Microsoft 365 Integration audit data #8935

Closed
tandemkid opened this issue Jan 19, 2024 · 5 comments
Labels
Integration:o365 Microsoft Office 365

Comments

@tandemkid

tandemkid commented Jan 19, 2024

I don't know what the functionality is supposed to be for the o365.audit.Data field; however, the o365 module isn't parsing "o365.audit.data" into separate fields. If this is by design, we request that this information be parsed into separate fields so that rules can highlight the desired fields and that alerts can be created more efficiently.

In this case, we would want the reported email and subject to have their own fields, just like the other data.

Vivek Zaveri [email protected]","sip":"40.107.236.100","srt":"1","trc":"redacted.edu","ms":"[External]RE: Bruce? ",

{
  "_index": ".ds-logs-o365.audit-redacted-2024.01.13-000058",
  "_id": "CvPRc7OFiis8pzH5ryXGvMFjtP8=",
  "_version": 1,
  "_score": 0,
  "_source": {
    "agent": {
      "name": "tcvk-redacted",
      "id": "9200c4e8-b627-4348-9932-b2e408e1a3d1",
      "type": "filebeat",
      "ephemeral_id": "864bd3d0-b3f2-4763-a6ab-9548490b9c34",
      "version": "8.11.3"
    },
    "elastic_agent": {
      "id": "9200c4e8-b627-4348-9932-b2e408e1a3d1",
      "version": "8.11.3",
      "snapshot": false
    },
    "rule": {
      "reference": [
        ""
      ],
      "name": "Email reported by user as malware or phish",
      "ruleset": "User",
      "description": "redacted.edu",
      "id": "b26a5770-0c38-434a-9380-3a3c2c27bbb3",
      "category": "ThreatManagement"
    },
    "message": "New alert",
    "tags": [
      "forwarded",
      "o365-cel"
    ],
    "o365": {
      "audit": {
        "UserKey": "SecurityComplianceAlerts",
        "Source": "Office 365 Security & Compliance",
        "AlertType": "System",
        "RecordType": "40",
        "Version": "1",
        "Status": "Active",
        "ObjectId": "redacted.edu",
        "ResultStatus": "Succeeded",
        "Severity": "Low",
        "Data": "{\"etype\":\"User\",\"eid\":\"redacted.edu\",\"tid\":\"58b3302e-910a-48fb-911e-7ea7fa692bdd\",\"ts\":\"2024-01-15T20:23:55.0000000Z\",\"te\":\"2024-01-15T20:23:55.0000000Z\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"redacted.edu\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"Vivek Zaveri <[email protected]>\",\"sip\":\"40.107.236.100\",\"srt\":\"1\",\"trc\":\"redacted.edu\",\"ms\":\"[External]RE:  Bruce? \",\"sid\":\"8ea3cd1a-8828-4839-95a6-08dc1607e617\",\"aii\":\"dd018177-89be-4f88-40d3-08dc15dde8ac\",\"md\":\"2024-01-15T15:23:21.0000000Z\",\"etps\":\"KesMailId:8897574509479147;FingerprintData:94DBD6DD.8AE6DD0D.4F26DF9.42EAE171.202BD;SubmissionCategory:Email;RescanVerdict:NotSpam;SubmissionSource:Microsoft;SubmissionId:9f1e2b53-33a7-483e-c080-08dc1606e461;OriginalVerdict:NotSpam\",\"lon\":\"UserSubmission\"}",
        "AlertId": "30a06ffa-4f31-3a2b-9400-08dc1608bf03",
        "UserId": "SecurityComplianceAlerts",
        "CreationTime": "2024-01-15T20:25:41",
        "UserType": "4"
      }
    },
    "input": {
      "type": "cel"
    },
    "@timestamp": "2024-01-15T20:25:41.000Z",
    "ecs": {
      "version": "8.11.0"
    },
    "data_stream": {
      "namespace": "redacted",
      "type": "logs",
      "dataset": "o365.audit"
    },
    "organization": {
      "id": "58b3302e-910a-48fb-911e-7ea7fa692bdd"
    },
    "host": {
      "id": "58b3302e-910a-48fb-911e-7ea7fa692bdd"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-01-15T20:29:52Z",
      "code": "SecurityComplianceAlerts",
      "provider": "SecurityComplianceCenter",
      "kind": "alert",
      "action": "AlertEntityGenerated",
      "id": "2e8b43dc-b45b-445b-8067-08dc160824ec",
      "type": [
        "info"
      ],
      "category": [
        "web"
      ],
      "dataset": "o365.audit",
      "outcome": "success"
    },
    "user": {
      "id": "SecurityComplianceAlerts"
    }
  },
  "fields": {
    "rule.id": [
      "b26a5770-0c38-434a-9380-3a3c2c27bbb3"
    ],
    "elastic_agent.version": [
      "8.11.3"
    ],
    "event.category": [
      "web"
    ],
    "o365.audit.Data": [
      "{\"etype\":\"User\",\"eid\":\"redacted.edu\",\"tid\":\"58b3302e-910a-48fb-911e-7ea7fa692bdd\",\"ts\":\"2024-01-15T20:23:55.0000000Z\",\"te\":\"2024-01-15T20:23:55.0000000Z\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"redacted.edu\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"Vivek Zaveri <[email protected]>\",\"sip\":\"40.107.236.100\",\"srt\":\"1\",\"trc\":\"redacted.edu\",\"ms\":\"[External]RE:  Bruce? \",\"sid\":\"8ea3cd1a-8828-4839-95a6-08dc1607e617\",\"aii\":\"dd018177-89be-4f88-40d3-08dc15dde8ac\",\"md\":\"2024-01-15T15:23:21.0000000Z\",\"etps\":\"KesMailId:8897574509479147;FingerprintData:94DBD6DD.8AE6DD0D.4F26DF9.42EAE171.202BD;SubmissionCategory:Email;RescanVerdict:NotSpam;SubmissionSource:Microsoft;SubmissionId:9f1e2b53-33a7-483e-c080-08dc1606e461;OriginalVerdict:NotSpam\",\"lon\":\"UserSubmission\"}"
    ],
    "o365.audit.UserId": [
      "SecurityComplianceAlerts"
    ],
    "rule.reference": [
      ""
    ],
    "o365.audit.Status": [
      "Active"
    ],
    "rule.ruleset": [
      "User"
    ],
    "agent.name": [
      "tcvk-redacted"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "alert"
    ],
    "event.outcome": [
      "success"
    ],
    "rule.name": [
      "Email reported by user as malware or phish"
    ],
    "user.id": [
      "SecurityComplianceAlerts"
    ],
    "input.type": [
      "cel"
    ],
    "rule.description": [
      "redacted.edu"
    ],
    "data_stream.type": [
      "logs"
    ],
    "o365.audit.ObjectId": [
      "redacted.edu"
    ],
    "tags": [
      "forwarded",
      "o365-cel"
    ],
    "o365.audit.Source": [
      "Office 365 Security & Compliance"
    ],
    "event.provider": [
      "SecurityComplianceCenter"
    ],
    "event.code": [
      "SecurityComplianceAlerts"
    ],
    "agent.id": [
      "9200c4e8-b627-4348-9932-b2e408e1a3d1"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "o365.audit.Severity": [
      "Low"
    ],
    "o365.audit.RecordType": [
      "40"
    ],
    "organization.id": [
      "58b3302e-910a-48fb-911e-7ea7fa692bdd"
    ],
    "agent.version": [
      "8.11.3"
    ],
    "o365.audit.CreationTime": [
      "2024-01-15T20:25:41"
    ],
    "o365.audit.UserKey": [
      "SecurityComplianceAlerts"
    ],
    "o365.audit.Version": [
      "1"
    ],
    "agent.type": [
      "filebeat"
    ],
    "o365.audit.AlertType": [
      "System"
    ],
    "event.module": [
      "o365"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.id": [
      "58b3302e-910a-48fb-911e-7ea7fa692bdd"
    ],
    "elastic_agent.id": [
      "9200c4e8-b627-4348-9932-b2e408e1a3d1"
    ],
    "data_stream.namespace": [
      "redacted"
    ],
    "message": [
      "New alert"
    ],
    "o365.audit.UserType": [
      "4"
    ],
    "event.action": [
      "AlertEntityGenerated"
    ],
    "event.ingested": [
      "2024-01-15T20:29:52.000Z"
    ],
    "o365.audit.ResultStatus": [
      "Succeeded"
    ],
    "@timestamp": [
      "2024-01-15T20:25:41.000Z"
    ],
    "o365.audit.AlertId": [
      "30a06ffa-4f31-3a2b-9400-08dc1608bf03"
    ],
    "data_stream.dataset": [
      "o365.audit"
    ],
    "event.type": [
      "info"
    ],
    "agent.ephemeral_id": [
      "864bd3d0-b3f2-4763-a6ab-9548490b9c34"
    ],
    "event.id": [
      "2e8b43dc-b45b-445b-8067-08dc160824ec"
    ],
    "rule.category": [
      "ThreatManagement"
    ],
    "event.dataset": [
      "o365.audit"
    ]
  }
}
@jamiehynds

@tandemkid can you confirm which version of the integration you're running? We just released v2.0 last week with improved mappings for the o365.audit.data fields.

@chrisberkhout could you confirm if the recent update covers the sample event above, to parse the email address, subject, etc?

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds jamiehynds added the Integration:o365 Microsoft Office 365 label Jan 22, 2024
@tandemkid
Author

tandemkid commented Jan 22, 2024 via email

@chrisberkhout
Contributor

@tandemkid @jamiehynds Yes, the recent updates cover this.

The known subfields of Data that we identified are indexed as their corresponding types in o365.audit.Data.* (this includes all fields in the example above). The full data object is also available in o365.audit.Data.flattened. The email address in Data.tsd will be copied into related.user.

For more detail on these changes please refer to:
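
The following is an added example, not part of any comment above and not the integration's own ingest pipeline. It shows, in plain Python, the kind of decomposition the issue asks for and that the v2.0 mapping described by @chrisberkhout provides: the JSON-in-a-string o365.audit.Data value is decoded into typed subfields, the full object is kept under a flattened key, the semicolon-separated etps value is split into its own key/value pairs, the reported sender address from tsd is copied into related.user, and a malformed Data string is preserved rather than dropped. The sample event is constructed with the same keys as the issue's event but with placeholder values (example.invalid address, documentation IP, and an OriginalVerdict that differs from RescanVerdict so the verdict-change check has something to find); the function names, the `tsd_name`/`tsd_address` subfields and the `_data_parse_failure` tag are this example's own choices, not names used by the integration.

```python
import json
from email.utils import parseaddr

# Constructed sample in the shape of the issue's o365.audit.Data string (same keys),
# with personal values replaced by placeholders. OriginalVerdict is deliberately set
# to differ from RescanVerdict so the verdict-change check below is exercised.
SAMPLE_DATA = (
    '{"etype":"User","eid":"redacted.edu",'
    '"tid":"00000000-0000-0000-0000-000000000000",'
    '"ts":"2024-01-15T20:23:55.0000000Z","te":"2024-01-15T20:23:55.0000000Z",'
    '"op":"UserSubmission","tdc":"1","suid":"redacted.edu","ut":"Regular",'
    '"ssic":"0","tsd":"Reported Sender <sender@example.invalid>",'
    '"sip":"203.0.113.10","srt":"1","trc":"redacted.edu",'
    '"ms":"[External]RE:  Bruce? ",'
    '"md":"2024-01-15T15:23:21.0000000Z",'
    '"etps":"KesMailId:0;SubmissionCategory:Email;RescanVerdict:NotSpam;'
    'SubmissionSource:Microsoft;OriginalVerdict:Phish",'
    '"lon":"UserSubmission"}'
)

# Keys the service emits as numeric strings; cast so rules can compare numerically.
INTEGER_KEYS = ("tdc", "ssic", "srt")


def parse_etps(etps: str) -> dict:
    """Split 'Key:Value;Key:Value' into a dict.

    Values may themselves contain ':' so only the first ':' of each segment
    separates key from value; empty segments are ignored.
    """
    out = {}
    for segment in etps.split(";"):
        if not segment.strip():
            continue
        key, sep, value = segment.partition(":")
        out[key.strip()] = value.strip() if sep else ""
    return out


def parse_audit_data(data: str) -> dict:
    """Decode the Data string into typed subfields plus the untouched object.

    On invalid JSON the raw string is returned under 'raw' with an 'error'
    message, so a malformed event is kept for triage instead of silently lost.
    """
    try:
        flattened = json.loads(data)
    except (TypeError, ValueError) as exc:
        return {"fields": {}, "flattened": None, "raw": data, "error": str(exc)}
    if not isinstance(flattened, dict):
        return {"fields": {}, "flattened": None, "raw": data, "error": "Data is not a JSON object"}

    fields = dict(flattened)
    for key in INTEGER_KEYS:
        if key in fields:
            try:
                fields[key] = int(fields[key])
            except (TypeError, ValueError):
                pass  # keep the original value if it is not numeric
    if isinstance(fields.get("etps"), str):
        fields["etps"] = parse_etps(fields["etps"])
    if isinstance(fields.get("tsd"), str):
        # RFC 5322 'Display Name <addr>' parsing; names below are this example's own.
        name, address = parseaddr(fields["tsd"])
        fields["tsd_name"] = name
        fields["tsd_address"] = address.lower()
    return {"fields": fields, "flattened": flattened, "raw": None, "error": None}


def enrich_event(event: dict) -> dict:
    """Replace o365.audit.Data with its subfields, keep the full object under
    Data.flattened, and copy the reported sender address into related.user."""
    audit = event.setdefault("o365", {}).setdefault("audit", {})
    raw = audit.get("Data")
    if isinstance(raw, str):
        parsed = parse_audit_data(raw)
    else:
        parsed = {"fields": {}, "flattened": None, "raw": raw, "error": "Data missing"}
    audit["Data"] = {**parsed["fields"], "flattened": parsed["flattened"]}
    if parsed["error"]:
        audit["Data"]["raw"] = parsed["raw"]
        event.setdefault("error", {})["message"] = parsed["error"]
        event.setdefault("tags", []).append("_data_parse_failure")  # example's own tag
        return event
    address = parsed["fields"].get("tsd_address")
    if address:
        related = event.setdefault("related", {}).setdefault("user", [])
        if address not in related:
            related.append(address)
    return event


def verdict_changed(event: dict) -> bool:
    """True when the rescan verdict differs from the original verdict, which is
    the user-submission case a triage rule most wants to surface."""
    etps = event.get("o365", {}).get("audit", {}).get("Data", {}).get("etps", {})
    if not isinstance(etps, dict):
        return False
    original, rescan = etps.get("OriginalVerdict"), etps.get("RescanVerdict")
    return bool(original and rescan and original != rescan)


if __name__ == "__main__":
    enriched = enrich_event({"o365": {"audit": {"Data": SAMPLE_DATA}}, "tags": ["forwarded"]})
    print(json.dumps(enriched["o365"]["audit"]["Data"], indent=2))
    print("related.user:", enriched["related"]["user"])
    print("verdict changed:", verdict_changed(enriched))
```

With the parsed layout, a rule can match on the subject (`o365.audit.Data.ms`), the reported sender (`related.user`) or a verdict flip in the etps pairs instead of running a regex over the raw Data string, and an event whose Data fails to decode still reaches the index with its raw value and a parse-failure tag so the failure itself is visible.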

@tandemkid
Author

tandemkid commented Jan 22, 2024 via email

4 participants