diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 02c13a28b..dfa4178de 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -513,6 +513,11 @@ office365.user_type.code: name: office365.user_type.code type: long +office365.user_type.is_external: + description: Whether user is external + name: office365.user_type.is_external + type: boolean + office365.user_type.name: description: The translated type of the user that performed the operation name: office365.user_type.name diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index f0e861645..8568883db 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -77,7 +77,7 @@ stages: event.action: "{{json_event.message.Operation}}" event.code: "{{json_event.message.RecordType | string}}" event.reason: "{{json_event.message.ActionName}}" - user.name: "{{json_event.message.UserId}}" + user.name: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}" user.id: "{{json_event.message.UserKey}}" organization.id: "{{json_event.message.OrganizationId}}" action.id: "{{json_event.message.RecordType}}" @@ -89,9 +89,12 @@ stages: filter: "{{parse_client_ip.result.ip | is_ipaddress}}" - set: - user.email: "{{json_event.message.UserId}}" + user.email: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}" filter: '{{"@" in json_event.message.UserId}}' + - set: + office365.user_type.is_external: "{{'urn:spo:guest#' in json_event.message.UserId}}" + - set: source.ip: "{{parse_client_ip_address.result.ip}}" source.port: "{{parse_client_ip_address.result.port}}" diff --git a/Office 365/o365/tests/ad.json b/Office 365/o365/tests/ad.json index 4cfb5c636..359da7dbc 100644 --- a/Office 365/o365/tests/ad.json +++ b/Office 365/o365/tests/ad.json @@ -44,6 +44,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/ad_1.json b/Office 365/o365/tests/ad_1.json index 2474aeae8..aa501f91a 100644 --- a/Office 365/o365/tests/ad_1.json +++ b/Office 365/o365/tests/ad_1.json @@ -53,6 +53,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/add_member_to_role.json b/Office 365/o365/tests/add_member_to_role.json index 2ea3b7995..15b06db18 100644 --- a/Office 365/o365/tests/add_member_to_role.json +++ b/Office 365/o365/tests/add_member_to_role.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response.json b/Office 365/o365/tests/automated_investigation_and_response.json index bb5f028e8..3ae14890a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response.json +++ b/Office 365/o365/tests/automated_investigation_and_response.json @@ -50,6 +50,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_1.json b/Office 365/o365/tests/automated_investigation_and_response_1.json index fb46179f0..b79920afb 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_1.json @@ -145,6 +145,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json index 6e6d8fd0f..e40af7314 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json @@ -95,6 +95,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json index a3a57df24..ca940465a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json @@ -121,6 +121,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json index 61b656511..173b1ef9c 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json @@ -108,6 +108,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/browser_log.json b/Office 365/o365/tests/browser_log.json index 611865bee..5bd149008 100644 --- a/Office 365/o365/tests/browser_log.json +++ b/Office 365/o365/tests/browser_log.json @@ -29,6 +29,7 @@ "record_type": 36, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index cc64b69af..661fe2bb6 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -38,6 +38,7 @@ "result_status": "Succeeded", "user_type": { "code": 5, + "is_external": false, "name": "Application" } }, diff --git a/Office 365/o365/tests/compliancemanager-scorechange.json b/Office 365/o365/tests/compliancemanager-scorechange.json index 9e31750bf..cc75e8e2c 100644 --- a/Office 365/o365/tests/compliancemanager-scorechange.json +++ b/Office 365/o365/tests/compliancemanager-scorechange.json @@ -22,6 +22,7 @@ "result_status": "Successful", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/email_reported.json b/Office 365/o365/tests/email_reported.json index e9b064f62..69696b1c5 100644 --- a/Office 365/o365/tests/email_reported.json +++ b/Office 365/o365/tests/email_reported.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/exchange_event1.json b/Office 365/o365/tests/exchange_event1.json index 881c1f21b..334ec01a8 100644 --- a/Office 365/o365/tests/exchange_event1.json +++ b/Office 365/o365/tests/exchange_event1.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_aggregated.json b/Office 365/o365/tests/exchange_item_aggregated.json index c15d8da5b..dc81df845 100644 --- a/Office 365/o365/tests/exchange_item_aggregated.json +++ b/Office 365/o365/tests/exchange_item_aggregated.json @@ -30,6 +30,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group.json b/Office 365/o365/tests/exchange_item_group.json index 75fe23b37..2a7d13867 100644 --- a/Office 365/o365/tests/exchange_item_group.json +++ b/Office 365/o365/tests/exchange_item_group.json @@ -40,6 +40,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group_2.json b/Office 365/o365/tests/exchange_item_group_2.json index 1af2cd661..cfbc956e6 100644 --- a/Office 365/o365/tests/exchange_item_group_2.json +++ b/Office 365/o365/tests/exchange_item_group_2.json @@ -93,6 +93,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_update.json b/Office 365/o365/tests/exchange_item_update.json index 30682248f..608d46063 100644 --- a/Office 365/o365/tests/exchange_item_update.json +++ b/Office 365/o365/tests/exchange_item_update.json @@ -41,6 +41,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/external_user.json b/Office 365/o365/tests/external_user.json new file mode 100644 index 000000000..fd3e6c34f --- /dev/null +++ b/Office 365/o365/tests/external_user.json @@ -0,0 +1,102 @@ +{ + "input": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}" + }, + "expected": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}", + "event": { + "action": "FileDownloaded", + "category": [ + "file" + ], + "code": "6", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-29T12:31:12Z", + "action": { + "id": 6, + "name": "FileDownloaded", + "outcome": "success", + "properties": [ + { + "SiteUrl": "https://example.com/", + "SourceFileName": "1.zip", + "SourceRelativeUrl": "Documents/IMT MBA", + "UserAgent": "OneDriveMpc-Transform_Zip/1.0" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents/IMT MBA", + "extension": "zip", + "name": "1.zip", + "size": 26860827 + }, + "office365": { + "audit": { + "object_id": "https://example.com/1.zip" + }, + "context": { + "client": { + "name": "MeTA" + }, + "correlation": { + "id": "27de65c0-1c43-4d70-9a4d-45a66418dbd6" + } + }, + "record_type": 6, + "user_type": { + "code": 0, + "is_external": true, + "name": "Regular" + } + }, + "organization": { + "id": "eda474c4-ddfd-4ecd-85ff-3103a09b118d" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.com" + ] + }, + "service": { + "name": "OneDrive" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/1.zip", + "original": "https://example.com/1.zip", + "path": "/1.zip", + "port": 443, + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" + }, + "user": { + "email": "john.doe@example.com", + "id": "urn:spo:guest:hash#aGVsbG8gdGhlcmUK", + "name": "john.doe@example.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "OneDriveMpc-Transform_Zip/1.0", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/file_previewed.json b/Office 365/o365/tests/file_previewed.json index f5cd4e410..d3ce72283 100644 --- a/Office 365/o365/tests/file_previewed.json +++ b/Office 365/o365/tests/file_previewed.json @@ -42,6 +42,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_size.json b/Office 365/o365/tests/file_size.json index ea0339b0b..7c6c0446f 100644 --- a/Office 365/o365/tests/file_size.json +++ b/Office 365/o365/tests/file_size.json @@ -52,6 +52,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_sync_download_full.json b/Office 365/o365/tests/file_sync_download_full.json index 44dd5f6c3..159b72879 100644 --- a/Office 365/o365/tests/file_sync_download_full.json +++ b/Office 365/o365/tests/file_sync_download_full.json @@ -48,6 +48,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_visited.json b/Office 365/o365/tests/file_visited.json index 46855c741..44ee7180b 100644 --- a/Office 365/o365/tests/file_visited.json +++ b/Office 365/o365/tests/file_visited.json @@ -30,6 +30,7 @@ "result_status": "TRUE", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/form_log.json b/Office 365/o365/tests/form_log.json index 7fc38b1d5..affdbd3b0 100644 --- a/Office 365/o365/tests/form_log.json +++ b/Office 365/o365/tests/form_log.json @@ -28,6 +28,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/inbox_rule.json b/Office 365/o365/tests/inbox_rule.json index f3609c050..1c31e54e6 100644 --- a/Office 365/o365/tests/inbox_rule.json +++ b/Office 365/o365/tests/inbox_rule.json @@ -46,6 +46,7 @@ "result_status": "True", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/managed_sync.json b/Office 365/o365/tests/managed_sync.json index 4c860c040..9157cdb0a 100644 --- a/Office 365/o365/tests/managed_sync.json +++ b/Office 365/o365/tests/managed_sync.json @@ -38,6 +38,7 @@ "record_type": 4, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/mass_download.json b/Office 365/o365/tests/mass_download.json index c072a45c4..d099f991b 100644 --- a/Office 365/o365/tests/mass_download.json +++ b/Office 365/o365/tests/mass_download.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/mcas_alert.json b/Office 365/o365/tests/mcas_alert.json index 91e13123f..0e7bbd829 100644 --- a/Office 365/o365/tests/mcas_alert.json +++ b/Office 365/o365/tests/mcas_alert.json @@ -41,6 +41,7 @@ "result_status": "New", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json index e1397f623..cf341ed7d 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json index 31948758b..ef016aff1 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json @@ -114,6 +114,7 @@ "record_type": 28, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json index 59fdd35ce..fd5c01c5f 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json @@ -21,6 +21,7 @@ "record_type": 41, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json index 790c6b45f..27d256630 100644 --- a/Office 365/o365/tests/operation_properties_01.json +++ b/Office 365/o365/tests/operation_properties_01.json @@ -61,6 +61,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json index 3c91bcb5d..6d50c87eb 100644 --- a/Office 365/o365/tests/operation_properties_02.json +++ b/Office 365/o365/tests/operation_properties_02.json @@ -58,6 +58,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/power_bi.json b/Office 365/o365/tests/power_bi.json index 04a388971..186958235 100644 --- a/Office 365/o365/tests/power_bi.json +++ b/Office 365/o365/tests/power_bi.json @@ -23,6 +23,7 @@ "record_type": 20, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/remove_member_from_role.json b/Office 365/o365/tests/remove_member_from_role.json index 5feefc067..cd39a1c92 100644 --- a/Office 365/o365/tests/remove_member_from_role.json +++ b/Office 365/o365/tests/remove_member_from_role.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/security_compliance_alert.json b/Office 365/o365/tests/security_compliance_alert.json index 9988fb1fe..f3d73bb7d 100644 --- a/Office 365/o365/tests/security_compliance_alert.json +++ b/Office 365/o365/tests/security_compliance_alert.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_2.json b/Office 365/o365/tests/security_compliance_alert_2.json index 43cac929e..b52c6c789 100644 --- a/Office 365/o365/tests/security_compliance_alert_2.json +++ b/Office 365/o365/tests/security_compliance_alert_2.json @@ -65,6 +65,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_3.json b/Office 365/o365/tests/security_compliance_alert_3.json index 4a695584b..693cae46a 100644 --- a/Office 365/o365/tests/security_compliance_alert_3.json +++ b/Office 365/o365/tests/security_compliance_alert_3.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_4.json b/Office 365/o365/tests/security_compliance_alert_4.json index a6b83cc30..33fb22e5d 100644 --- a/Office 365/o365/tests/security_compliance_alert_4.json +++ b/Office 365/o365/tests/security_compliance_alert_4.json @@ -59,6 +59,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_5.json b/Office 365/o365/tests/security_compliance_alert_5.json index f0e153b7e..517d9efea 100644 --- a/Office 365/o365/tests/security_compliance_alert_5.json +++ b/Office 365/o365/tests/security_compliance_alert_5.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_7.json b/Office 365/o365/tests/security_compliance_alert_7.json index 0775bbdc8..062affbb5 100644 --- a/Office 365/o365/tests/security_compliance_alert_7.json +++ b/Office 365/o365/tests/security_compliance_alert_7.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_malicious_url.json b/Office 365/o365/tests/security_compliance_alert_malicious_url.json index 7bb99fa1d..43e51bb06 100644 --- a/Office 365/o365/tests/security_compliance_alert_malicious_url.json +++ b/Office 365/o365/tests/security_compliance_alert_malicious_url.json @@ -53,6 +53,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/source_log.json b/Office 365/o365/tests/source_log.json index 95ecbad6c..488df5065 100644 --- a/Office 365/o365/tests/source_log.json +++ b/Office 365/o365/tests/source_log.json @@ -48,6 +48,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/targetusername.json b/Office 365/o365/tests/targetusername.json index ec3137b79..f881d49d9 100644 --- a/Office 365/o365/tests/targetusername.json +++ b/Office 365/o365/tests/targetusername.json @@ -58,6 +58,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_message_has_link.json b/Office 365/o365/tests/teams_message_has_link.json index cbb5caa76..03b584a02 100644 --- a/Office 365/o365/tests/teams_message_has_link.json +++ b/Office 365/o365/tests/teams_message_has_link.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users.json b/Office 365/o365/tests/teams_with_foreign_tenant_users.json index 5b1e6802d..83f3436b7 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json index fed58f479..ecbdcb18f 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json index 727b939ce..34e139dff 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_without_foreign_tenant_users.json b/Office 365/o365/tests/teams_without_foreign_tenant_users.json index e22534f43..82ca31d6c 100644 --- a/Office 365/o365/tests/teams_without_foreign_tenant_users.json +++ b/Office 365/o365/tests/teams_without_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/threat_intel.json b/Office 365/o365/tests/threat_intel.json index f2bd901be..3b4c44e60 100644 --- a/Office 365/o365/tests/threat_intel.json +++ b/Office 365/o365/tests/threat_intel.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/update_group.json b/Office 365/o365/tests/update_group.json index 20ba82d4d..7bd2bc5a7 100644 --- a/Office 365/o365/tests/update_group.json +++ b/Office 365/o365/tests/update_group.json @@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user.json b/Office 365/o365/tests/update_user.json index b8b43939e..268397a3f 100644 --- a/Office 365/o365/tests/update_user.json +++ b/Office 365/o365/tests/update_user.json @@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user_empty_source_ip.json b/Office 365/o365/tests/update_user_empty_source_ip.json index cd658f9a4..22759d202 100644 --- a/Office 365/o365/tests/update_user_empty_source_ip.json +++ b/Office 365/o365/tests/update_user_empty_source_ip.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in.json b/Office 365/o365/tests/user_logged_in.json index 1cb5385fb..f982e5996 100644 --- a/Office 365/o365/tests/user_logged_in.json +++ b/Office 365/o365/tests/user_logged_in.json @@ -44,6 +44,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in_2.json b/Office 365/o365/tests/user_logged_in_2.json index 93fab6554..563567dc8 100644 --- a/Office 365/o365/tests/user_logged_in_2.json +++ b/Office 365/o365/tests/user_logged_in_2.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_login_failed.json b/Office 365/o365/tests/user_login_failed.json index 9156612dc..21fc55744 100644 --- a/Office 365/o365/tests/user_login_failed.json +++ b/Office 365/o365/tests/user_login_failed.json @@ -55,6 +55,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } },