Operation, \"SiteName\", 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-435aec548549e5e27f75c36c)`", "search_time_series": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-435aec548549e5e27f75c36c)`", "search_time_series_aggregate": "`m365_cp_default_index` sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_entity_time_series(count, Operation, \"SiteName\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities, da-itsi-cp-m365-435aec548549e5e27f75c36c)`", "search_time_series_entities": "`m365_cp_default_index` 
sourcetype=\"o365:management:activity\" Workload=SharePoint RecordTypeName=SharePoint Operation=\"ClientViewSignaled\"\n| stats count by Operation, SiteName, _time | `aggregate_raw_into_limited_entity_time_series(count, Operation, \"SiteName\", 15)`", "search_type": "adhoc", "service_title": "M365_SharePoint_Online_File and Page activities", "threshold_eval": "", "threshold_field": "Operation", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "View signaled by client", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 0.0, "use_time_policies": false } ], "service_tags": { "tags": [], "template_tags": [] }, "service_template_id": "", "services_depending_on_me": [ { "kpis_depending_on": [ "SHKPI-da-itsi-cp-m365-m365-sharepoint-online-file-and-page-activities" ], "service_id": "da-itsi-cp-m365-m365-sharepoint-online-performance" } ], "services_depends_on": [], "team_id": "default_itsi_security_group", "title": "M365_SharePoint_Online_File and Page activities", "version": "0.0.33" }