Skip to content

Commit

Permalink
Merge pull request #1392 from SEKOIA-IO/lv/o365_split_email
Browse files Browse the repository at this point in the history 
O365 - parse email for external users
  • Loading branch information
@squioc
squioc authored Dec 13, 2024
2 parents 346c394 + bd93f92 commit 807b5c0
Show file tree
Hide file tree
Showing 57 changed files with 166 additions and 2 deletions.
5 changes: 5 additions & 0 deletions Office 365/o365/_meta/fields.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,11 @@ office365.user_type.code:
name: office365.user_type.code
type: long

office365.user_type.is_external:
description: Whether user is external
name: office365.user_type.is_external
type: boolean

office365.user_type.name:
description: The translated type of the user that performed the operation
name: office365.user_type.name
Expand Down
7 changes: 5 additions & 2 deletions Office 365/o365/ingest/parser.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ stages:
event.action: "{{json_event.message.Operation}}"
event.code: "{{json_event.message.RecordType | string}}"
event.reason: "{{json_event.message.ActionName}}"
user.name: "{{json_event.message.UserId}}"
user.name: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}"
user.id: "{{json_event.message.UserKey}}"
organization.id: "{{json_event.message.OrganizationId}}"
action.id: "{{json_event.message.RecordType}}"
Expand All @@ -89,9 +89,12 @@ stages:
filter: "{{parse_client_ip.result.ip | is_ipaddress}}"

- set:
user.email: "{{json_event.message.UserId}}"
user.email: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}"
filter: '{{"@" in json_event.message.UserId}}'

- set:
office365.user_type.is_external: "{{'urn:spo:guest#' in json_event.message.UserId}}"

- set:
source.ip: "{{parse_client_ip_address.result.ip}}"
source.port: "{{parse_client_ip_address.result.port}}"
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/ad.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/ad_1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@
"result_status": "Success",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/add_member_to_role.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@
"result_status": "Success",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/automated_investigation_and_response.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@
"record_type": 64,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/automated_investigation_and_response_1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,7 @@
"record_type": 64,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@
"record_type": 64,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,7 @@
"record_type": 64,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/automated_investigation_and_response_with_attachment.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@
"record_type": 64,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/browser_log.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
"record_type": 36,
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/clientipadress.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 5,
"is_external": false,
"name": "Application"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/compliancemanager-scorechange.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
"result_status": "Successful",
"user_type": {
"code": 2,
"is_external": false,
"name": "Admin"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/email_reported.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/exchange_event1.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/exchange_item_aggregated.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/exchange_item_group.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/exchange_item_group_2.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/exchange_item_update.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
102 changes: 102 additions & 0 deletions Office 365/o365/tests/external_user.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
{
"input": {
"message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#[email protected]\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}"
},
"expected": {
"message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#[email protected]\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}",
"event": {
"action": "FileDownloaded",
"category": [
"file"
],
"code": "6",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2024-11-29T12:31:12Z",
"action": {
"id": 6,
"name": "FileDownloaded",
"outcome": "success",
"properties": [
{
"SiteUrl": "https://example.com/",
"SourceFileName": "1.zip",
"SourceRelativeUrl": "Documents/IMT MBA",
"UserAgent": "OneDriveMpc-Transform_Zip/1.0"
}
],
"target": "user"
},
"file": {
"directory": "Documents/IMT MBA",
"extension": "zip",
"name": "1.zip",
"size": 26860827
},
"office365": {
"audit": {
"object_id": "https://example.com/1.zip"
},
"context": {
"client": {
"name": "MeTA"
},
"correlation": {
"id": "27de65c0-1c43-4d70-9a4d-45a66418dbd6"
}
},
"record_type": 6,
"user_type": {
"code": 0,
"is_external": true,
"name": "Regular"
}
},
"organization": {
"id": "eda474c4-ddfd-4ecd-85ff-3103a09b118d"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"[email protected]"
]
},
"service": {
"name": "OneDrive"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"url": {
"domain": "example.com",
"full": "https://example.com/1.zip",
"original": "https://example.com/1.zip",
"path": "/1.zip",
"port": 443,
"registered_domain": "example.com",
"scheme": "https",
"top_level_domain": "com"
},
"user": {
"email": "[email protected]",
"id": "urn:spo:guest:hash#aGVsbG8gdGhlcmUK",
"name": "[email protected]"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "OneDriveMpc-Transform_Zip/1.0",
"os": {
"name": "Other"
}
}
}
}
1 change: 1 addition & 0 deletions Office 365/o365/tests/file_previewed.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
"record_type": 6,
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/file_size.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@
"record_type": 6,
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/file_sync_download_full.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@
"record_type": 6,
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/file_visited.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
"result_status": "TRUE",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/form_log.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
},
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/inbox_rule.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
"result_status": "True",
"user_type": {
"code": 2,
"is_external": false,
"name": "Admin"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/managed_sync.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@
"record_type": 4,
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/mass_download.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/mcas_alert.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@
"result_status": "New",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
"record_type": 47,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,7 @@
"record_type": 28,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
"record_type": 41,
"user_type": {
"code": 4,
"is_external": false,
"name": "System"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/operation_properties_01.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/operation_properties_02.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@
"result_status": "Succeeded",
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
1 change: 1 addition & 0 deletions Office 365/o365/tests/power_bi.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
"record_type": 20,
"user_type": {
"code": 0,
"is_external": false,
"name": "Regular"
}
},
Expand Down
Loading

0 comments on commit 807b5c0

Please sign in to comment.