Created
December 8, 2022 05:15
-
-
Save shaeqahmed/545b885c36a8e4d21db46cd6806ab1d8 to your computer and use it in GitHub Desktop.
o365 parser
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .event.kind = "event" | |
| .event.type = ["info"] | |
| .event.category = ["web"] | |
| .o365.audit = object!(del(.json.o365audit)) | |
| if .o365.audit.CreationTime != null { | |
| creation_time, err = split(string!(.o365.audit.CreationTime), "Z")[0] + "Z" | |
| .ts = to_timestamp!(creation_time) | |
| } | |
| .event.id = del(.o365.audit.Id) | |
| .user.id = to_string(.o365.audit.UserId) ?? null | |
| .event.provider = del(.o365.audit.Workload) | |
| .event.action = del(.o365.audit.Operation) | |
| .organization.id = del(.o365.audit.OrganizationId) | |
| .user_agent.original = .o365.audit.UserAgent | |
| id_to_schema = { | |
| "1": "ExchangeAdmin", | |
| "2": "ExchangeItem", | |
| "3": "ExchangeItemGroup", | |
| "4": "SharePoint", | |
| "6": "SharePointFileOperation", | |
| "7": "OneDrive", | |
| "8": "AzureActiveDirectory", | |
| "9": "AzureActiveDirectoryAccountLogon", | |
| "10": "DataCenterSecurityCmdlet", | |
| "11": "ComplianceDLPSharePoint", | |
| "12": "Sway", | |
| "13": "ComplianceDLPExchange", | |
| "14": "SharePointSharingOperation", | |
| "15": "AzureActiveDirectoryStsLogon", | |
| "16": "SkypeForBusinessPSTNUsage", | |
| "17": "SkypeForBusinessUsersBlocked", | |
| "18": "SecurityComplianceCenterEOPCmdlet", | |
| "19": "ExchangeAggregatedOperation", | |
| "20": "PowerBIAudit", | |
| "21": "CRM", | |
| "22": "Yammer", | |
| "23": "SkypeForBusinessCmdlets", | |
| "24": "Discovery", | |
| "25": "MicrosoftTeams", | |
| "28": "ThreatIntelligence", | |
| "29": "MailSubmission", | |
| "30": "MicrosoftFlow", | |
| "31": "AeD", | |
| "32": "MicrosoftStream", | |
| "33": "ComplianceDLPSharePointClassification", | |
| "34": "ThreatFinder", | |
| "35": "Project", | |
| "36": "SharePointListOperation", | |
| "37": "SharePointCommentOperation", | |
| "38": "DataGovernance", | |
| "39": "Kaizala", | |
| "40": "SecurityComplianceAlerts", | |
| "41": "ThreatIntelligenceUrl", | |
| "42": "SecurityComplianceInsights", | |
| "43": "MIPLabel", | |
| "44": "WorkplaceAnalytics", | |
| "45": "PowerAppsApp", | |
| "46": "PowerAppsPlan", | |
| "47": "ThreatIntelligenceAtpContent", | |
| "48": "LabelContentExplorer", | |
| "49": "TeamsHealthcare", | |
| "50": "ExchangeItemAggregated", | |
| "51": "HygieneEvent", | |
| "52": "DataInsightsRestApiAudit", | |
| "53": "InformationBarrierPolicyApplication", | |
| "54": "SharePointListItemOperation", | |
| "55": "SharePointContentTypeOperation", | |
| "56": "SharePointFieldOperation", | |
| "57": "MicrosoftTeamsAdmin", | |
| "58": "HRSignal", | |
| "59": "MicrosoftTeamsDevice", | |
| "60": "MicrosoftTeamsAnalytics", | |
| "61": "InformationWorkerProtection", | |
| "62": "Campaign", | |
| "63": "DLPEndpoint", | |
| "64": "AirInvestigation", | |
| "65": "Quarantine", | |
| "66": "MicrosoftForms", | |
| "67": "ApplicationAudit", | |
| "68": "ComplianceSupervisionExchange", | |
| "69": "CustomerKeyServiceEncryption", | |
| "70": "OfficeNative", | |
| "71": "MipAutoLabelSharePointItem", | |
| "72": "MipAutoLabelSharePointPolicyLocation", | |
| "73": "MicrosoftTeamsShifts", | |
| "75": "MipAutoLabelExchangeItem", | |
| "76": "CortanaBriefing", | |
| "78": "WDATPAlerts", | |
| "82": "SensitivityLabelPolicyMatch", | |
| "83": "SensitivityLabelAction", | |
| "84": "SensitivityLabeledFileAction", | |
| "85": "AttackSim", | |
| "86": "AirManualInvestigation", | |
| "87": "SecurityComplianceRBAC", | |
| "88": "UserTraining", | |
| "89": "AirAdminActionInvestigation", | |
| "90": "MSTIC", | |
| "91": "PhysicalBadgingSignal", | |
| "93": "AipDiscover", | |
| "94": "AipSensitivityLabelAction", | |
| "95": "AipProtectionAction", | |
| "96": "AipFileDeleted", | |
| "97": "AipHeartBeat", | |
| "98": "MCASAlerts", | |
| "99": "OnPremisesFileShareScannerDlp", | |
| "100": "OnPremisesSharePointScannerDlp", | |
| "101": "ExchangeSearch", | |
| "102": "SharePointSearch", | |
| "103": "PrivacyInsights", | |
| "105": "MyAnalyticsSettings", | |
| "106": "SecurityComplianceUserChange", | |
| "107": "ComplianceDLPExchangeClassification", | |
| "109": "MipExactDataMatch", | |
| "113": "MS365DCustomDetection", | |
| "147": "CoreReportingSettings", | |
| "148": "ComplianceConnector", | |
| "174": "DataShareOperation", | |
| "181": "EduDataLakeDownloadOperation", | |
| } | |
| if .o365.audit.RecordType != null { | |
| schema_id = to_string!(.o365.audit.RecordType) | |
| .event.code = get(id_to_schema, [schema_id]) ?? null | |
| } | |
| if .o365.audit.ResultStatus != null { | |
| result_status = downcase!(.o365.audit.ResultStatus) | |
| if ( | |
| "succeeded" == result_status || "success" == result_status || "partiallysucceeded" == result_status || "true" == result_status | |
| ) { | |
| .event.outcome = "success" | |
| } | |
| if ( | |
| "failed" == result_status || "false" == result_status | |
| ) { | |
| .event.outcome = "failure" | |
| } | |
| } | |
| if .event.outcome == null { | |
| .event.outcome = "success" | |
| } | |
| if .o365.audit.Parameters != null { | |
| if is_array(.o365.audit.Parameters) { | |
| params_arr = array!(del(.o365.audit.Parameters)) | |
| .o365.audit.Parameters = {} | |
| for_each(params_arr) -> |_i, r| { | |
| if r.Value != null { | |
| .o365.audit.Parameters = set!(.o365.audit.Parameters, [r.Name], r.Value) | |
| } | |
| } | |
| } else if is_string(.o365.audit.Parameters) { | |
| .o365.audit.RawParameters = del(.o365.audit.Parameters) | |
| } | |
| } | |
| if .o365.audit.ExtendedProperties != null { | |
| if is_array(.o365.audit.ExtendedProperties) { | |
| params_arr = array!(del(.o365.audit.ExtendedProperties)) | |
| .o365.audit.ExtendedProperties = {} | |
| for_each(params_arr) -> |_i, r| { | |
| if r.Value != null { | |
| name = r.Name | |
| .o365.audit.ExtendedProperties = set!(.o365.audit.ExtendedProperties, [name], r.Value) | |
| } | |
| } | |
| } else if is_string(.o365.audit.ExtendedProperties) { | |
| .o365.audit.RawExtendedProperties = del(.o365.audit.ExtendedProperties) | |
| } | |
| } | |
| if .o365.audit.ModifiedProperties != null { | |
| if is_array(.o365.audit.ModifiedProperties) { | |
| params_arr = array!(del(.o365.audit.ModifiedProperties)) | |
| .o365.audit.ModifiedProperties = {} | |
| for_each(params_arr) -> |_i, r| { | |
| if is_object(r) && r.OldValue != null && r.NewValue != null { | |
| name = replace!(r.Name, r'(\.| )', "_") | |
| .o365.audit.ModifiedProperties = set!(.o365.audit.ModifiedProperties, [name, "OldValue"], r.OldValue) | |
| .o365.audit.ModifiedProperties = set!(.o365.audit.ModifiedProperties, [name, "NewValue"], r.NewValue) | |
| } else if is_string(r) { | |
| name = replace!(r, r'(\.| )', "_") | |
| .o365.audit.ModifiedProperties = set!(.o365.audit.ModifiedProperties, [name], {}) | |
| } | |
| } | |
| if is_empty(.o365.audit.ModifiedProperties) { | |
| .o365.audit.ModifiedProperties = null | |
| } | |
| } else if is_string(.o365.audit.ModifiedProperties) { | |
| .o365.audit.RawModifiedProperties = del(.o365.audit.ModifiedProperties) | |
| } | |
| } | |
| if is_array(.o365.audit.AlertLinks) { | |
| .o365.audit.AlertLinks = map_values(array!(.o365.audit.AlertLinks)) -> |v| { | |
| if is_object(v) { | |
| string(v.AlertLinkHref) ?? null | |
| } else { | |
| null | |
| } | |
| } | |
| .o365.audit.AlertLinks = filter(.o365.audit.AlertLinks) -> |_, v| { v != null } | |
| } | |
| if .o365.audit.Severity == "informational" { | |
| .event.severity = "1" | |
| } else if .o365.audit.Severity == "low" { | |
| .event.severity = "2" | |
| } else if .o365.audit.Severity == "medium" { | |
| .event.severity = "3" | |
| } else if .o365.audit.Severity == "high" { | |
| .event.severity = "4" | |
| } | |
| if .event.code == "ExchangeAdmin" { | |
| .organization.name = del(.o365.audit.OrganizationName) | |
| } | |
| client_temp = del(.o365.audit.ClientIPAddress) || del(.o365.audit.ClientIP) || del(.o365.audit.ActorIpAddress) | |
| if .event.code == "ExchangeItem" { | |
| .user.email = del(.o365.audit.MailboxOwnerUPN) | |
| if .user.id == null && .o365.audit.LogonUserSid != null { | |
| .user.id = to_string(.o365.audit.LogonUserSid) ?? null | |
| } | |
| .user.full_name = .o365.audit.LogonUserDisplayName | |
| .organization.name = del(.o365.audit.OrganizationName) || .organization.name | |
| .process.name = .o365.audit.ClientProcessName | |
| } else if .event.code == "AzureActiveDirectory" { | |
| .user.target.id = .o365.audit.ObjectId | |
| if .event.action == "Add user." { | |
| .event.action = "added-user-account" | |
| .event.category = push(.event.category, "iam") | |
| .event.type = push(.event.type, "user") | |
| .event.type = push(.event.type, "creation") | |
| } else if .event.action == "Update user." { | |
| .event.action = "modified-user-account" | |
| .event.category = push(.event.category, "iam") | |
| .event.type = push(.event.type, "user") | |
| .event.type = push(.event.type, "change") | |
| } else if .event.action == "Delete user." { | |
| .event.action = "deleted-user-account" | |
| .event.category = push(.event.category, "iam") | |
| .event.type = push(.event.type, "user") | |
| .event.type = push(.event.type, "deletion") | |
| } | |
| } else if .event.code == "AzureActiveDirectoryStsLogon" { | |
| .event.category = push(.event.category, "authentication") | |
| .event.type = push(.event.type, "start") | |
| .event.type = push(.event.type, "access") | |
| } else if .event.code == "SharePointFileOperation" { | |
| .url.original = del(.o365.audit.ObjectId) | |
| .file.directory = del(.o365.audit.SourceRelativeUrl) | |
| .file.name = del(.o365.audit.SourceFileName) | |
| .file.extension = del(.o365.audit.SourceFileExtension) | |
| } | |
| if .event.action != null && ("FileAccessed" == .event.action || "FileDeleted" == .event.action || "FileDownloaded" == .event.action || "FileModified" == .event.action || "FileMoved" == .event.action || "FileRenamed" == .event.action || "FileRestored" == .event.action || "FileUploaded" == .event.action || "FolderCopied" == .event.action || "FolderCreated" == .event.action || "FolderDeleted" == .event.action || "FolderModified" == .event.action || "FolderMoved" == .event.action || "FolderRenamed" == .event.action || "FolderRestored" == .event.action) { | |
| .event.category = push(.event.category, "file") | |
| } | |
| if .event.action == "ComplianceSettingChanged" { | |
| .event.category = push(.event.category, "configuration") | |
| } | |
| if "FileAccessed" == .event.action || "FileDownloaded" == .event.action { | |
| .event.type = push(.event.type, "access") | |
| } | |
| if ( | |
| "ComplianceSettingChanged" == .event.action || "FileModified" == .event.action || "FileMoved" == .event.action || "FileRenamed" == .event.action || "FileRestored" == .event.action || "FolderModified" == .event.action || "FolderMoved" == .event.action || "FolderRenamed" == .event.action || "FolderRestored" == .event.action | |
| ) { | |
| .event.type = push(.event.type, "change") | |
| } | |
| if "FileDeleted" == .event.action || "FolderDeleted" == .event.action { | |
| .event.type = push(.event.type, "deletion") | |
| } | |
| if ( | |
| "FileUploaded" == .event.action || "FolderCopied" == .event.action || "FolderCreated" == .event.action | |
| ) { | |
| .event.type = push(.event.type, "creation") | |
| } | |
| if .event.code == "SecurityComplianceAlerts" { | |
| .message = del(.o365.audit.Comments) | |
| .rule.name = del(.o365.audit.Name) | |
| .rule.id = del(.o365.audit.PolicyId) | |
| .rule.category = .o365.audit.Category | |
| .rule.ruleset = del(.o365.audit.EntityType) | |
| .rule.description = .o365.audit.AlertEntityId | |
| .rule.reference = join!(.o365.audit.AlertLinks, ", ") | |
| .event.kind = "alert" | |
| if .o365.audit.Category == "AccessGovernance" { | |
| .event.category = push(.event.category, "authentication") | |
| } else if ( | |
| .o365.audit.Category == "DataGovernance" || .o365.audit.Category == "DataLossPrevention" | |
| ) { | |
| .event.category = push(.event.category, "file") | |
| } else if .o365.audit.Category == "ThreatManagement" { | |
| .event.category = push(.event.category, "malware") | |
| } else { | |
| .event.category = push(.event.category, "authentication") | |
| } | |
| if .user.id == null && .rule.ruleset == "User" { | |
| .user.id = to_string(.o365.audit.AlertEntityId) ?? null | |
| } | |
| if "Recipients" == .rule.ruleset || "Sender" == .rule.ruleset { | |
| .user.email = .o365.audit.AlertEntityId || .user.email | |
| } else if .rule.ruleset == "MalwareFamily" { | |
| .threat.technique.id = [.o365.audit.AlertEntityId] | |
| } | |
| del(.o365.audit.AlertEntityId) | |
| del(.o365.audit.AlertLinks) | |
| del(.o365.audit.Category) | |
| } | |
| if ( | |
| "ComplianceDLPSharePoint" == .event.code || "ComplianceDLPExchange" == .event.code | |
| ) { | |
| .event.kind = "alert" | |
| .event.category = push(.event.category, "file") | |
| .event.type = push(.event.type, "access") | |
| if .user.id == null { | |
| .user.id = del(.o365.audit.SharePointMetaData.From) | |
| } | |
| .file.name = del(.o365.audit.SharePointMetaData.FileName) || .file.name | |
| .url.original = del(.o365.audit.SharePointMetaData.FilePathUrl) || .url.original | |
| .file.inode = del(.o365.audit.SharePointMetaData.UniqueId) || del(.o365.audit.SharePointMetaData.UniqueID) || .file.inode | |
| .file.owner = del(.o365.audit.SharePointMetaData.FileOwner) | |
| .source.user.email = del(.o365.audit.ExchangeMetaData.From) | |
| .message = del(.o365.audit.ExchangeMetaData.Subject) || .message | |
| .rule.id = del(.o365.audit.PolicyId) || .rule.id | |
| .rule.name = del(.o365.audit.PolicyName) || .rule.name | |
| if .o365.audit.SharePointMetaData.LastModifiedTime != null { | |
| last_modified_time, err = split(string!(.o365.audit.SharePointMetaData.LastModifiedTime), "Z")[0] + "Z" | |
| .file.mtime = to_timestamp!(last_modified_time) | |
| } | |
| if .o365.audit.ExchangeMetaData != null { | |
| to_emails = .o365.audit.ExchangeMetaData.To | |
| to_emails = if to_emails == null { [] } else if is_array(to_emails) { to_emails } else { [ to_emails ] } | |
| cc_emails = .o365.audit.ExchangeMetaData.CC | |
| cc_emails = if cc_emails == null { [] } else if is_array(cc_emails) { cc_emails } else { [ cc_emails ] } | |
| bcc_emails = .o365.audit.ExchangeMetaData.BCC | |
| bcc_emails = if bcc_emails == null { [] } else if is_array(bcc_emails) { bcc_emails } else { [ bcc_emails ] } | |
| .destination.user.email = flatten([array!(to_emails), array!(cc_emails), array!(bcc_emails)]) | |
| # TODO(shaeq): ECS should define destination.user.email as array, but it doesnt. | |
| # we should de something about this rather than use , string join's as this will make indicator lookups difficult. | |
| .destination.user.email = join!(.destination.user.email, ", ") | |
| } | |
| if is_string(.o365.audit.ExceptionInfo) { | |
| .o365.audit.ExceptionInfo.Reason = del(.o365.audit.ExceptionInfo) | |
| } | |
| if .o365.audit.PolicyDetails != null { | |
| severity_to_code = { | |
| "informational": 1, | |
| "low": 2, | |
| "medium": 3, | |
| "high": 4, | |
| } | |
| rule_ids = [] | |
| rule_names = [] | |
| allowed = true | |
| max_sev_code = 0 | |
| if is_array(.o365.audit.PolicyDetails) { | |
| for_each(array!(.o365.audit.PolicyDetails)) -> |_i, d| { | |
| rules = array!(d.Rules || []) | |
| for_each(rules) -> |_i, r| { | |
| sev = downcase!(r.Severity) | |
| sev_code = int!(get(severity_to_code, [sev]) ?? 0) | |
| if r.RuleId != null && r.RuleName != null { | |
| rule_ids = push(rule_ids, r.RuleId) | |
| rule_names = push(rule_names, r.RuleName) | |
| } | |
| if sev_code > max_sev_code { | |
| max_sev_code = sev_code | |
| } | |
| if allowed && r.Actions != null { | |
| for_each(array!(r.Actions)) -> |_i, v| { | |
| if v == "BlockAccess" { | |
| allowed = false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| .rule.id = if is_empty(rule_ids) { null } else { join!(rule_ids, ", ") } # TODO(shaeq): fix this respect ECS | |
| .rule.name = if is_empty(rule_names) { null } else { join!(rule_names, ", ") } # TODO(shaeq): fix this respect ECS | |
| if (max_sev_code > -1) { | |
| .event.severity = max_sev_code | |
| } | |
| if allowed { | |
| .event.outcome = "success" | |
| } else if .event.action == "DlpRuleUndo" { | |
| .event.outcome = "success" | |
| } else if .event.action == "DlpInfo" { | |
| .event.outcome = "failure" | |
| } else if .o365.audit.ExceptionInfo != null && !is_empty!(.o365.audit.ExceptionInfo) { | |
| .event.outcome = "success" | |
| } else { | |
| .event.outcome = "failure" | |
| } | |
| } | |
| } | |
| } | |
| if .event.code == "Yammer" { | |
| .user.email = del(.o365.audit.ActorUserId) || .user.email | |
| .user.id = .user.id || to_string(.o365.audit.ActorYammerUserId) ?? null | |
| .file.inode = del(.o365.audit.FileId) || .file.inode | |
| .file.name = del(.o365.audit.FileName) || .file.name | |
| .group.name = del(.o365.audit.GroupName) | |
| .destination.user.email = del(.o365.audit.TargetUserId) | |
| .destination.user.id = del(.o365.audit.TargetYammerUserId) | |
| if ( | |
| "NetworkConfigurationUpdated" == .event.action || "NetworkSecurityConfigurationUpdated" == .event.action || "SoftDeleteSettingsUpdated" == .event.action || "ProcessProfileFields" == .event.action || "SupervisorAdminToggled" == .event.action | |
| ) { | |
| .event.category = push(.event.category, "configuration") | |
| .event.type = push(.event.type, "change") | |
| if "NetworkSecurityConfigurationUpdated" == .event.action { | |
| .event.type = push(.event.type, "admin") | |
| } | |
| } else if ( | |
| "NetworkSecurityConfigurationUpdated" == .event.action || "GroupCreation" == .event.action || "GroupDeletion" == .event.action || "NetworkUserSuspended" == .event.action || "UserSuspension" == .event.action | |
| ) { | |
| .event.category = push(.event.category, "iam") | |
| } else if ( | |
| "FileCreated" == .event.action || "FileDownloaded" == .event.action || "FileShared" == .event.action || "FileUpdateDescription" == .event.action || "FileUpdateName" == .event.action || "FileVisited" == .event.action | |
| ) { | |
| .event.category = push(.event.category, "file") | |
| } | |
| if ( | |
| "FileCreated" == .event.action || "GroupCreation" == .event.action || "FileUpdateName" == .event.action | |
| ) { | |
| .event.type = push(.event.type, "creation") | |
| } else if .event.action == "GroupDeletion" { | |
| .event.type = push(.event.type, "deletion") | |
| } else if ( | |
| "FileDownloaded" == .event.action || "FileShared" == .event.action || "FileUpdateDescription" == .event.action || "FileVisited" == .event.action | |
| ) { | |
| .event.type = push(.event.type, "access") | |
| } | |
| if ( | |
| "GroupCreation" == .event.action || "GroupDeletion" == .event.action | |
| ) { | |
| .event.type = push(.event.type, "group") | |
| } | |
| } | |
| if .event.code == "MicrosoftTeams" { | |
| if .event.action == "TeamCreated" { | |
| .event.action = "added-group-account-to" | |
| .event.category = push(.event.category, "iam") | |
| .event.type = push(.event.type, "group") | |
| .event.type = push(.event.type, "creation") | |
| } else if .event.action == "MemberAdded" { | |
| .event.action = "added-users-to-group" | |
| .event.category = push(.event.category, "iam") | |
| .event.type = push(.event.type, "group") | |
| .event.type = push(.event.type, "change") | |
| } else if .event.action == "Delete user." { # TODO(shaeq): Check this | |
| .event.action = "deleted-user-account" | |
| .event.category = push(.event.category, "iam") | |
| .event.type = push(.event.type, "user") | |
| .event.type = push(.event.type, "deletion") | |
| .user.target.id = .o365.audit.ObjectId | |
| } | |
| .group.name = del(.o365.audit.TeamName) || .group.name | |
| if is_array(.o365.audit.Members) { | |
| for_each(array!(.o365.audit.Members)) -> |_i, m| { | |
| if is_object(m) && m.UPN != null && !is_empty(string!(m.UPN)) { | |
| .related.user = push(.related.user, m.UPN) | |
| } | |
| } | |
| } | |
| } | |
| client_temp = replace(client_temp, r'::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)', "$1") ?? null | |
| client_port = null | |
| if client_temp != null && !is_empty(string!(client_temp)) { | |
| _grokked = parse_groks!( | |
| client_temp, | |
| [ | |
| "%{IPANDPORTBRACKETS}", | |
| "^%{IP:client.address}$", | |
| "^\\[%{IP:client.address}\\]$", | |
| "%{IPANDPORT}", | |
| "^%{NOTSPACE:client.domain}$", | |
| "%{HOSTNAMEANDPORTBRACKETS}", | |
| "%{HOSTNAMEANDPORT}", | |
| "^\\[%{HOSTNAMEANDIP}\\]$", | |
| "^%{HOSTNAMEANDIP}$", | |
| "%{GREEDYDATA:client.address}", | |
| ], | |
| { | |
| "IPANDPORTBRACKETS": "^\\[%{IP:client.address}\\]:%{POSINT:client_port}", | |
| "IPANDPORT": "^%{IP:client.address}:%{POSINT:client_port}", | |
| "HOSTNAMEANDPORTBRACKETS": "^\\[%{NOTSPACE:client.domain}\\]:%{POSINT:client_port}", | |
| "HOSTNAMEANDPORT": "^%{NOTSPACE:client.domain}:%{POSINT:client_port}", | |
| "NOTCLOSINGPARENS": "[^)]*", | |
| "HOSTNAMEANDIP": "%{NOTSPACE:client.domain} \\(%{NOTCLOSINGPARENS:client.address}\\)", | |
| } | |
| ) | |
| client_port = del(_grokked.client_port) | |
| . = merge(., _grokked, deep: true) | |
| } | |
| if .event.code == "ExchangeAdmin" || .event.code == "ExchangeItem" { | |
| server_temp = del(.o365.audit.OriginatingServer) | |
| server_temp = replace(server_temp, r'\n|\r', "") ?? null | |
| if server_temp != null && !is_empty(string!(server_temp)) { | |
| . |= parse_groks!(server_temp, | |
| [ | |
| "^\\[%{HOSTNAMEANDIP}\\]$", | |
| "%{HOSTNAMEANDIP}", | |
| "%{GREEDYDATA:server.address}", | |
| ], | |
| { | |
| "NOTCLOSINGPARENS": "[^)]*", | |
| "HOSTNAMEANDIP": "%{NOTSPACE:server.domain} \\(%{NOTCLOSINGPARENS:server.address}\\)" | |
| }, | |
| ) | |
| } | |
| } | |
| if .client.address != null { | |
| .network.type = if is_ipv6!(.client.address) { "ipv6" } else if is_ipv4!(.client.address) { "ipv4" } else { null } | |
| if .network.type != null { | |
| .client.ip = .client.address | |
| } | |
| } | |
| if client_port != null { | |
| .client.port = to_int!(client_port) | |
| } | |
| if .server.address != null { | |
| .server.ip = if is_ipv6!(.server.address) || is_ipv4!(.server.address) { .server.address } else { null } | |
| } | |
| .source.ip = .client.ip | |
| .source.port = .client.port | |
| .destination.ip = .server.ip | |
| if .user.id != null && contains(string!(.user.id), "@") { | |
| parts = split!(.user.id, "@") | |
| if length(parts) == 2 { | |
| .user.email = .user.id | |
| .user.name = parts[0] | |
| .user.domain = parts[1] | |
| } | |
| } | |
| if .user.target.id != null && contains(string!(.user.target.id), "@") { | |
| parts = split!(.user.target.id, "@") | |
| if length(parts) == 2 { | |
| .user.target.email = .user.target.id | |
| .user.target.name = parts[0] | |
| .user.target.domain = parts[1] | |
| } | |
| } | |
| if .source.user.id != null && contains(string!(.source.user.id), "@") { | |
| parts = split!(.source.user.id, "@") | |
| if length(parts) == 2 { | |
| .source.user.email = .source.user.id | |
| .source.user.name = parts[0] | |
| .source.user.domain = parts[1] | |
| } | |
| } | |
| if .destination.user.id != null && contains(string!(.destination.user.id), "@") { | |
| parts = split!(.destination.user.id, "@") | |
| if length(parts) == 2 { | |
| .destination.user.email = .destination.user.id | |
| .destination.user.name = parts[0] | |
| .destination.user.domain = parts[1] | |
| } | |
| } | |
| .related.ip = array!(.related.ip) | |
| if .client.ip != null { | |
| .related.ip = push(.related.ip, .client.ip) | |
| } | |
| if .server.ip != null { | |
| .related.ip = push(.related.ip, .server.ip) | |
| } | |
| .related.user = array!(.related.user) | |
| if .user.name != null { | |
| .related.user = push(.related.user, .user.name) | |
| } | |
| if .user.target.name != null { | |
| .related.user = push(.related.user, .user.target.name) | |
| } | |
| if .file.owner != null { | |
| .related.user = push(.related.user, .file.owner) | |
| } | |
| .user_agent.original = .o365.audit.ExtendedProperties.UserAgent || .user_agent.original | |
| .organization.id = downcase(.organization.id) ?? null | |
| .host.id = .organization.id | |
| # TODO(shaeq): enrich organization.id -> host.name / org.name based on a tenant config | |
| .host.name = get(tenants, [.organization.id]) ?? null | |
| .organization.name = .host.name || .organization.name | |
| .host.name = .host.name || .organization.name || .user.domain | |
| .o365.audit.AzureActiveDirectoryEventType = to_string(.o365.audit.AzureActiveDirectoryEventType) ?? null | |
| .o365.audit.RecordType = to_string(.o365.audit.RecordType) ?? null | |
| .o365.audit.UserType = to_string(.o365.audit.UserType) ?? null | |
| .o365.audit.Version = to_string(.o365.audit.Version) ?? null | |
| .o365.audit.InternalLogonType = to_string(.o365.audit.InternalLogonType) ?? null | |
| .o365.audit.LogonType = to_string(.o365.audit.LogonType) ?? null | |
| .o365.audit.ActorYammerUserId = to_string(.o365.audit.ActorYammerUserId) ?? null | |
| .o365.audit.YammerNetworkId = to_string(.o365.audit.YammerNetworkId) ?? null | |
| # .user_agent = parse_user_agent(.user_agent.original) | |
| .source.as.number = del(.source.as.asn) | |
| .source.as.organization.name = del(.source.as.organization_name) | |
| # TODO(auto-stringify object JSONs) | |
| .o365.audit.Parameters = if .o365.audit.Parameters != null { encode_json(.o365.audit.Parameters) } else { null } | |
| .o365.audit.Item = if .o365.audit.Item != null { encode_json(.o365.audit.Item) } else { null } | |
| .o365.audit.ExtendedProperties = if .o365.audit.ExtendedProperties != null { encode_json(.o365.audit.ExtendedProperties) } else { null } | |
| .o365.audit.ModifiedProperties = if .o365.audit.ModifiedProperties != null { encode_json(.o365.audit.ModifiedProperties) } else { null } | |
| .o365.audit.ExchangeMetaData = if .o365.audit.ExchangeMetaData != null { encode_json(.o365.audit.ExchangeMetaData) } else { null } | |
| .o365.audit.ExceptionInfo = if .o365.audit.ExceptionInfo != null { encode_json(.o365.audit.ExceptionInfo) } else { null } | |
| if .o365.audit.PolicyDetails != null { | |
| .o365.audit.PolicyDetails = map_values(array!(.o365.audit.PolicyDetails)) -> |v| { encode_json(v) } | |
| } | |
| .o365.audit.SharePointMetaData = if .o365.audit.SharePointMetaData != null { encode_json(.o365.audit.SharePointMetaData) } else { null } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment