DDR Supported Events

When DDR (aka streaming) is enabled and events start coming in from the data source there are two types of events:

Informational

Examples would be Read, View, etc.

No actions are taken when these events are detected.

Modification Events:

These are events that alter the file or the file permissions. Examples would include creating a file or user, changing a file name etc.

When these types of events are detected a scan or rescan of the item will occur so that it can be classified.

AWS IAM

Events that Trigger (Re)Scan:

Create Events:

• CreateUser - A new user account is created.

• CreateGroup - A new user group is created.

• CreateRole - A new role is created with specific permissions.

Update Events:

• UpdateUser - Modifications are made to an existing user.

• UpdateGroup - Changes are made to a group, such as adding or removing members.

• UpdateRole - A role is updated with new permissions or settings.

• AttachUserPolicy - A policy is attached to a user, modifying access rights.

• DetachUserPolicy - A policy is removed from a user, altering permissions.

• PutUserPolicy - A new policy is assigned to a user.

• AttachGroupPolicy - A policy is attached to a group, affecting all its members.

• DetachGroupPolicy - A policy is removed from a group.

• PutGroupPolicy - A policy is assigned to a group.

• AttachRolePolicy - A policy is attached to a role, modifying access rights.

• DetachRolePolicy - A policy is removed from a role.

• PutRolePolicy - A new policy is assigned to a role.

• ChangePassword - A user changes their password.

• AddUserToGroup - A user is added to a group, changing their access permissions.

• RemoveUserFromGroup - A user is removed from a group.

Delete Events:

• DeleteUser - A user account is deleted.

• DeleteGroup - A group is deleted along with its associated permissions.

• DeleteRole - A role is deleted from IAM.

Other Processed Events:

Informational Events:

• ConsoleLogin - A user logs in through the AWS console.

• SignInFailure - A login attempt fails.

• SignInSuccess - A login attempt is successful.

• FederatedLogin - A user logs in via federated authentication.

• SessionStart - A session begins.

• SessionEnd - A session ends.

• GenerateCredentialReport - A report on credentials is generated.

• GetCredentialReport - A credential report is retrieved.

• ListAccessKeys - Access keys for a user are listed.

• ListUserTags - Tags associated with a user are retrieved.

• ListUsers - Users within an AWS account are listed.

• ListGroups - Groups within an AWS account are listed.

• ListRoles - Roles within an AWS account are listed.

• GetUser - Information about a specific user is retrieved.

• GetGroup - Information about a specific group is retrieved.

• GetRole - Information about a specific role is retrieved.

List of Processed AWS S3 Events

Events that Trigger (Re)Scan:

Create Events:

• s3:ObjectCreated: - A new object is uploaded to an S3 bucket.

• s3:ObjectCreated:Post – A new object is uploaded to an S3 bucket by an HTTP POST operation.

• s3:ObjectCreated:CompleteMultipartUpload – An object was created after a multipart upload operation.

• s3:ObjectCreated:Copy – A new object is created by an S3 copy operation.

• s3:ObjectRestore:Completed – An archived object has been fully restored and is now available.

Update Events:

• s3:ObjectRestore:Post – A restore request for an archived object is initiated.

• s3:ObjectRestore:Delete – A restore request for an archived object is deleted.

• s3:ObjectAcl:Put – Access control settings for an object are updated.

• s3:ObjectTagging:Put – Tags for an object are added or modified.

• s3:ObjectTagging:Delete – Tags for an object are removed.

Delete Events:

• s3:ObjectRemoved:Delete – An object is deleted from an S3 bucket.

• s3:ObjectRemoved:DeleteMarkerCreated – A delete marker is created for an object, marking it as deleted.

• s3:LifecycleExpiration:Delete – An object is removed due to lifecycle rules.

• s3:LifecycleExpiration:DeleteMarkerCreated – A delete marker is created due to lifecycle rules.

Other Processed Events:

Informational Events:

• s3:ReducedRedundancyLostObject - An object stored in Reduced Redundancy Storage is lost.

• s3:LifecycleTransition – An object is transitioned to a different storage class based on lifecycle rules.

• s3:Replication:OperationFailedReplication – The replication operation for an object failed.

• s3:Replication:OperationNotTracked – The replication operation for an object is not tracked.

• s3:Replication:OperationMissedThreshold – The replication operation did not meet its threshold requirements.

• s3:Replication:OperationReplicatedAfterThreshold – The replication operation succeeded after surpassing the threshold.

• s3:IntelligentTiering – An object is moved between storage tiers.

Azure Blob

Events that Trigger (Re)Scan:

Create Events:

• Microsoft.Storage.BlobCreated - A new blob is created or content is updated in a storage container.

• Microsoft.Storage.DirectoryCreated - A new directory is created in a storage container.

Update Events:

• Microsoft.Storage.BlobRenamed - A blob is renamed within a container.

• Microsoft.Storage.DirectoryRenamed - A directory is renamed within a container.

Delete Events:

• Microsoft.Storage.BlobDeleted - A blob is deleted from a storage container.

• Microsoft.Storage.DirectoryDeleted - A directory is deleted from a storage container.

Other Processed Events:

• Microsoft.EventGrid.SubscriptionValidationEvent - A subscription validation event.

• Microsoft.Storage.BlobTierChanged - The storage tier of a blob is modified.

• GetBlobServiceProperties - Retrieves properties of the Blob service.

• GetContainerProperties - Retrieves properties of a storage container.

• GetContainerServiceMetadata - Retrieves metadata for a storage container.

• ListContainers - Lists storage containers in an account.

• BlobPreflightRequest - A request to verify blob upload conditions.

• ListBlobs - Lists blobs in a container.

• GetBlobProperties - Retrieves properties of a blob.

• GetBlobMetadata - Retrieves metadata associated with a blob.

• GetBlockList - Retrieves the list of blocks in a blob.

• GetContainerACL - Retrieves the access control list of a container.

• GetContainerMetadata - Retrieves metadata for a container.

• CopyBlob - Copies a blob from one location to another.

• CopyBlobSource - Identifies the source blob for a copy operation.

• CopyBlobDestination - Identifies the destination blob for a copy operation.

• DeleteBlob - Deletes a blob from a container.

• DeleteBlobSnapshot - Deletes a snapshot of a blob.

• DeleteContainer - Deletes a storage container.

• PutBlob - Uploads a new blob to a container.

• PutBlock - Uploads a block for a blob.

• PutBlockList - Commits a set of uploaded blocks as a blob.

• CreateBlobSnapshot - Creates a snapshot of an existing blob.

• CreateBlockBlob - Creates a new block blob.

• CreateContainer - Creates a new storage container.

• SetBlobMetadata - Updates metadata for a blob.

• SetBlobProperties - Updates properties of a blob.

• SetContainerMetadata - Updates metadata for a storage container.

• SetContainerACL - Modifies the access control list of a container.

• AcquireBlobLease - Acquires a lease on a blob.

• ReleaseBlobLease - Releases a lease on a blob.

• RenewBlobLease - Renews a lease on a blob.

• BreakBlobLease - Breaks an active lease on a blob.

• AcquireContainerLease - Acquires a lease on a container.

• BreakContainerLease - Breaks an active lease on a container.

• ChangeBlobLease - Changes an active lease on a blob.

• ChangeContainerLease - Changes an active lease on a container.

• RenewContainerLease - Renews a lease on a container.

• UndeleteBlob - Restores a deleted blob.

List of Processed Azure Files Events

Events that Trigger (Re)Scan:

Create Events:

• CreateFile - A new file is created in an Azure Files share.

• CreateDirectory - A new directory is created in an Azure Files share.

• CopyFile - A file is copied to a new location.

Update Events:

• SetFileProperties - The properties of a file are updated.

• SetFileMetadata - Metadata of a file is updated.

Delete Events:

• DeleteFile - A file is deleted from an Azure Files share.

• DeleteDirectory - A directory is deleted from an Azure Files share.

Other Processed Events:

• ListShares - Lists file shares in an account.

• GetShareProperties - Retrieves properties of a file share.

• GetShareMetadata - Retrieves metadata of a file share.

• GetDirectoryProperties - Retrieves properties of a directory.

• GetFileProperties - Retrieves properties of a file.

• ListDirectoriesAndFiles - Lists directories and files in a share.

• GetFile - Retrieves a file from a share.

• GetFileRangeList - Retrieves the range list of a file.

• GetShareStats - Retrieves statistics for a file share.

• CreateShare - Creates a new file share.

• PutRange - Uploads a range of data to a file.

• SetShareMetadata - Updates metadata for a file share.

• SetShareProperties - Updates properties of a file share.

• SetDirectoryMetadata - Updates metadata of a directory.

• SetDirectoryProperties - Updates properties of a directory.

• ResizeFile - Resizes an existing file.

• SetFileTier - Sets the tier of a file.

• SetShareQuota - Updates the quota of a file share.

• SetShareACL - Updates the access control list of a file share.

• SetDirectoryACL - Updates the access control list of a directory.

• SetFileACL - Updates the access control list of a file.

• DeleteShare - Deletes a file share.

• AcquireShareLease - Acquires a lease on a file share.

• ReleaseShareLease - Releases a lease on a file share.

• RenewShareLease - Renews a lease on a file share.

• BreakShareLease - Breaks an active lease on a file share.

• ChangeShareLease - Changes an active lease on a file share.

• StartCopyFile - Initiates a file copy operation.

• AbortCopyFile - Cancels an ongoing file copy operation.

• CopyFileSource - Specifies the source file in a copy operation.

• CopyFileDestination - Specifies the destination file in a copy operation.

• CreateShareSnapshot - Creates a snapshot of a file share.

• DeleteShareSnapshot - Deletes a snapshot of a file share.

• UndeleteShare - Restores a deleted file share.

• UndeleteFile - Restores a deleted file.

• UndeleteDirectory - Restores a deleted directory.

• RenameFile - Renames a file within a share.

• RenameFileSource - Specifies the source file in a rename operation.

• RenameFileDestination - Specifies the destination file in a rename operation.

• RenameDirectory - Renames a directory within a share.

• RenameDirectorySource - Specifies the source directory in a rename operation.

• RenameDirectoryDestination - Specifies the destination directory in a rename operation.

Box

Events that Trigger (Re)Scan:

Create Events:

• FILE.UPLOADED - A new file is uploaded.

• FOLDER.CREATED - A new folder is created.

• FILE.RESTORED - A previously deleted file is restored.

• FOLDER.RESTORED - A previously deleted folder is restored.

Update Events:

• FILE.MOVED - A file is moved to a new location.

• FILE.RENAMED - A file is renamed.

• FOLDER.RENAMED - A folder is renamed.

• FOLDER.MOVED - A folder is moved to a new location.

• COLLABORATION.CREATED - A collaboration event is created.

• COLLABORATION.REMOVED - A collaboration is removed.

• COLLABORATION.UPDATED - A collaboration is updated.

• SHARED_LINK.CREATED - A shared link is created.

• SHARED_LINK.UPDATED - A shared link is updated.

• SHARED_LINK.DELETED - A shared link is deleted.

Delete Events:

• FILE.TRASHED - A file is moved to the trash.

• FILE.DELETED - A file is permanently deleted.

• FOLDER.TRASHED - A folder is moved to the trash.

• FOLDER.DELETED - A folder is permanently deleted.

Other Processed Events:

• FILE.DOWNLOADED - A file is downloaded.

• FOLDER.DOWNLOADED - A folder is downloaded.

• FILE.COPIED - A file is copied to another location.

• FOLDER.COPIED - A folder is copied to another location.

• FILE.LOCKED - A file is locked for editing.

• FILE.UNLOCKED - A file is unlocked for editing.

• COMMENT.CREATED - A comment is added to a file.

• COMMENT.UPDATED - A comment is updated.

• COMMENT.DELETED - A comment is deleted.

• METADATA_INSTANCE.CREATED - A metadata instance is created.

• METADATA_INSTANCE.UPDATED - A metadata instance is updated.

• METADATA_INSTANCE.DELETED - A metadata instance is deleted.

• TASK_ASSIGNMENT.CREATED - A task is assigned.

• TASK_ASSIGNMENT.UPDATED - A task assignment is updated.

• SIGN_REQUEST.COMPLETED - A signature request is completed.

• SIGN_REQUEST.DECLINED - A signature request is declined.

• SIGN_REQUEST.EXPIRED - A signature request expired.

• SIGN_REQUEST.SIGNER_EMAIL_BOUNCED - A signature request email bounced.

Confluence Cloud

Events that Trigger (Re)Scan:

Create Events:

• page_created - A new page is created in Confluence.

• blogpost_created - A new blog post is created.

• attachment_created - A new attachment is uploaded.

Update Events:

• page_updated - An existing page is modified.

• blogpost_updated - A blog post is updated.

• attachment_updated - An attachment is updated.

Delete Events:

• page_deleted - A page is deleted from Confluence.

• blogpost_deleted - A blog post is deleted.

• attachment_deleted - An attachment is removed.

Other Processed Events:

• All other events are categorized as informational.

Gmail Events

Events that Trigger (Re)Scan:

Create Events:

• MessagesAdded - A new email message is added.

Update Events:

• LabelsAdded - A label is added to an email.

• LabelsRemoved - A label is removed from an email.

Delete Events:

• MessagesDeleted - An email message is deleted.

Google Drive Events

Events that Trigger (Re)Scan:

Create Events:

• create - A new file or folder is created.

• upload - A new file is uploaded.

Update Events:

• edit - A file or folder is modified.

• rename - A file or folder is renamed.

• move - An item is moved to a different location.

Delete Events:

• delete - An item is permanently removed.

• trash - An item is moved to the trash.

Other Processed Events:

• view - A file or folder is viewed.

• download - A file is downloaded.

• preview - A file is previewed.

• print - A file is printed.

• access_item_content - An item’s content is accessed.

• sync - A file or folder is synced.

• request_access - Access to an item is requested.

• approval_requested - An approval request is sent.

• approval_completed - An approval request is completed.

• approval_canceled - An approval request is cancelled.

• approval_comment_added - A comment is added to an approval request.

• approval_due_time_change - The due time for an approval request is changed.

• approval_reviewer_change - The reviewer of an approval request is changed.

• approval_reviewer_responded - A reviewer responds to an approval request.

• deny_access_request - An access request is denied.

• expire_access_request - An access request expires.

• change_owner - The owner of an item is changed.

• change_document_access_scope - The access scope of a document is changed.

• change_document_visibility - The visibility of a document is changed.

• change_acl_editors - The list of editors for a document is modified.

• change_user_access - User access permissions are modified.

• shared_drive_membership_change - Membership in a shared drive is changed.

• shared_drive_settings_change - Shared drive settings are modified.

• apply_security_update - Security updates are applied.

• shared_drive_apply_security_update - A security update is applied to a shared drive.

• shared_drive_remove_security_update - A security update is removed from a shared drive.

• remove_security_update - A security update is removed.

• enable_inherited_permissions - Inherited permissions are enabled.

• disable_inherited_permissions - Inherited permissions are disabled.

Google IAM Events

Events that Trigger (Re)Scan:

Create Events:

• create_group - A new group is created.

• create_user - A new user is created.

Update Events:

• 2sv_disable - Two-step verification is disabled.

• 2sv_enroll - Two-step verification is enrolled.

• password_edit - A user's password is modified.

• recovery_email_edit - A recovery email is changed.

• recovery_phone_edit - A recovery phone number is changed.

• recovery_secret_qa_edit - A recovery question or answer is changed.

• account_disabled_password_leak - A user account is disabled due to a password leak.

• account_disabled_generic - A user account is disabled.

• account_disabled_spamming - A user account is disabled due to spamming.

• account_disabled_spamming_through_relay - A user account is disabled for spamming via relay.

• accept_invitation - A user accepts an invitation.

• add_info_setting - An informational setting is added.

• add_member - A new member is added to a group.

• add_member_role - A role is assigned to a member.

• add_security_setting - A security setting is added.

• add_service_account_permission - A permission is assigned to a service account.

• approve_join_request - A join request is approved.

• ban_member_with_moderation - A member is banned.

• change_info_setting - An informational setting is modified.

• change_security_setting - A security setting is changed.

• change_group_setting - A group setting is modified.

• change_group_name - A group's name is changed.

• change_first_name - A user's first name is changed.

• change_password - A user's password is changed.

• suspend_user - A user is suspended.

• unsuspend_user - A user is unsuspended.

• update_group_settings - A group's settings are updated.

• user_license_assignment - A license is assigned to a user.

• user_license_revoke - A license is revoked from a user.

• add_group_member - A member is added to a group.

• remove_group_member - A member is removed from a group.

• change_user_access - User access permissions are changed.

• change_acl_editors - The list of editors for a document is changed.

Delete Events:

• delete_group - A group is deleted.

• delete_user - A user is deleted.

• archive_user - A user is archived.

• unarchive_user - A user is unarchived.

Other Processed Events:

• login_success - A user successfully logs in.

• login_failure - A login attempt fails.

• login_challenge - A login challenge occurs.

• application_login_failure - An application login fails.

• application_login_success - An application login succeeds.

• alert_center_view - The alert center is accessed.

• request_to_join - A request to join a group is sent.

• request_to_join_via_mail - A request to join a group via email is sent.

• approval_requested - An approval request is made.

• approval_canceled - An approval request is canceled.

• approval_comment_added - A comment is added to an approval request.

• approval_completed - An approval request is completed.

• approval_due_time_change - The due time of an approval request is changed.

• approval_reviewer_change - The reviewer of an approval request is changed.

• approval_reviewer_responded - A reviewer responds to an approval request.

• deny_access_request - An access request is denied.

• expire_access_request - An access request expires.

• shared_drive_membership_change - Membership in a shared drive is changed.

• shared_drive_settings_change - Shared drive settings are changed.

• apply_security_update - A security update is applied.

• remove_security_update - A security update is removed.

• shared_drive_apply_security_update - A security update is applied to a shared drive.

• shared_drive_remove_security_update - A security update is removed from a shared drive.

• suspicious_login - A suspicious login is detected.

• suspicious_login_less_secure_app - A suspicious login from a less secure app is detected.

• suspicious_programmatic_login - A suspicious programmatic login is detected.

• user_signed_out_due_to_suspicious_session_cookie - A user is signed out due to a suspicious session cookie.

OneDrive and SharePoint Online Events

Events that Trigger (Re)Scan:

Create Events:

• FileUploaded - A new file is uploaded.

• FolderCreated - A new folder is created.

• FileRestored - A previously deleted file is restored.

• FolderRestored - A previously deleted folder is restored.

Update Events:

• FileModified - A file is modified.

• FileMoved - A file is moved to a new location.

• FileRenamed - A file is renamed.

• FolderModified - A folder is modified.

• FolderMoved - A folder is moved to a new location.

• FolderRenamed - A folder is renamed.

• FileSensitivityLabelChanged - A file's sensitivity label is modified.

• FileSensitivityLabelApplied - A sensitivity label is applied to a file.

• SharingSet - Sharing permissions are updated.

• UserAddedToGroup - A user is added to a group.

Delete Events:

• FileDeleted - A file is permanently deleted.

• FolderDeleted - A folder is permanently deleted.

• FileRecycled - A file is moved to the recycle bin.

• FolderRecycled - A folder is moved to the recycle bin.

• SiteDeleted - A SharePoint site is deleted.

• GroupRemoved - A group is removed.

Other Processed Events:

• FileAccessed - A file is accessed.

• FileDownloaded - A file is downloaded.

• FilePreviewed - A file is previewed.

• FolderCopied - A folder is copied.

• FileCopied - A file is copied.

• SharedLinkCreated - A shared link is created.

• SharedLinkDisabled - A shared link is disabled.

• SharingInvitationAccepted - A sharing invitation is accepted.

• SharingRevoked - A sharing invitation is revoked.

• AnonymousLinkCreated - An anonymous link is created.

• SecureLinkCreated - A secure link is created.

• SecureLinkUpdated - A secure link is updated.

• SecureLinkDeleted - A secure link is deleted.

• AccessInvitationAccepted - An access invitation is accepted.

• AccessInvitationRevoked - An access invitation is revoked.

• AccessRequestApproved - An access request is approved.

• AccessRequestRejected - An access request is rejected.

• FileCheckOutDiscarded - A file checkout is discarded.

• FileCheckedIn - A file is checked in.

• FileCheckedOut - A file is checked out.

• SharingInheritanceBroken - Sharing inheritance is broken.

• AddedToSecureLink - A user is added to a secure link.

• RemovedFromSecureLink - A user is removed from a secure link.

• SiteCollectionCreated - A new SharePoint site collection is created.