Merge pull request #1434 from SEKOIA-IO/fix/microsoft_intune_warning

Fix: Microsoft Intune Warning (358)
SEKOIA-IO · Jan 21, 2025 · bb4e6ad · bb4e6ad
2 parents 8c84e8a + 37ef001
commit bb4e6ad
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 14 deletions.
diff --git a/Microsoft/microsoft-intune/ingest/parser.yml b/Microsoft/microsoft-intune/ingest/parser.yml
@@ -9,7 +9,9 @@ pipeline:
       properties:
         input_field: "{{json_event.message.time}}"
         output_field: datetime
+
   - name: set_common_fields
+    filter: "{{json_event.message.category in ['AuditLogs', 'DeviceComplianceOrg', 'Devices', 'OperationalLogs']}}"
 
 stages:
   set_common_fields:
@@ -21,28 +23,28 @@ stages:
           action.target: "user"
           action.type: "{{json_event.message.category}}"
           event.type: ["info"]
+          microsoft.intune.compliant_state: "{{json_event.message.properties.CompliantState}}"
           host.id: "{{json_event.message.properties.DeviceId}}"
-      - set:
-          host.mac: ["{{json_event.message.properties.WifiMacAddress}}"]
-        filter: "{{json_event.message.properties.WifiMacAddress != null}}"
-      - set:
           host.name: "{{json_event.message.properties.DeviceHostName}}"
-      - set:
-          host.name: "{{json_event.message.properties.DeviceName or json_event.message.properties.ManagedDeviceName}}"
-        filter: "{{final.host.name == null}}"
-      - set:
           host.type: "{{json_event.message.properties.Model}}"
-          microsoft.intune.compliant_state: "{{json_event.message.properties.CompliantState}}"
-          network.application: "{{json_event.message.ApplicationName}}"
           host.os.full: "{{json_event.message.properties.OS}}"
           host.os.version: "{{json_event.message.properties.OSVersion}}"
+          network.application: "{{json_event.message.ApplicationName}}"
           service.name: "{{json_event.message.properties.ManagedBy}}"
-      - set:
-          source.ip: "{{json_event.message.actor.ipAddress}}"
-        filter: "{{json_event.message.actor.ipAddress | is_ipaddress}}"
-      - set:
           source.mac: "{{json_event.message.properties.WifiMacAddress}}"
           user.email: "{{json_event.message.properties.UserEmail}}"
           user.id: "{{json_event.message.properties.IntuneAccountId}}"
           user.name: "{{json_event.message.properties.UserName or json_event.message.properties.Actor.UPN}}"
           user.roles: "{{json_event.message.properties.Actor.UserPermissions}}"
+
+      - set:
+          host.mac: ["{{json_event.message.properties.WifiMacAddress}}"]
+        filter: "{{json_event.message.properties.WifiMacAddress != null}}"
+
+      - set:
+          host.name: "{{json_event.message.properties.DeviceName or json_event.message.properties.ManagedDeviceName}}"
+        filter: "{{final.host.name == null}}"
+
+      - set:
+          source.ip: "{{json_event.message.actor.ipAddress}}"
+        filter: "{{json_event.message.actor.ipAddress | is_ipaddress}}"
diff --git a/Microsoft/microsoft-intune/tests/Warning1.json b/Microsoft/microsoft-intune/tests/Warning1.json
@@ -0,0 +1,15 @@
+{
+  "input": {
+    "message": "{\"time\":\"2025-01-08T13:56:29.0164321Z\",\"resourceId\":\"/TENANTS/XXXXXXX-XXX-XXXXXXX-XXXXX/PROVIDERS/MICROSOFT.AADIAM\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"beta\",\"category\":\"MicrosoftGraphActivityLogs\",\"resultSignature\":\"200\",\"durationMs\":\"305512\",\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"level\":\"Informational\",\"location\":\"Central US\",\"properties\":{\"__UDI_RequiredFields_TenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"__UDI_RequiredFields_UniqueId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"__UDI_RequiredFields_EventTime\":638719413890000000,\"__UDI_RequiredFields_RegionScope\":\"NA\",\"timeGenerated\":\"2025-01-08T13:56:29.0164321Z\",\"location\":\"Central US\",\"requestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"operationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"clientRequestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"apiVersion\":\"beta\",\"requestMethod\":\"GET\",\"responseStatusCode\":200,\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"durationMs\":305512,\"responseSizeBytes\":1398,\"signInActivityId\":\"Xxxxxxxxx\",\"roles\":\"Directory.Read.All EduRoster.Read.All EduRoster.ReadWrite.All Group.ReadWrite.All MultiTenantOrganization.Read.All OnlineMeetings.Read.All Organization.Read.All Policy.Read.All ProfilePhoto.Read.All Sites.ReadWrite.All TeamsActivity.Send TeamsAppInstallation.ReadForChat.All TeamsAppInstallation.ReadForTeam.All TeamsAppInstallation.ReadForUser.All User.Invite.All User.Read.All\",\"appId\":\"appxxxxxxxxxxxxxxxxxxxxx\",\"UserPrincipalObjectID\":\"xxxxxxxxxxxxxxx\",\"scopes\":\"\",\"identityProvider\":\"https://sts.windows.net/XXXXXXX-XXX-XXXXXXX-XXXXX/\",\"clientAuthMethod\":\"2\",\"wids\":\"widsxxxxxxxxxxxxx\",\"C_Idtyp\":\"app\",\"C_Iat\":\"1736317474\",\"ipAddress\":\"1.2.3.4\",\"userAgent\":\"TeamsMiddleTier/1.0a$*+\",\"requestUri\":\"https://graph.microsoft.com/beta/XXXXXXX-XXX-XXXXXXX-XXXXX/settings\",\"atContentP\":\"\",\"atContentH\":\"\",\"servicePrincipalId\":\"xxxxxxxxxxxxxxx\",\"tokenIssuedAt\":\"2025-01-08T06:24:34.0000000Z\"},\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\"}"
+  },
+  "expected": {
+    "message": "{\"time\":\"2025-01-08T13:56:29.0164321Z\",\"resourceId\":\"/TENANTS/XXXXXXX-XXX-XXXXXXX-XXXXX/PROVIDERS/MICROSOFT.AADIAM\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"beta\",\"category\":\"MicrosoftGraphActivityLogs\",\"resultSignature\":\"200\",\"durationMs\":\"305512\",\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"level\":\"Informational\",\"location\":\"Central US\",\"properties\":{\"__UDI_RequiredFields_TenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"__UDI_RequiredFields_UniqueId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"__UDI_RequiredFields_EventTime\":638719413890000000,\"__UDI_RequiredFields_RegionScope\":\"NA\",\"timeGenerated\":\"2025-01-08T13:56:29.0164321Z\",\"location\":\"Central US\",\"requestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"operationId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"clientRequestId\":\"xxxxxxx-xxx-xxxx-xxxx-xxx\",\"apiVersion\":\"beta\",\"requestMethod\":\"GET\",\"responseStatusCode\":200,\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\",\"durationMs\":305512,\"responseSizeBytes\":1398,\"signInActivityId\":\"Xxxxxxxxx\",\"roles\":\"Directory.Read.All EduRoster.Read.All EduRoster.ReadWrite.All Group.ReadWrite.All MultiTenantOrganization.Read.All OnlineMeetings.Read.All Organization.Read.All Policy.Read.All ProfilePhoto.Read.All Sites.ReadWrite.All TeamsActivity.Send TeamsAppInstallation.ReadForChat.All TeamsAppInstallation.ReadForTeam.All TeamsAppInstallation.ReadForUser.All User.Invite.All User.Read.All\",\"appId\":\"appxxxxxxxxxxxxxxxxxxxxx\",\"UserPrincipalObjectID\":\"xxxxxxxxxxxxxxx\",\"scopes\":\"\",\"identityProvider\":\"https://sts.windows.net/XXXXXXX-XXX-XXXXXXX-XXXXX/\",\"clientAuthMethod\":\"2\",\"wids\":\"widsxxxxxxxxxxxxx\",\"C_Idtyp\":\"app\",\"C_Iat\":\"1736317474\",\"ipAddress\":\"1.2.3.4\",\"userAgent\":\"TeamsMiddleTier/1.0a$*+\",\"requestUri\":\"https://graph.microsoft.com/beta/XXXXXXX-XXX-XXXXXXX-XXXXX/settings\",\"atContentP\":\"\",\"atContentH\":\"\",\"servicePrincipalId\":\"xxxxxxxxxxxxxxx\",\"tokenIssuedAt\":\"2025-01-08T06:24:34.0000000Z\"},\"tenantId\":\"XXXXXXX-XXX-XXXXXXX-XXXXX\"}",
+    "sekoiaio": {
+      "intake": {
+        "parsing_warnings": [
+          "No fields extracted from original event"
+        ]
+      }
+    }
+  }
+}