Decoding the results of Reporting CSP

  • Question

  • Hi,

    I am using the Reporting CSP to fetch WIP audit logs i.e. compliance violations. Below is the SyncML I get when queried using the Reporting CSP.

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <SyncML xmlns="SYNCML:SYNCML1.2">
      <SyncHdr>
        <VerDTD>1.2</VerDTD>
        <VerProto>DM/1.2</VerProto>
        <SessionID>C</SessionID>
        <MsgID>2</MsgID>
        <Target>
          <LocURI>https://dhruvesh.agreeyamobility.net/api/v1/oma-dm/rs/syncml</LocURI>
        </Target>
        <Source>
          <LocURI>urn:uuid:CE10BE4B-C289-5900-94FD-30ADE423E7B7</LocURI>
        </Source>
      </SyncHdr>
      <SyncBody>
        <Status>
          <CmdID>1</CmdID>
          <MsgRef>1</MsgRef>
          <CmdRef>0</CmdRef>
          <Cmd>SyncHdr</Cmd>
          <Chal>
            <Meta>
              <Format xmlns="syncml:metinf">b64</Format>
              <Type xmlns="syncml:metinf">syncml:auth-md5</Type>
              <NextNonce xmlns="syncml:metinf">x3sgkvtRqmaRRVYQHqlbkjsHINUTDxbVT4EeScbzlrA=</NextNonce>
            </Meta>
          </Chal>
          <Data>200</Data>
        </Status>
        <Status>
          <CmdID>2</CmdID>
          <MsgRef>1</MsgRef>
          <CmdRef>5</CmdRef>
          <Cmd>Get</Cmd>
          <Data>200</Data>
        </Status>
        <Results>
          <CmdID>3</CmdID>
          <MsgRef>1</MsgRef>
          <CmdRef>5</CmdRef>
          <Item>
            <Source>
              <LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI>
            </Source>
            <Meta>
              <Format xmlns="syncml:metinf">xml</Format>
            </Meta>
            <Data>&lt;?xml version="1.0" encoding="utf-8"?&gt;
    &lt;Reporting Version="com.microsoft/2.0/MDM/Reporting"&gt;
      &lt;User UserID="S-1-5-21-2702878673-795188819-444038987-2781" EnterpriseID="mobiliya.com"&gt;
        &lt;Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131273136092941333"&gt;
          &lt;Policy&gt;NULL&lt;/Policy&gt;
          &lt;Justification&gt;&lt;/Justification&gt;
          &lt;Object&gt;Unknown Data&lt;/Object&gt;
          &lt;Action&gt;4&lt;/Action&gt;
          &lt;SourceName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX&lt;/SourceName&gt;
          &lt;DestinationEnterpriseID&gt;&lt;/DestinationEnterpriseID&gt;
          &lt;DestinationName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX&lt;/DestinationName&gt;
          &lt;Application&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX&lt;/Application&gt;
        &lt;/Log&gt;
        &lt;Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131273136381872521"&gt;
          &lt;Policy&gt;NULL&lt;/Policy&gt;
          &lt;Justification&gt;&lt;/Justification&gt;
          &lt;Object&gt;Unknown Data&lt;/Object&gt;
          &lt;Action&gt;4&lt;/Action&gt;
          &lt;SourceName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.ONENOTE\APPX&lt;/SourceName&gt;
          &lt;DestinationEnterpriseID&gt;&lt;/DestinationEnterpriseID&gt;
          &lt;DestinationName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.ONENOTE\APPX&lt;/DestinationName&gt;
          &lt;Application&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.ONENOTE\APPX&lt;/Application&gt;
        &lt;/Log&gt;
        &lt;Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131273136883809772"&gt;
          &lt;Policy&gt;NULL&lt;/Policy&gt;
          &lt;Justification&gt;&lt;/Justification&gt;
          &lt;Object&gt;Unknown Data&lt;/Object&gt;
          &lt;Action&gt;4&lt;/Action&gt;
          &lt;SourceName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.EXCEL\APPX&lt;/SourceName&gt;
          &lt;DestinationEnterpriseID&gt;&lt;/DestinationEnterpriseID&gt;
          &lt;DestinationName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.EXCEL\APPX&lt;/DestinationName&gt;
          &lt;Application&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.EXCEL\APPX&lt;/Application&gt;
        &lt;/Log&gt;
        &lt;Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131273144982094289"&gt;
          &lt;Policy&gt;NULL&lt;/Policy&gt;
          &lt;Justification&gt;&lt;/Justification&gt;
          &lt;Object&gt;Unknown Data&lt;/Object&gt;
          &lt;Action&gt;4&lt;/Action&gt;
          &lt;SourceName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.POWERPOINT\APPX&lt;/SourceName&gt;
          &lt;DestinationEnterpriseID&gt;&lt;/DestinationEnterpriseID&gt;
          &lt;DestinationName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.POWERPOINT\APPX&lt;/DestinationName&gt;
          &lt;Application&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.POWERPOINT\APPX&lt;/Application&gt;
        &lt;/Log&gt;
      &lt;/User&gt;
    &lt;/Reporting&gt;</Data>
          </Item>
        </Results>
        <Final/>
      </SyncBody>
    </SyncML>

    I understand that these violations are created for various use cases, but I was unable to find any Microsoft documentation which provides details on the output received and what the meaning of the various fields is. Can someone point me in the right direction?

    Following are the various types of sub-logs I see:

    <Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131303395776161119">
        <Policy>Protection removed</Policy>
        <Justification>NULL</Justification>
        <FilePath>C:\Data\Users\Public\Documents\test.txt</FilePath>
    </Log>
    
    ----------------------------------------------
    
    <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131303377706083723">
        <Policy>CopyPaste</Policy>
        <Justification>NULL</Justification>
        <SourceApplicationName>8WEKYB3D8BBWE\MICROSOFT.MICROSOFTEDGE\APPX</SourceApplicationName>
        <DestinationEnterpriseID>NULL</DestinationEnterpriseID>
        <DestinationApplicationName>8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX</DestinationApplicationName>
        <DataInfo>Text</DataInfo>
    </Log>
    
    ----------------------------------------------
    
    <Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131273136092941333">
          <Policy>NULL</Policy>
          <Justification></Justification>
          <Object>Unknown Data</Object>
          <Action>4</Action>
          <SourceName>8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX</SourceName>
          <DestinationEnterpriseID></DestinationEnterpriseID>
          <DestinationName>8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX</DestinationName>
          <Application>8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX</Application>
    </Log>

    Is there any documentation which explains the output of the Reporting CSP with details on triggering scenarios and the meaning of the various child nodes?

    Thanks

    - Dhruvesh


    Monday, February 13, 2017 12:48 PM
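What the question shows is a nested document: the SyncML `Results` item for the `./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs` node carries, inside `<Data>`, an XML-escaped `Reporting` document whose `Log` children change shape with `LogType` (`ProtectionRemoved`, `DataCopied`, `ApplicationGenerated`). The following decoder is an added example, not code from the poster or from Microsoft. It parses the outer SyncML, parses the unescaped payload a second time, normalises the two "no value" spellings the CSP uses (an empty element and the literal string `NULL`), and keeps the per-type children as a generic map. Two things are assumptions: the sample response embedded below is constructed from the question's structure (placeholder SID and enterprise ID), and `TimeStamp` is treated as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), which is consistent with the dates the sample values decode to (December 2016 and January 2017) but is not confirmed by the question.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SYNCML_NS = "{SYNCML:SYNCML1.2}"
METINF_NS = "{syncml:metinf}"
# LocURI of the Reporting CSP node from the question; only Results for it are decoded.
WIP_LOGS_URI = "./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs"

# Constructed sample (not captured from a device): a trimmed SyncML response in the
# shape shown in the question, with one Log of each LogType listed there. The inner
# Reporting document is XML-escaped inside <Data>, as it is on the wire.
SAMPLE_SYNCML = r"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>C</SessionID><MsgID>2</MsgID></SyncHdr>
  <SyncBody>
    <Results>
      <CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>5</CmdRef>
      <Item>
        <Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source>
        <Meta><Format xmlns="syncml:metinf">xml</Format></Meta>
        <Data>&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;Reporting Version="com.microsoft/2.0/MDM/Reporting"&gt;
  &lt;User UserID="S-1-5-21-0-0-0-1001" EnterpriseID="example.com"&gt;
    &lt;Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131303395776161119"&gt;
      &lt;Policy&gt;Protection removed&lt;/Policy&gt;
      &lt;Justification&gt;NULL&lt;/Justification&gt;
      &lt;FilePath&gt;C:\Data\Users\Public\Documents\test.txt&lt;/FilePath&gt;
    &lt;/Log&gt;
    &lt;Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131303377706083723"&gt;
      &lt;Policy&gt;CopyPaste&lt;/Policy&gt;
      &lt;Justification&gt;NULL&lt;/Justification&gt;
      &lt;SourceApplicationName&gt;8WEKYB3D8BBWE\MICROSOFT.MICROSOFTEDGE\APPX&lt;/SourceApplicationName&gt;
      &lt;DestinationEnterpriseID&gt;NULL&lt;/DestinationEnterpriseID&gt;
      &lt;DestinationApplicationName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX&lt;/DestinationApplicationName&gt;
      &lt;DataInfo&gt;Text&lt;/DataInfo&gt;
    &lt;/Log&gt;
    &lt;Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131273136092941333"&gt;
      &lt;Policy&gt;NULL&lt;/Policy&gt;
      &lt;Justification&gt;&lt;/Justification&gt;
      &lt;Object&gt;Unknown Data&lt;/Object&gt;
      &lt;Action&gt;4&lt;/Action&gt;
      &lt;SourceName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX&lt;/SourceName&gt;
      &lt;DestinationEnterpriseID&gt;&lt;/DestinationEnterpriseID&gt;
      &lt;DestinationName&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX&lt;/DestinationName&gt;
      &lt;Application&gt;8WEKYB3D8BBWE\MICROSOFT.OFFICE.WORD\APPX&lt;/Application&gt;
    &lt;/Log&gt;
  &lt;/User&gt;
&lt;/Reporting&gt;</Data>
      </Item>
    </Results>
    <Final/>
  </SyncBody>
</SyncML>
"""


def filetime_to_datetime(ticks: int) -> datetime:
    """Assumption: TimeStamp is a Windows FILETIME, 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def _field(log: ET.Element, name: str):
    """Child text, with both 'no value' spellings (empty element, literal NULL) mapped to None."""
    text = log.findtext(name)
    if text is None or text.strip() in ("", "NULL"):
        return None
    return text.strip()


def parse_reporting_logs(syncml: str) -> list:
    """Decode every EDPAudit Log carried in the Results for the WIP logs node."""
    root = ET.fromstring(syncml.encode("utf-8"))
    records = []
    for item in root.iter(SYNCML_NS + "Item"):
        uri = item.findtext(f"{SYNCML_NS}Source/{SYNCML_NS}LocURI")
        fmt = item.findtext(f"{SYNCML_NS}Meta/{METINF_NS}Format")
        data = item.findtext(SYNCML_NS + "Data")
        if uri != WIP_LOGS_URI or fmt != "xml" or not data:
            continue
        # ElementTree has already turned &lt;/&gt; back into markup; the payload is a
        # complete XML document of its own, so it is parsed a second time.
        reporting = ET.fromstring(data.strip().encode("utf-8"))
        for user in reporting.iter("User"):
            for log in user.findall("Log"):
                records.append({
                    "user_sid": user.get("UserID"),
                    "enterprise_id": user.get("EnterpriseID"),
                    "provider": log.get("ProviderType"),
                    "log_type": log.get("LogType"),
                    "timestamp": filetime_to_datetime(int(log.get("TimeStamp"))),
                    # Child elements differ per LogType, so keep them as a generic map.
                    "fields": {child.tag: _field(log, child.tag) for child in log},
                })
    return records


def summarize_by_type(records: list) -> dict:
    """Count logs per LogType: a first triage view before alerting on particular types."""
    counts = {}
    for rec in records:
        counts[rec["log_type"]] = counts.get(rec["log_type"], 0) + 1
    return counts


if __name__ == "__main__":
    decoded = parse_reporting_logs(SAMPLE_SYNCML)
    for rec in decoded:
        print(rec["timestamp"].isoformat(), rec["log_type"], rec["fields"])
    print(summarize_by_type(decoded))
```

Filtering on the `LocURI` and on `Format` equal to `xml` before the second parse matters in practice: a single SyncML message can carry Results for several nodes, and only this node's payload is a Reporting document. Keeping the `Log` children as a map rather than fixed attributes is what lets the same decoder handle the three shapes in the question, as well as types the question does not list; an ingestion pipeline can then branch on `log_type` and reject records whose expected keys (for example `FilePath` for `ProtectionRemoved`) are missing.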

Answers