O365 - parse email for external users

Office 365/o365/_meta/fields.yml

@@ -513,6 +513,11 @@ office365.user_type.code:
   name: office365.user_type.code
   type: long
 
+office365.user_type.is_external:
+  description: Whether user is external
+  name: office365.user_type.is_external
+  type: boolean
+
 office365.user_type.name:
   description: The translated type of the user that performed the operation
   name: office365.user_type.name

Office 365/o365/ingest/parser.yml

@@ -77,7 +77,7 @@ stages:
           event.action: "{{json_event.message.Operation}}"
           event.code: "{{json_event.message.RecordType | string}}"
           event.reason: "{{json_event.message.ActionName}}"
-          user.name: "{{json_event.message.UserId}}"
+          user.name: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}"
           user.id: "{{json_event.message.UserKey}}"
           organization.id: "{{json_event.message.OrganizationId}}"
           action.id: "{{json_event.message.RecordType}}"
@@ -89,9 +89,12 @@ stages:
         filter: "{{parse_client_ip.result.ip | is_ipaddress}}"
 
       - set:
-          user.email: "{{json_event.message.UserId}}"
+          user.email: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}"
         filter: '{{"@" in json_event.message.UserId}}'
 
+      - set:
+          office365.user_type.is_external: "{{'urn:spo:guest#' in json_event.message.UserId}}"
+
       - set:
           source.ip: "{{parse_client_ip_address.result.ip}}"
           source.port: "{{parse_client_ip_address.result.port}}"

Office 365/o365/tests/ad.json

@@ -44,6 +44,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/ad_1.json

@@ -53,6 +53,7 @@
       "result_status": "Success",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/add_member_to_role.json

@@ -57,6 +57,7 @@
       "result_status": "Success",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/automated_investigation_and_response.json

@@ -50,6 +50,7 @@
       "record_type": 64,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/automated_investigation_and_response_1.json

@@ -145,6 +145,7 @@
       "record_type": 64,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json

@@ -95,6 +95,7 @@
       "record_type": 64,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json

@@ -121,6 +121,7 @@
       "record_type": 64,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/automated_investigation_and_response_with_attachment.json

@@ -108,6 +108,7 @@
       "record_type": 64,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/browser_log.json

@@ -29,6 +29,7 @@
       "record_type": 36,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/clientipadress.json

@@ -38,6 +38,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 5,
+        "is_external": false,
         "name": "Application"
       }
     },

Office 365/o365/tests/compliancemanager-scorechange.json

@@ -22,6 +22,7 @@
       "result_status": "Successful",
       "user_type": {
         "code": 2,
+        "is_external": false,
         "name": "Admin"
       }
     },

Office 365/o365/tests/email_reported.json

@@ -39,6 +39,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/exchange_event1.json

@@ -39,6 +39,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/exchange_item_aggregated.json

@@ -30,6 +30,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/exchange_item_group.json

@@ -40,6 +40,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/exchange_item_group_2.json

@@ -93,6 +93,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/exchange_item_update.json

@@ -41,6 +41,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/file_previewed.json

@@ -42,6 +42,7 @@
       "record_type": 6,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/file_size.json

@@ -52,6 +52,7 @@
       "record_type": 6,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/file_sync_download_full.json

@@ -48,6 +48,7 @@
       "record_type": 6,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/file_visited.json

@@ -30,6 +30,7 @@
       "result_status": "TRUE",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/form_log.json

@@ -28,6 +28,7 @@
       },
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/inbox_rule.json

@@ -46,6 +46,7 @@
       "result_status": "True",
       "user_type": {
         "code": 2,
+        "is_external": false,
         "name": "Admin"
       }
     },

Office 365/o365/tests/managed_sync.json

@@ -38,6 +38,7 @@
       "record_type": 4,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/mass_download.json

@@ -39,6 +39,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/mcas_alert.json

@@ -41,6 +41,7 @@
       "result_status": "New",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json

@@ -33,6 +33,7 @@
       "record_type": 47,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json

@@ -114,6 +114,7 @@
       "record_type": 28,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json

@@ -21,6 +21,7 @@
       "record_type": 41,
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/operation_properties_01.json

@@ -61,6 +61,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/operation_properties_02.json

@@ -58,6 +58,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/power_bi.json

@@ -23,6 +23,7 @@
       "record_type": 20,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/remove_member_from_role.json

@@ -57,6 +57,7 @@
       "result_status": "Success",
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/security_compliance_alert.json

@@ -39,6 +39,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/security_compliance_alert_2.json

@@ -65,6 +65,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/security_compliance_alert_3.json

@@ -60,6 +60,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/security_compliance_alert_4.json

@@ -59,6 +59,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/security_compliance_alert_5.json

@@ -39,6 +39,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/security_compliance_alert_7.json

@@ -60,6 +60,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/security_compliance_alert_malicious_url.json

@@ -53,6 +53,7 @@
       "result_status": "Succeeded",
       "user_type": {
         "code": 4,
+        "is_external": false,
         "name": "System"
       }
     },

Office 365/o365/tests/source_log.json

@@ -48,6 +48,7 @@
       "record_type": 14,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/targetusername.json

@@ -58,6 +58,7 @@
       "record_type": 14,
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/teams_message_has_link.json

@@ -50,6 +50,7 @@
       },
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/teams_with_foreign_tenant_users.json

@@ -50,6 +50,7 @@
       },
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },

Office 365/o365/tests/teams_with_foreign_tenant_users_2.json

@@ -44,6 +44,7 @@
       },
       "user_type": {
         "code": 0,
+        "is_external": false,
         "name": "Regular"
       }
     },