diff --git a/Packs/Office365/ModelingRules/Office365/Office365.xif b/Packs/Office365/ModelingRules/Office365/Office365.xif
index 9ddde7693033..b7438a696416 100644
--- a/Packs/Office365/ModelingRules/Office365/Office365.xif
+++ b/Packs/Office365/ModelingRules/Office365/Office365.xif
@@ -3,264 +3,276 @@ alter RecordType = to_integer(RecordType) | alter xdm.event.id = Id, - xdm.event.type = if(RecordType = 1, "ExchangeAdmin", RecordType = 2, "ExchangeItem", RecordType = 3, "ExchangeItemGroup", RecordType = 4, "SharePoint", RecordType = 6, "SharePointFileOperation", RecordType = 7, "OneDrive", RecordType = 8, "AzureActiveDirectory", RecordType = 9, "AzureActiveDirectoryAccountLogon", RecordType = 10, "DataCenterSecurityCmdlet", RecordType = 11, "ComplianceDLPSharePoint", RecordType = 13, "ComplianceDLPExchange", RecordType = 14, "SharePointSharingOperation", RecordType = 15, "AzureActiveDirectoryStsLogon", RecordType = 16, "SkypeForBusinessPSTNUsage", RecordType = 17, "SkypeForBusinessUsersBlocked", RecordType = 18, "SecurityComplianceCenterEOPCmdlet", RecordType = 19, "ExchangeAggregatedOperation", RecordType = 20, "PowerBIAudit", RecordType = 21, "CRM", RecordType = 22, "Yammer", RecordType = 23, "SkypeForBusinessCmdlets", RecordType = 24, "Discovery", RecordType = 25, "MicrosoftTeams", RecordType = 28, "ThreatIntelligence", RecordType = 29, "MailSubmission", RecordType = 30, "MicrosoftFlow", RecordType = 31, "AeD", RecordType = 32, "MicrosoftStream", RecordType = 33, "ComplianceDLPSharePointClassification", RecordType = 34, "ThreatFinder", RecordType = 35, "Project", RecordType = 36, "SharePointListOperation", RecordType = 37, "SharePointCommentOperation", RecordType = 38, "DataGovernance", RecordType = 39, "Kaizala", RecordType = 40, "SecurityComplianceAlerts", RecordType = 41, "ThreatIntelligenceUrl", RecordType = 42, "SecurityComplianceInsights", RecordType = 43, "MIPLabel", RecordType = 44, "WorkplaceAnalytics", RecordType = 45, "PowerAppsApp", RecordType = 46, "PowerAppsPlan", RecordType = 47, "ThreatIntelligenceAtpContent", RecordType = 48, "LabelContentExplorer", RecordType = 49, "TeamsHealthcare", RecordType = 50, "ExchangeItemAggregated", RecordType = 51, "HygieneEvent", RecordType = 52, "DataInsightsRestApiAudit", RecordType = 53, 
"InformationBarrierPolicyApplication", RecordType = 54, "SharePointListItemOperation", RecordType = 55, "SharePointContentTypeOperation", RecordType = 56, "SharePointFieldOperation", RecordType = 57, "MicrosoftTeamsAdmin", RecordType = 58, "HRSignal", RecordType = 59, "MicrosoftTeamsDevice", RecordType = 60, "MicrosoftTeamsAnalytics", RecordType = 61, "InformationWorkerProtection", RecordType = 62, "Campaign", RecordType = 63, "DLPEndpoint", RecordType = 64, "AirInvestigation", RecordType = 65, "Quarantine", RecordType = 66, "MicrosoftForms", RecordType = 67, "ApplicationAudit", RecordType = 68, "ComplianceSupervisionExchange", RecordType = 69, "CustomerKeyServiceEncryption", RecordType = 70, "OfficeNative", RecordType = 71, "MipAutoLabelSharePointItem", RecordType = 72, "MipAutoLabelSharePointPolicyLocation", RecordType = 73, "MicrosoftTeamsShifts", RecordType = 75, "MipAutoLabelExchangeItem", RecordType = 76, "CortanaBriefing", RecordType = 78, "WDATPAlerts", RecordType = 82, "SensitivityLabelPolicyMatch", RecordType = 83, "SensitivityLabelAction", RecordType = 84, "SensitivityLabeledFileAction", RecordType = 85, "AttackSim", RecordType = 86, "AirManualInvestigation", RecordType = 87, "SecurityComplianceRBAC", RecordType = 88, "UserTraining", RecordType = 89, "AirAdminActionInvestigation", RecordType = 90, "MSTIC", RecordType = 91, "PhysicalBadgingSignal", RecordType = 93, "AipDiscover", RecordType = 94, "AipSensitivityLabelAction", RecordType = 95, "AipProtectionAction", RecordType = 96, "AipFileDeleted", RecordType = 97, "AipHeartBeat", RecordType = 98, "MCASAlerts", RecordType = 99, "OnPremisesFileShareScannerDlp", RecordType = 100, "OnPremisesSharePointScannerDlp", RecordType = 101, "ExchangeSearch", RecordType = 102, "SharePointSearch", RecordType = 103, "PrivacyInsights", RecordType = 105, "MyAnalyticsSettings", RecordType = 106, "SecurityComplianceUserChange", RecordType = 107, "ComplianceDLPExchangeClassification", RecordType = 109, "MipExactDataMatch", 
RecordType = 113, "MS365DCustomDetection", RecordType = 147, "CoreReportingSettings", RecordType = 148, "ComplianceConnector", RecordType = 154, "OMEPortal", RecordType = 174, "DataShareOperation", RecordType = 181, "EduDataLakeDownloadOperation", RecordType = 183, "MicrosoftGraphDataConnectOperation", RecordType = 186, "PowerPagesSite", RecordType = 188, "PlannerPlan", RecordType = 189, "PlannerCopyPlan", RecordType = 190, "PlannerTask", RecordType = 191, "PlannerRoster", RecordType = 192, "PlannerPlanList", RecordType = 193, "PlannerTaskList", RecordType = 194, "PlannerTenantSettings", RecordType = 195, "ProjectForThewebProject", RecordType = 196, "ProjectForThewebTask", RecordType = 197, "ProjectForThewebRoadmap", RecordType = 198, "ProjectForThewebRoadmapItem", RecordType = 199, "ProjectForThewebProjectSettings", RecordType = 200, "ProjectForThewebRoadmapSettings", RecordType = 216, "Viva", RecordType = 217, "MicrosoftGraphDataConnectConsent", RecordType = 218, "AttackSimAdmin", RecordType = 230, "TeamsUpdates", RecordType = 231, "PlannerRosterSensitivityLabel", RecordType = 237, "DefenderExpertsforXDRAdmin", RecordType = 251, "VfamCreatePolicy", RecordType = 252, "VfamUpdatePolicy", RecordType = 253, "VfamDeletePolicy", RecordType = 261, "CopilotInteraction", RecordType = 287, "ProjectForThewebAssignedToMeSettings"), - xdm.source.cloud.project_id = OrganizationId, - xdm.observer.unique_identifier = AppAccessContext -> CorrelationId; // An identifier that can be used to correlate a specific user's actions across Microsoft 365 services. 
- + xdm.event.type = if(RecordType = 1, "ExchangeAdmin", RecordType = 2, "ExchangeItem", RecordType = 3, "ExchangeItemGroup", RecordType = 4, "SharePoint", RecordType = 6, "SharePointFileOperation", RecordType = 7, "OneDrive", RecordType = 8, "AzureActiveDirectory", RecordType = 9, "AzureActiveDirectoryAccountLogon", RecordType = 10, "DataCenterSecurityCmdlet", RecordType = 11, "ComplianceDLPSharePoint", RecordType = 13, "ComplianceDLPExchange", RecordType = 14, "SharePointSharingOperation", RecordType = 15, "AzureActiveDirectoryStsLogon", RecordType = 16, "SkypeForBusinessPSTNUsage", RecordType = 17, "SkypeForBusinessUsersBlocked", RecordType = 18, "SecurityComplianceCenterEOPCmdlet", RecordType = 19, "ExchangeAggregatedOperation", RecordType = 20, "PowerBIAudit", RecordType = 21, "CRM", RecordType = 22, "Yammer", RecordType = 23, "SkypeForBusinessCmdlets", RecordType = 24, "Discovery", RecordType = 25, "MicrosoftTeams", RecordType = 28, "ThreatIntelligence", RecordType = 29, "MailSubmission", RecordType = 30, "MicrosoftFlow", RecordType = 31, "AeD", RecordType = 32, "MicrosoftStream", RecordType = 33, "ComplianceDLPSharePointClassification", RecordType = 34, "ThreatFinder", RecordType = 35, "Project", RecordType = 36, "SharePointListOperation", RecordType = 37, "SharePointCommentOperation", RecordType = 38, "DataGovernance", RecordType = 39, "Kaizala", RecordType = 40, "SecurityComplianceAlerts", RecordType = 41, "ThreatIntelligenceUrl", RecordType = 42, "SecurityComplianceInsights", RecordType = 43, "MIPLabel", RecordType = 44, "WorkplaceAnalytics", RecordType = 45, "PowerAppsApp", RecordType = 46, "PowerAppsPlan", RecordType = 47, "ThreatIntelligenceAtpContent", RecordType = 48, "LabelContentExplorer", RecordType = 49, "TeamsHealthcare", RecordType = 50, "ExchangeItemAggregated", RecordType = 51, "HygieneEvent", RecordType = 52, "DataInsightsRestApiAudit", RecordType = 53, "InformationBarrierPolicyApplication", RecordType = 54, "SharePointListItemOperation", 
RecordType = 55, "SharePointContentTypeOperation", RecordType = 56, "SharePointFieldOperation", RecordType = 57, "MicrosoftTeamsAdmin", RecordType = 58, "HRSignal", RecordType = 59, "MicrosoftTeamsDevice", RecordType = 60, "MicrosoftTeamsAnalytics", RecordType = 61, "InformationWorkerProtection", RecordType = 62, "Campaign", RecordType = 63, "DLPEndpoint", RecordType = 64, "AirInvestigation", RecordType = 65, "Quarantine", RecordType = 66, "MicrosoftForms", RecordType = 67, "ApplicationAudit", RecordType = 68, "ComplianceSupervisionExchange", RecordType = 69, "CustomerKeyServiceEncryption", RecordType = 70, "OfficeNative", RecordType = 71, "MipAutoLabelSharePointItem", RecordType = 72, "MipAutoLabelSharePointPolicyLocation", RecordType = 73, "MicrosoftTeamsShifts", RecordType = 75, "MipAutoLabelExchangeItem", RecordType = 76, "CortanaBriefing", RecordType = 78, "WDATPAlerts", RecordType = 79, "PowerAppsResource", RecordType = 82, "SensitivityLabelPolicyMatch", RecordType = 83, "SensitivityLabelAction", RecordType = 84, "SensitivityLabeledFileAction", RecordType = 85, "AttackSim", RecordType = 86, "AirManualInvestigation", RecordType = 87, "SecurityComplianceRBAC", RecordType = 88, "UserTraining", RecordType = 89, "AirAdminActionInvestigation", RecordType = 90, "MSTIC", RecordType = 91, "PhysicalBadgingSignal", RecordType = 93, "AipDiscover", RecordType = 94, "AipSensitivityLabelAction", RecordType = 95, "AipProtectionAction", RecordType = 96, "AipFileDeleted", RecordType = 97, "AipHeartBeat", RecordType = 98, "MCASAlerts", RecordType = 99, "OnPremisesFileShareScannerDlp", RecordType = 100, "OnPremisesSharePointScannerDlp", RecordType = 101, "ExchangeSearch", RecordType = 102, "SharePointSearch", RecordType = 103, "PrivacyInsights", RecordType = 105, "MyAnalyticsSettings", RecordType = 106, "SecurityComplianceUserChange", RecordType = 107, "ComplianceDLPExchangeClassification", RecordType = 109, "MipExactDataMatch", RecordType = 113, "MS365DCustomDetection", 
RecordType = 147, "CoreReportingSettings", RecordType = 148, "ComplianceConnector", RecordType = 154, "OMEPortal", RecordType = 164, "ScorePlatformGenericAuditRecord", RecordType = 174, "DataShareOperation", RecordType = 181, "EduDataLakeDownloadOperation", RecordType = 183, "MicrosoftGraphDataConnectOperation", RecordType = 186, "PowerPagesSite", RecordType = 187, "PowerPlatformAdminDlp", RecordType = 188, "PlannerPlan", RecordType = 189, "PlannerCopyPlan", RecordType = 190, "PlannerTask", RecordType = 191, "PlannerRoster", RecordType = 192, "PlannerPlanList", RecordType = 193, "PlannerTaskList", RecordType = 194, "PlannerTenantSettings", RecordType = 195, "ProjectForThewebProject", RecordType = 196, "ProjectForThewebTask", RecordType = 197, "ProjectForThewebRoadmap", RecordType = 198, "ProjectForThewebRoadmapItem", RecordType = 199, "ProjectForThewebProjectSettings", RecordType = 200, "ProjectForThewebRoadmapSettings", RecordType = 216, "Viva Goals", RecordType = 217, "MicrosoftGraphDataConnectConsent", RecordType = 218, "AttackSimAdmin", RecordType = 230, "TeamsUpdates", RecordType = 231, "PlannerRosterSensitivityLabel", RecordType = 237, "DefenderExpertsforXDRAdmin", RecordType = 251, "VfamCreatePolicy", RecordType = 252, "VfamUpdatePolicy", RecordType = 253, "VfamDeletePolicy", RecordType = 261, "CopilotInteraction", RecordType = 275, "OWAAuth", RecordType = 280, "VivaPulseResponse", RecordType = 281, "VivaPulseOrganizer", RecordType = 282, "VivaPulseAdmin", RecordType = 283, "VivaPulseReport", RecordType = 287, "ProjectForThewebAssignedToMeSettings", RecordType = 288, "CloudPolicyService", RecordType = 298, "BackupPolicy", RecordType = 299, "RestoreTask", RecordType = 300, "RestoreItem", RecordType = 301, "BackupItem", RecordType = 332, "ComplianceSettingsChange", RecordType = 337, "CloudUpdateProfileConfig", RecordType = 338, "CloudUpdateTenantConfig", RecordType = 339, "CloudUpdateDeviceConfig"), + xdm.observer.unique_identifier = AppAccessContext -> 
CorrelationId, // An identifier that can be used to correlate a specific user's actions across Microsoft 365 services. + xdm.source.cloud.project_id = OrganizationId; [MODEL: dataset="msft_o365_general_raw"] call o365_common_fields | alter EnforcementMode = to_integer(EnforcementMode), - sourceworkload = to_integer(sourceworkload), + SourceWorkload = to_integer(SourceWorkload), Scope = to_integer(Scope), FileSize = to_integer(FileSize) | alter platform_lowercase = lowercase(to_string(Platform)), user_type_string = to_string(UserType), translate_EnforcementMode = if(EnforcementMode = 1, "Audit", EnforcementMode = 2, "Warn (Block with override)", EnforcementMode = 3, "Warn and bypass", EnforcementMode = 4, "Block", EnforcementMode = 5, "Allow (Audit without alerts)"), - src_ip = coalesce(userip, senderip, ClientIP), - filename_name = if(filename ~= "\.", filename, null), - filename_extension = if(filename ~= "\.", arraystring(regextract(filename, "^\S+\.(\S+)"), ""), null), - members_upn = arraystring(arraymap(members -> [], "@element" -> UPN), "|"), - members_displayname = arraystring(arraymap(members -> [], "@element" -> DisplayName), "|"), - members_role = arraystring(arraymap(members -> [], "@element" -> Role), "|"), - sourceworkload_name = if(sourceworkload = 0, "SharePoint Online", sourceworkload = 1, " OneDrive for Business", sourceworkload = 2, "Microsoft Teams"), + src_ip = coalesce(ClientIP, UserIp, SenderIp), + filename_name = if(FileName ~= "\.", FileName, null), + filename_extension = arrayindex(regextract(FileName, "\.([^.]+)$"), 0), // extract trailing suffix after last period + members_upn = arraystring(arraymap(Members -> [], "@element" -> UPN), ","), + members_displayname = arraystring(arraymap(Members -> [], "@element" -> DisplayName), "|"), + members_role = arraystring(arraymap(Members -> [], "@element" -> Role), "|"), Scope_name = if(Scope = 0, "Online", Scope = 1, "Onprem"), - check_objectid_filepath = if(arraystring(regextract(ObjectId, 
"^.+[\/\\]([^\/\\]+)$"), "") ~= "\.", arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), "")) + object_id_file_name = arrayindex(regextract(ObjectId, ".+[\\\/]([^\\\/]+)$"), 0), + object_id_file_path = arrayindex(regextract(ObjectId, "(.+)[\\\/][^\\\/]+$"), 0) | alter - src_ip_v4 = if(src_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", src_ip, null), - src_ip_v6 = if(src_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", src_ip, null), - objectid_filename = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.\S+$"), ""), null), - objectid_filextension = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.(\S+)$"), ""), null), - objectid_clean = if(ObjectId = null, null, ObjectId ~= "^\s*$", null, ObjectId) + src_ipv4_addresses = arraydistinct(regextract(src_ip, "((?:\d{1,3}\.){3}\d{1,3})")), + src_ipv6_addresses = arraydistinct(regextract(src_ip, "((?:[:]{2}[fF]{4}:(?:\d{1,3}\.){3}\d{1,3})|(?:(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}))")), // ipv6 could also be an IPv4-mapped IPv6 address + src_interface = arrayindex(regextract(src_ip, "%(\d+)"), 0), // extract interface identifier from the client ip address if such exists + src_port = arrayindex(regextract(src_ip, "[^\:]+:(\d{1,5})$"), 0), // extract port from the client ip address if such exists */ + object_id_file_extension = arrayindex(regextract(object_id_file_name, "\.([^.]+)$"), 0) // extract trailing suffix after last period +| alter src_ipv4_public_addresses = arrayfilter(src_ipv4_addresses, not incidr("@element", "10.0.0.0/8") and not incidr("@element", "172.16.0.0/12") and not incidr("@element", "192.168.0.0/16") and not incidr("@element", "127.0.0.0/8") and not incidr("@element", "169.254.0.0/16") and not incidr("@element", "100.64.0.0/10")) | alter - xdm.target.file.path = if(arraystring(regextract(ObjectId, 
"^.+[\/\\]([^\/\\]+)$"), "") ~= "\.", ObjectId, null), - xdm.event.operation_sub_type = coalesce(policyaction, message, Operation), - xdm.event.operation = if(Operation = "AttachmentAccess", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation ~= "FileCreated", XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileAccessed", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileAccessedExtended", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FilePreviewed", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRenamed", XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation = "FileCheckOutDiscarded", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRestored", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FolderCreated", XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation = "FolderDeleted", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderModified", XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation = "FolderRecycled", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = "FolderRenamed", XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE), - xdm.alert.original_alert_id = coalesce(InvestigationId, actionid, AlertEntityId, AlertId), - xdm.event.original_event_type = coalesce(detectiontype, EntityType, to_string(RecordType)), - 
xdm.target.file.filename = coalesce(filename_name, objectid_filename), - xdm.target.file.extension = coalesce(FileExtension, filename_extension, objectid_filextension), - xdm.source.host.os_family = if(platform_lowercase ~= "win|microsoft", XDM_CONST.OS_FAMILY_WINDOWS, platform_lowercase ~= "mac|osx", XDM_CONST.OS_FAMILY_MACOS, platform_lowercase ~= "linux", XDM_CONST.OS_FAMILY_LINUX, platform_lowercase ~= "android", XDM_CONST.OS_FAMILY_ANDROID, platform_lowercase ~= "ios", XDM_CONST.OS_FAMILY_IOS, platform_lowercase ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, platform_lowercase ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, platform_lowercase ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, platform_lowercase ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, platform_lowercase ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, platform_lowercase ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, platform_lowercase ~= "scada", XDM_CONST.OS_FAMILY_SCADA), - xdm.target.resource.name = coalesce(formname, objectid_clean), - xdm.source.host.device_id = EntityId, - xdm.email.sender = p2sender, - xdm.email.recipients = if(arraystring(arraycreate(targetuserid), ", ") != "", arraycreate(targetuserid), arraystring(arraycreate(ReleaseTo), ", ") != "", arraycreate(ReleaseTo), arraymap(recipients -> [], trim("@element", "\""))), - xdm.source.user.username = coalesce(username, members_displayname), - xdm.source.user.upn = coalesce(members_upn, actoruserid, UserId), - xdm.source.user.user_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), - xdm.source.user.identity_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "4|5|6|7|8", XDM_CONST.IDENTITY_TYPE_MACHINE), - xdm.auth.privilege_level = if(userrole = "owner", XDM_CONST.PRIVILEGE_LEVEL_USER, userrole = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, members_role = "2", XDM_CONST.PRIVILEGE_LEVEL_GUEST, members_role = "1", 
XDM_CONST.PRIVILEGE_LEVEL_ADMIN, members_role = "0", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "0|1", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "2|3", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, user_type_string ~= "4|5|6|7|8", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM), - xdm.source.user.identifier = coalesce(to_string(ActorYammerUserId), UserKey), - xdm.alert.subcategory = coalesce(verdict, investigationtype, Category, Scope_name), - xdm.event.description = coalesce(to_string(ModifiedProperties), to_string(messages), to_string(FileData), `fields`, ExtraProperties, details, detail, PolicyMatchInfo, to_string(Data), to_string(dataexporttype)), xdm.alert.description = to_string(AppAccessContext), - xdm.target.resource.id = itemid, - xdm.source.user_agent = useragent, - xdm.target.resource.type = ItemType, - xdm.source.ipv4 = src_ip_v4, - xdm.source.ipv6 = src_ip_v6, - xdm.target.file.size = FileSize, - xdm.email.return_path = p1sender, - xdm.email.message_id = coalesce(NetworkMessageId, to_string(messageid), internetmessageid), - xdm.target.file.file_type = FileType, - xdm.target.file.sha256 = `sha256`, - xdm.event.outcome = if(EnforcementMode = 1, XDM_CONST.OUTCOME_UNKNOWN, to_string(EnforcementMode) ~= "2|3", XDM_CONST.OUTCOME_PARTIAL, EnforcementMode = 4, XDM_CONST.OUTCOME_FAILED, EnforcementMode = 5, XDM_CONST.OUTCOME_SUCCESS, lowercase(ResultStatus) = "partiallysucceeded", XDM_CONST.OUTCOME_PARTIAL, lowercase(ResultStatus) ~= "succe", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, lowercase(ResultStatus) = "true", XDM_CONST.OUTCOME_SUCCESS, lowercase(ResultStatus) = "false", XDM_CONST.OUTCOME_FAILED), + xdm.alert.name = InvestigationName, + xdm.alert.original_alert_id = coalesce(InvestigationId, ActionId, AlertEntityId, AlertId), + xdm.alert.original_threat_name = replex(ThreatsAndDetectionTech, "[\"\[\]]", ""), + xdm.alert.severity = Severity, + xdm.alert.subcategory = coalesce(Verdict, InvestigationType, Category, Scope_name), + 
xdm.auth.privilege_level = if(UserRole = "owner", XDM_CONST.PRIVILEGE_LEVEL_USER, UserRole = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, members_role = "2", XDM_CONST.PRIVILEGE_LEVEL_GUEST, members_role = "1", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, members_role = "0", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "0|1", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "2|3", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, user_type_string ~= "4|5|6|7|8", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM), + xdm.email.message_id = coalesce(NetworkMessageId, to_string(MessageId), InternetMessageId), + xdm.email.recipients = if(arraystring(arraycreate(TargetUserId), ", ") != "", arraycreate(TargetUserId), arraystring(arraycreate(ReleaseTo), ", ") != "", arraycreate(ReleaseTo), arraymap(Recipients -> [], trim("@element", "\""))), + xdm.email.return_path = P1Sender, + xdm.email.sender = P2Sender, + xdm.email.subject = if(Subject != null, Subject, ItemName != null and RecordType in (43, 71, 72, 73, 75), ItemName), // For MIP events, fallback to ItemName (see https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#mip-label-schema) + xdm.event.description = coalesce(to_string(ModifiedProperties), to_string(Messages), to_string(FileData), `Fields`, ExtraProperties, Details, Detail, PolicyMatchInfo, to_string(Data), to_string(DataExportType)), + xdm.event.operation = if(Operation in("AttachmentAccess", "FileAccessed", "FileAccessedExtended", "FilePreviewed", "FileVisited", "SensitivityLabeledFileOpened"), XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation in ("FileCreated", "CreateFile"), XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation in ("FileDeleted", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin", "DeleteFileOrBlob"), XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation in ("FileModified", "FileModifiedExtended"), XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation in ("FileRenamed", "RenameFileOrDirectory", 
"SensitivityLabeledFileRenamed"), XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation in ("FolderCreated", "CreateFolder"), XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation in ("FolderDeleted", "DeleteFolder", "FolderDeletedFirstStageRecycleBin", "FolderDeletedSecondStageRecycleBin"), XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation in ("FolderModified", "UpdateFolder"), XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation in ("AddFolderPermissions", "UpdateFolderAccess"), XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation in ("FolderRenamed"), XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation), + xdm.event.operation_sub_type = coalesce(PolicyAction, Message, Operation), + xdm.event.original_event_type = coalesce(DetectionType, EntityType, to_string(RecordType)), + xdm.event.outcome = if(EnforcementMode = 1, XDM_CONST.OUTCOME_UNKNOWN, to_string(EnforcementMode) ~= "2|3", XDM_CONST.OUTCOME_PARTIAL, EnforcementMode = 4, XDM_CONST.OUTCOME_FAILED, EnforcementMode = 5, XDM_CONST.OUTCOME_SUCCESS, lowercase(ResultStatus) = "partiallysucceeded", XDM_CONST.OUTCOME_PARTIAL, lowercase(ResultStatus) ~= "succe", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, lowercase(ResultStatus) = "true", XDM_CONST.OUTCOME_SUCCESS, lowercase(ResultStatus) = "false", XDM_CONST.OUTCOME_FAILED), xdm.event.outcome_reason = coalesce(Reason, translate_EnforcementMode, ResultStatus), - xdm.observer.action = coalesce(to_string(actions), Status, translate_EnforcementMode), + xdm.network.http.url = coalesce(EventDeepLink, DeeplinkURL), xdm.network.rule = Name, - xdm.source.host.hostname = coalesce(entityname, DeviceName), - xdm.alert.severity = Severity, - xdm.alert.name = investigationname, + xdm.observer.action = coalesce(to_string(Actions), Status, translate_EnforcementMode), + xdm.observer.type = if(Workload != null, Workload, SourceWorkload = 0, "SharePoint Online", SourceWorkload = 1, "OneDrive for Business", SourceWorkload = 2, "Microsoft Teams", Source), 
xdm.source.application.name = SourceApp, - xdm.email.subject = coalesce(itemname, subject), - xdm.target.user.identifier = targetyammeruserid, - xdm.alert.original_threat_name = replex(ThreatsAndDetectionTech, "[\"\[\]]", ""), - xdm.target.url = url, - xdm.network.http.url = coalesce(eventdeeplink, deeplinkurl), + xdm.source.host.device_id = EntityId, + xdm.source.host.hostname = coalesce(EntityName, DeviceName), + xdm.source.host.ipv4_addresses = if(array_length(src_ipv4_addresses) > 0, src_ipv4_addresses), + xdm.source.host.ipv4_public_addresses = if(array_length(src_ipv4_public_addresses) > 0, src_ipv4_public_addresses), + xdm.source.host.ipv6_addresses = if(array_length(src_ipv6_addresses) > 0, src_ipv6_addresses), + xdm.source.host.os_family = if(platform_lowercase ~= "win|microsoft", XDM_CONST.OS_FAMILY_WINDOWS, platform_lowercase ~= "mac|osx", XDM_CONST.OS_FAMILY_MACOS, platform_lowercase ~= "linux", XDM_CONST.OS_FAMILY_LINUX, platform_lowercase ~= "android", XDM_CONST.OS_FAMILY_ANDROID, platform_lowercase ~= "ios", XDM_CONST.OS_FAMILY_IOS, platform_lowercase ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, platform_lowercase ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, platform_lowercase ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, platform_lowercase ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, platform_lowercase ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, platform_lowercase ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, platform_lowercase ~= "scada", XDM_CONST.OS_FAMILY_SCADA), + xdm.source.interface = src_interface, + xdm.source.ipv4 = arrayindex(src_ipv4_addresses, 0), + xdm.source.ipv6 = arrayindex(src_ipv6_addresses, 0), + xdm.source.port = to_integer(src_port), xdm.source.process.name = if(Application ~= "\.[Ee][Xx][Ee]", Application), - xdm.observer.type = coalesce(sourceworkload_name, Source, Workload); - + xdm.source.user_agent = UserAgent, + xdm.source.user.identifier = coalesce(to_string(ActorYammerUserId), UserKey), + xdm.source.user.identity_type = if(user_type_string 
~= "0|1|2|3", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "4|5|6|7|8", XDM_CONST.IDENTITY_TYPE_MACHINE), + xdm.source.user.upn = coalesce(UserId, ActorUserId), + xdm.source.user.user_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), + xdm.source.user.username = coalesce(UserName, members_displayname), + xdm.target.file.extension = coalesce(FileExtension, filename_extension, object_id_file_extension), + xdm.target.file.file_type = FileType, + xdm.target.file.filename = coalesce(filename_name, object_id_file_name), + xdm.target.file.path = object_id_file_path, + xdm.target.file.sha256 = `Sha256`, + xdm.target.file.size = FileSize, + xdm.target.resource.id = ItemId, + xdm.target.resource.name = if(FormName != null, FormName, ObjectId ~= "\S+", rtrim(ltrim(ObjectId, "<"), ">")), + xdm.target.resource.type = ItemType, + xdm.target.url = Url, + xdm.target.user.identifier = TargetYammerUserId, + xdm.target.user.upn = members_upn; [MODEL: dataset="msft_o365_exchange_online_raw"] call o365_common_fields | alter - LogonType = to_integer(LogonType), + AttachmentSizeInBytes = to_integer(AttachmentSizeInBytes), InternalLogonType = to_integer(InternalLogonType), + LogonType = to_integer(LogonType), Scope = to_integer(Scope), - AttachmentSizeInBytes = to_integer(AttachmentSizeInBytes) + object_id_file_name = arrayindex(regextract(ObjectId, ".+[\\\/]([^\\\/]+)$"), 0), + object_id_file_path = arrayindex(regextract(ObjectId, "(.+)[\\\/][^\\\/]+$"), 0) | alter + client_ip = coalesce(ClientIPAddress, ClientIP), user_logon_type = to_string(coalesce(LogonType, InternalLogonType)), user_type_string = to_string(UserType), - get_src_ip = coalesce(ClientIPAddress, ClientIP), - check_objectid_filepath = if(arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), "") ~= "\.", arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), "")) + object_id_file_extension = 
arrayindex(regextract(object_id_file_name, "\.([^.]+)$"), 0) // extract trailing suffix after last period | alter - objectid_clean = if(ObjectId = null, null, ObjectId ~= "^\s*$", null, ObjectId), - check_src_ipv4 = if(get_src_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", get_src_ip, null), - check_src_ipv6 = if(get_src_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", get_src_ip, null) + client_ipv4_addresses = arraydistinct(regextract(client_ip, "((?:\d{1,3}\.){3}\d{1,3})")), + client_ipv6_addresses = arraydistinct(regextract(client_ip, "((?:[:]{2}[fF]{4}:(?:\d{1,3}\.){3}\d{1,3})|(?:(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}))")), + client_interface = arrayindex(regextract(client_ip, "%(\d+)"), 0), // extract interface identifier from the ClientIP if such exists + client_port = arrayindex(regextract(client_ip, "[^\:]+:(\d{1,5})$"), 0) // extract port from the ClientIP if such exists */ +| alter client_ipv4_public_addresses = arrayfilter(client_ipv4_addresses, not incidr("@element", "10.0.0.0/8") and not incidr("@element", "172.16.0.0/12") and not incidr("@element", "192.168.0.0/16") and not incidr("@element", "127.0.0.0/8") and not incidr("@element", "169.254.0.0/16") and not incidr("@element", "100.64.0.0/10")) | alter - xdm.target.resource.name = coalesce(ModifiedObjectResolvedName, objectid_clean), - xdm.target.file.path = if(arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), "") ~= "\.", ObjectId, null), - xdm.event.operation_sub_type = Operation, - xdm.event.operation = if(Operation = "AttachmentAccess", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation ~= "FileCreated", XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileAccessed", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileAccessedExtended", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FilePreviewed", 
XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRenamed", XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation = "FileCheckOutDiscarded", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRestored", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FolderCreated", XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation = "FolderDeleted", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderModified", XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation = "FolderRecycled", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = "FolderRenamed", XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE), - xdm.target.file.filename = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.\S+$"), ""), null), - xdm.target.file.extension = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.(\S+)$"), ""), null), - xdm.event.original_event_type = to_string(RecordType), - xdm.event.description = coalesce(to_string(AffectedItems), to_string(ModifiedProperties)), + xdm.alert.description = to_string(AppAccessContext), xdm.alert.subcategory = if(Scope = 0, "Online", Scope = 1, "Onprem"), - xdm.source.host.hostname = ClientMachineName, - xdm.source.cloud.project = OrganizationName, - xdm.source.user.user_type = if(user_logon_type ~= "3|4", 
XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, user_logon_type ~= "0|1|2|5|6", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), - xdm.source.user.identity_type = if(user_logon_type ~= "3|4", XDM_CONST.IDENTITY_TYPE_MACHINE, user_logon_type ~= "0|1|2|5|6", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "0|1|2|3", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "4|5|6|7|8", XDM_CONST.IDENTITY_TYPE_MACHINE), xdm.auth.privilege_level = if(user_logon_type ~= "3|4", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM, user_logon_type ~= "1|6", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, user_logon_type ~= "0|2|5", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "0|1", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "2|3", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, user_type_string ~= "4|5|6|7|8", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM), - xdm.event.outcome = if(ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED), - xdm.source.user.upn = coalesce(MailboxOwnerUPN, UserId), + xdm.email.attachment.size = AttachmentSizeInBytes, + xdm.email.bcc = arraymap(ExchangeMetaData -> BCC[], replex("@element", "\"", "")), + xdm.email.cc = arraymap(ExchangeMetaData -> CC[], replex("@element", "\"", "")), + xdm.email.data = to_string(OperationProperties), xdm.email.message_id = coalesce(Item -> InternetMessageId, ExchangeMetaData -> MessageID, MailboxGuid), + xdm.email.origination_timestamp = parse_timestamp( "%Y-%m-%dT%H:%M:%S", ExchangeMetaData -> Sent), + xdm.email.recipients = if(array_length(receivers -> []) > 0, arraymap(receivers -> [], trim("@element", "\"")), arraymap(ExchangeMetaData -> To[], trim("@element", "\""))), + xdm.email.sender = coalesce(ExchangeMetaData -> From, Sender), + 
xdm.email.subject = coalesce(replex(Item -> Subject, "\"", ""), replex(ExchangeMetaData -> Subject, "\"", "")), + xdm.event.description = coalesce(to_string(AffectedItems), to_string(ModifiedProperties)), + xdm.event.operation = if(Operation in("AttachmentAccess", "FileAccessed", "FileAccessedExtended", "FilePreviewed", "FileVisited", "SensitivityLabeledFileOpened"), XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation in ("FileCreated", "CreateFile"), XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation in ("FileDeleted", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin", "DeleteFileOrBlob"), XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation in ("FileModified", "FileModifiedExtended"), XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation in ("FileRenamed", "RenameFileOrDirectory", "SensitivityLabeledFileRenamed"), XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation in ("FolderCreated", "CreateFolder"), XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation in ("FolderDeleted", "DeleteFolder", "FolderDeletedFirstStageRecycleBin", "FolderDeletedSecondStageRecycleBin"), XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation in ("FolderModified", "UpdateFolder"), XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation in ("AddFolderPermissions", "UpdateFolderAccess"), XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation in ("FolderRenamed"), XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation), + xdm.event.operation_sub_type = Operation, + xdm.event.original_event_type = to_string(RecordType), + xdm.event.outcome = if(ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED), + xdm.intermediate.host.hostname = arrayindex(regextract(OriginatingServer, "(\S+)"), 0), xdm.intermediate.user.identifier = MailboxOwnerSid, - xdm.source.user.identifier = coalesce(LogonUserSid, UserKey), - 
xdm.source.user.username = LogonUserDisplayName, - xdm.intermediate.host.hostname = OriginatingServer, - xdm.observer.type = Workload, - xdm.source.ipv4 = check_src_ipv4, - xdm.source.ipv6 = check_src_ipv6, - xdm.source.application.name = ClientApplication, - xdm.email.attachment.size = AttachmentSizeInBytes, - xdm.alert.description = to_string(AppAccessContext), xdm.network.rule = to_string(PolicyDetails), - xdm.email.subject = coalesce(replex(Item -> Subject, "\"", ""), replex(ExchangeMetaData -> Subject, "\"", "")), + xdm.observer.type = Workload, + xdm.source.application.name = ClientApplication, + xdm.source.cloud.project = OrganizationName, + xdm.source.host.hostname = ClientMachineName, + xdm.source.host.ipv4_addresses = if(array_length(client_ipv4_addresses) > 0, client_ipv4_addresses), + xdm.source.host.ipv4_public_addresses = if(array_length(client_ipv4_public_addresses) > 0, client_ipv4_public_addresses), + xdm.source.host.ipv6_addresses = if(array_length(client_ipv6_addresses) > 0, client_ipv6_addresses), + xdm.source.interface = client_interface, + xdm.source.ipv4 = arrayindex(client_ipv4_addresses, 0), + xdm.source.ipv6 = arrayindex(client_ipv6_addresses, 0), + xdm.source.port = to_integer(client_port), + xdm.source.process.executable.extension = arraystring(regextract(ClientProcessName, "^\S+\.(\S+)"), ""), xdm.source.process.name = arraystring(regextract(ClientProcessName, "^(\S+)\.\S+"), ""), - xdm.email.sender = coalesce(ExchangeMetaData -> From, sender), - xdm.email.recipients = if(array_length(receivers -> []) > 0, arraymap(receivers -> [], trim("@element", "\"")), arraymap(ExchangeMetaData -> To[], trim("@element", "\""))), - xdm.email.cc = arraymap(ExchangeMetaData -> CC[], replex("@element", "\"", "")), - xdm.email.bcc = arraymap(ExchangeMetaData -> BCC[], replex("@element", "\"", "")), - xdm.email.origination_timestamp = parse_timestamp( "%Y-%m-%dT%H:%M:%S", ExchangeMetaData -> Sent), - xdm.email.data = to_string(OperationProperties), - 
xdm.source.process.executable.extension = arraystring(regextract(ClientProcessName, "^\S+\.(\S+)"), ""); + xdm.source.user.identifier = coalesce(LogonUserSid, UserKey), + xdm.source.user.identity_type = if(user_logon_type ~= "3|4", XDM_CONST.IDENTITY_TYPE_MACHINE, user_logon_type ~= "0|1|2|5|6", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "0|1|2|3", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "4|5|6|7|8", XDM_CONST.IDENTITY_TYPE_MACHINE), + xdm.source.user.upn = coalesce(UserId), + xdm.source.user.user_type = if(user_logon_type ~= "3|4", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT, user_logon_type ~= "0|1|2|5|6", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), + xdm.source.user.username = LogonUserDisplayName, + xdm.target.file.extension = object_id_file_extension, + xdm.target.file.filename = object_id_file_name, + xdm.target.file.path = object_id_file_path, + xdm.target.resource.name = if(ModifiedObjectResolvedName != null, ModifiedObjectResolvedName, ObjectId ~= "\S+", rtrim(ltrim(ObjectId, "<"), ">")); [MODEL: dataset="msft_o365_sharepoint_online_raw"] call o365_common_fields | alter - Scope = to_integer(Scope) -| alter - check_objectid_filepath = if(arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), "") ~= "\.", arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), ""), null), - sourcefilename_filename = arraystring(regextract(SourceFileName, "^\S+\.\S+"), ""), - sourcefilename_filextension = arraystring(regextract(SourceFileName, "^\S+\.(\S+)"), "") + Scope = to_integer(Scope), + object_id_file_name = arrayindex(regextract(ObjectId, ".+[\\\/]([^\\\/]+)$"), 0), + object_id_file_path = arrayindex(regextract(ObjectId, "(.+)[\\\/][^\\\/]+$"), 0) | alter platform_lowercase = lowercase(to_string(Platform)), user_type_string = to_string(UserType), SharePointMetaData_FileName_name = SharePointMetaData -> FileName, - 
SharePointMetaData_FileName_extension = arraystring(regextract(SharePointMetaData -> FileName, "^\S+\.(\S+)"), ""), - objectid_filepath = if(ObjectId ~= "\\|\/", ObjectId, null), - objectid_filename = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.\S+$"), ""), null), - objectid_filextension = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.(\S+)$"), ""), null), - check_sourcefilename_filename = if(sourcefilename_filename ~= "^\s*$", null, sourcefilename_filename), - check_sourcefilename_filextension = if(sourcefilename_filextension ~= "^\s*$", null, sourcefilename_filextension), - destinationfilename_filextension = arraystring(regextract(DestinationFileName, "^\S+\.(\S+)"), ""), - src_ip_v4 = if(ClientIP ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", ClientIP, null), - src_ip_v6 = if(ClientIP ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", ClientIP, null) + SharePointMetaData_FileName_extension = arrayindex(regextract(SharePointMetaData -> FileName, "\.([^.]+)$"), 0), // extract trailing suffix after last period + object_id_file_extension = arrayindex(regextract(object_id_file_name, "\.([^.]+)$"), 0), // extract trailing suffix after last period + client_ipv4_addresses = arraydistinct(regextract(ClientIP, "((?:\d{1,3}\.){3}\d{1,3})")), + client_ipv6_addresses = arraydistinct(regextract(ClientIP, "((?:[:]{2}[fF]{4}:(?:\d{1,3}\.){3}\d{1,3})|(?:(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}))")), + client_interface = arrayindex(regextract(ClientIP, "%(\d+)"), 0), // extract interface identifier from the ClientIP if such exists + client_port = arrayindex(regextract(ClientIP, "[^\:]+:(\d{1,5})$"), 0) // extract port from the ClientIP if such exists +| alter client_ipv4_public_addresses = arrayfilter(client_ipv4_addresses, not incidr("@element", "10.0.0.0/8") and not incidr("@element", 
"172.16.0.0/12") and not incidr("@element", "192.168.0.0/16") and not incidr("@element", "127.0.0.0/8") and not incidr("@element", "169.254.0.0/16") and not incidr("@element", "100.64.0.0/10")) | alter - xdm.target.resource.id = Site, - xdm.target.url = SiteUrl, - xdm.event.operation_sub_type = Operation, - xdm.event.operation = if(Operation = "AttachmentAccess", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation ~= "FileCreated", XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileAccessed", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileAccessedExtended", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FilePreviewed", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRenamed", XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation = "FileCheckOutDiscarded", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRestored", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FolderCreated", XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation = "FolderDeleted", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderModified", XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation = "FolderRecycled", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = "FolderRenamed", XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE), - xdm.target.resource.type = 
ItemType, + xdm.alert.description = to_string(AppAccessContext), + xdm.alert.severity = Severity, xdm.alert.subcategory = if(Scope = 0, "Online", Scope = 1, "Onprem"), + xdm.auth.auth_method = AuthenticationType, + xdm.auth.privilege_level = if(user_type_string ~= "0|1", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "2|3", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, user_type_string ~= "4|5|6|7|8", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM), + xdm.event.description = to_string(ModifiedProperties), + xdm.event.operation = if(Operation in("AttachmentAccess", "FileAccessed", "FileAccessedExtended", "FilePreviewed", "FileVisited", "SensitivityLabeledFileOpened"), XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation in ("FileCreated", "CreateFile"), XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation in ("FileDeleted", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin", "DeleteFileOrBlob"), XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation in ("FileModified", "FileModifiedExtended"), XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation in ("FileRenamed", "RenameFileOrDirectory", "SensitivityLabeledFileRenamed"), XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation in ("FolderCreated", "CreateFolder"), XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation in ("FolderDeleted", "DeleteFolder", "FolderDeletedFirstStageRecycleBin", "FolderDeletedSecondStageRecycleBin"), XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation in ("FolderModified", "UpdateFolder"), XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation in ("AddFolderPermissions", "UpdateFolderAccess"), XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation in ("FolderRenamed"), XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation), + xdm.event.operation_sub_type = Operation, + xdm.event.original_event_type = to_string(RecordType), + xdm.event.outcome = if(ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", 
XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED), xdm.network.http.browser = if(BrowserName = null, null, BrowserName ~= "^\s*$", null, BrowserName), + xdm.network.rule = to_string(PolicyDetails), + xdm.observer.action = to_string(ExceptionInfo), xdm.observer.name = EventSource, - xdm.source.user.upn = coalesce(SharePointMetaData -> From, UserId), - xdm.alert.severity = Severity, + xdm.observer.type = coalesce(Workload, Source), + xdm.source.application.name = ApplicationDisplayName, + xdm.source.host.ipv4_addresses = if(array_length(client_ipv4_addresses) > 0, client_ipv4_addresses), + xdm.source.host.ipv4_public_addresses = if(array_length(client_ipv4_public_addresses) > 0, client_ipv4_public_addresses), + xdm.source.host.ipv6_addresses = if(array_length(client_ipv6_addresses) > 0, client_ipv6_addresses), + xdm.source.host.os_family = if(platform_lowercase ~= "win|microsoft", XDM_CONST.OS_FAMILY_WINDOWS, platform_lowercase ~= "mac|osx", XDM_CONST.OS_FAMILY_MACOS, platform_lowercase ~= "linux|wac", XDM_CONST.OS_FAMILY_LINUX, platform_lowercase ~= "android", XDM_CONST.OS_FAMILY_ANDROID, platform_lowercase ~= "ios", XDM_CONST.OS_FAMILY_IOS, platform_lowercase ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, platform_lowercase ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, platform_lowercase ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, platform_lowercase ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, platform_lowercase ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, platform_lowercase ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, platform_lowercase ~= "scada", XDM_CONST.OS_FAMILY_SCADA), + xdm.source.interface = client_interface, + xdm.source.ipv4 = arrayindex(client_ipv4_addresses, 0), + xdm.source.ipv6 = arrayindex(client_ipv6_addresses, 0), + xdm.source.port = to_integer(client_port), xdm.source.user_agent = if(UserAgent = null, null, UserAgent ~= "^\s*$", null, UserAgent), xdm.source.user.identifier = UserKey, - xdm.observer.type = coalesce(Source, Workload), - 
xdm.auth.auth_method = AuthenticationType, - xdm.source.ipv4 = src_ip_v4, - xdm.source.ipv6 = src_ip_v6, - xdm.target.user.upn = if(targetuserorgroupname ~= "@", targetuserorgroupname), - xdm.target.user.groups = if(targetuserorgroupname !~= "@", arraycreate(targetuserorgroupname)), - xdm.source.host.os_family = if(platform_lowercase ~= "win|microsoft", XDM_CONST.OS_FAMILY_WINDOWS, platform_lowercase ~= "mac|osx", XDM_CONST.OS_FAMILY_MACOS, platform_lowercase ~= "linux|wac", XDM_CONST.OS_FAMILY_LINUX, platform_lowercase ~= "android", XDM_CONST.OS_FAMILY_ANDROID, platform_lowercase ~= "ios", XDM_CONST.OS_FAMILY_IOS, platform_lowercase ~= "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, platform_lowercase ~= "debian", XDM_CONST.OS_FAMILY_DEBIAN, platform_lowercase ~= "fedora", XDM_CONST.OS_FAMILY_FEDORA, platform_lowercase ~= "centos", XDM_CONST.OS_FAMILY_CENTOS, platform_lowercase ~= "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, platform_lowercase ~= "solaris", XDM_CONST.OS_FAMILY_SOLARIS, platform_lowercase ~= "scada", XDM_CONST.OS_FAMILY_SCADA), - xdm.source.application.name = ApplicationDisplayName, - xdm.event.original_event_type = to_string(RecordType), - xdm.event.description = to_string(ModifiedProperties), - xdm.alert.description = to_string(AppAccessContext), - xdm.target.file.size = to_integer(SharePointMetaData -> FileSize), - xdm.target.file.path = coalesce(SharePointMetaData -> FilePathUrl, objectid_filepath), - xdm.target.file.filename = coalesce(SharePointMetaData_FileName_name, DestinationFileName, check_sourcefilename_filename, objectid_filename), - xdm.target.file.extension = coalesce(SharePointMetaData_FileName_extension, destinationfilename_filextension, check_sourcefilename_filextension, objectid_filextension), - xdm.target.resource.name = if(ObjectId = null, null, ObjectId ~= "^\s*$", null, ObjectId), - xdm.source.user.user_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", 
XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), xdm.source.user.identity_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "4|5|6|7|8", XDM_CONST.IDENTITY_TYPE_MACHINE), - xdm.auth.privilege_level = if(user_type_string ~= "0|1", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "2|3", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, user_type_string ~= "4|5|6|7|8", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM), - xdm.observer.action = to_string(ExceptionInfo), - xdm.network.rule = to_string(PolicyDetails), - xdm.event.outcome = if(ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED); - + xdm.source.user.upn = coalesce(UserId, SharePointMetaData -> From), + xdm.source.user.user_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), + xdm.target.file.extension = coalesce(SharePointMetaData_FileName_extension, DestinationFileExtension, SourceFileExtension, object_id_file_extension), // extract trailing suffix after last period + xdm.target.file.filename = coalesce(SharePointMetaData_FileName_name, DestinationFileName, SourceFileName, object_id_file_name), + xdm.target.file.path = coalesce(SharePointMetaData -> FilePathUrl, object_id_file_path), + xdm.target.file.size = to_integer(SharePointMetaData -> FileSize), + xdm.target.resource.id = Site, + xdm.target.resource.name = if(ObjectId ~= "\S+", rtrim(ltrim(ObjectId, "<"), ">")), + xdm.target.resource.type = ItemType, + xdm.target.url = SiteUrl, + xdm.target.user.groups = if(TargetUserOrGroupName !~= "@", arraycreate(TargetUserOrGroupName)), + xdm.target.user.upn = if(TargetUserOrGroupName ~= "@", TargetUserOrGroupName); [MODEL: dataset="msft_o365_dlp_raw"] call o365_common_fields | alter - Scope = 
to_integer(Scope) -| alter + Scope = to_integer(Scope), SharePointMetaData_FileName = SharePointMetaData -> FileName, SharePointMetaData_FilePathUrl = SharePointMetaData -> FilePathUrl, EndpointMetaData_EnforcementMode = EndpointMetaData -> EnforcementMode, - EndpointMetaData_FileExtension = EndpointMetaData -> FileExtension, + EndpointMetaData_FileExtension = EndpointMetaData -> FileExtension, // extract trailing suffix after last period user_type_string = to_string(UserType), - check_objectid_filepath = if(arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), "") ~= "\.", arraystring(regextract(ObjectId, "^.+[\/\\]([^\/\\]+)$"), "")) + object_id_file_name = arrayindex(regextract(ObjectId, ".+[\\\/]([^\\\/]+)$"), 0), + object_id_file_path = arrayindex(regextract(ObjectId, "(.+)[\\\/][^\\\/]+$"), 0) | alter + object_id_file_extension = arrayindex(regextract(object_id_file_name, "\.([^.]+)$"), 0), // extract trailing suffix after last period translate_EnforcementMode = if(EndpointMetaData_EnforcementMode = "1", "Audit", EndpointMetaData_EnforcementMode = "2", "Warn (Block with override)", EndpointMetaData_EnforcementMode = "3", "Warn and bypass", EndpointMetaData_EnforcementMode = "4", "Block", EndpointMetaData_EnforcementMode = "5", "Allow (Audit without alerts)"), SharePointMetaData_FileName_name = arrayindex(split(SharePointMetaData_FileName, """\\"""), -1), - SharePointMetaData_FileName_extension = arraystring(regextract(SharePointMetaData_FileName, "\S+\.(\S+)$"), ""), - ObjectId_path = if(ObjectId ~= "\\|\/", ObjectId, null), - ObjectId_name = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.\S+$"), ""), null), - ObjectId_extension = if(check_objectid_filepath != null, arraystring(regextract(check_objectid_filepath, "\S+\.(\S+)$"), ""), null) + SharePointMetaData_FileName_extension = arrayindex(regextract(SharePointMetaData_FileName, "\.([^.]+)$"), 0) // extract trailing suffix after last period | alter - 
xdm.source.user.username = SharePointMetaData -> From, - xdm.network.http.url = SharePointMetaData -> SiteCollectionUrl, - xdm.target.file.path = coalesce(SharePointMetaData_FilePathUrl, ObjectId_path), - xdm.target.file.filename = coalesce(SharePointMetaData_FileName_name, ObjectId_name), - xdm.target.file.extension = coalesce(SharePointMetaData_FileName_extension, EndpointMetaData_FileExtension, ObjectId_extension), - xdm.event.original_event_type = to_string(RecordType), - xdm.event.operation_sub_type = Operation, - xdm.event.operation = if(Operation = "AttachmentAccess", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation ~= "FileCreated", XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileAccessed", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileAccessedExtended", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FilePreviewed", XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRenamed", XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation = "FileCheckOutDiscarded", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FileDeleted", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation = "FileModified", XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation = "FileRestored", XDM_CONST.OPERATION_TYPE_FILE_CHANGE_MODE, Operation = "FolderCreated", XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation = "FolderDeleted", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedFirstStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderDeletedSecondStageRecycleBin", XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation = "FolderModified", XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation = "FolderRecycled", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = 
"FolderRenamed", XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation = "FolderRestored", XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE), + xdm.alert.description = to_string(AppAccessContext), xdm.alert.subcategory = if(Scope = 0, "Online", Scope = 1, "Onprem"), - xdm.target.url = SharePointMetaData -> FilePathUrl, - xdm.source.user.user_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), - xdm.source.user.identity_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "4|5|6|7|8", XDM_CONST.IDENTITY_TYPE_MACHINE), xdm.auth.privilege_level = if(user_type_string ~= "0|1", XDM_CONST.PRIVILEGE_LEVEL_USER, user_type_string ~= "2|3", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, user_type_string ~= "4|5|6|7|8", XDM_CONST.PRIVILEGE_LEVEL_SYSTEM), - xdm.event.outcome = if(EndpointMetaData_EnforcementMode = "1", XDM_CONST.OUTCOME_UNKNOWN, EndpointMetaData_EnforcementMode ~= "2|3", XDM_CONST.OUTCOME_PARTIAL, EndpointMetaData_EnforcementMode = "4", XDM_CONST.OUTCOME_FAILED, EndpointMetaData_EnforcementMode = "5", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED), - xdm.event.outcome_reason = coalesce(translate_EnforcementMode, ResultStatus), - xdm.observer.action = coalesce(translate_EnforcementMode, to_string(ExceptionInfo), ResultStatus), xdm.email.attachment.size = coalesce(to_integer(ExchangeMetaData -> FileSize), to_integer(SharePointMetaData -> FileSize)), + xdm.email.bcc = arraymap(ExchangeMetaData -> BCC[], replex("@element", "\"", "")), + xdm.email.cc = arraymap(ExchangeMetaData -> CC[], replex("@element", "\"", "")), xdm.email.message_id = 
ExchangeMetaData -> MessageID, - xdm.email.sender = ExchangeMetaData -> From, + xdm.email.origination_timestamp = parse_timestamp( "%Y-%m-%dT%H:%M:%S", ExchangeMetaData -> Sent), xdm.email.recipients = arraymap(ExchangeMetaData -> To[], replex("@element", "\"", "")), - xdm.email.cc = arraymap(ExchangeMetaData -> CC[], replex("@element", "\"", "")), - xdm.email.bcc = arraymap(ExchangeMetaData -> BCC[], replex("@element", "\"", "")), + xdm.email.sender = ExchangeMetaData -> From, xdm.email.subject = ExchangeMetaData -> Subject, - xdm.email.origination_timestamp = parse_timestamp( "%Y-%m-%dT%H:%M:%S", ExchangeMetaData -> Sent), + xdm.event.operation = if(Operation in("AttachmentAccess", "FileAccessed", "FileAccessedExtended", "FilePreviewed", "FileVisited", "SensitivityLabeledFileOpened"), XDM_CONST.OPERATION_TYPE_FILE_OPEN, Operation in ("FileCreated", "CreateFile"), XDM_CONST.OPERATION_TYPE_FILE_CREATE, Operation in ("FileDeleted", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin", "DeleteFileOrBlob"), XDM_CONST.OPERATION_TYPE_FILE_REMOVE, Operation in ("FileModified", "FileModifiedExtended"), XDM_CONST.OPERATION_TYPE_FILE_WRITE, Operation in ("FileRenamed", "RenameFileOrDirectory", "SensitivityLabeledFileRenamed"), XDM_CONST.OPERATION_TYPE_FILE_RENAME, Operation in ("FolderCreated", "CreateFolder"), XDM_CONST.OPERATION_TYPE_DIR_CREATE, Operation in ("FolderDeleted", "DeleteFolder", "FolderDeletedFirstStageRecycleBin", "FolderDeletedSecondStageRecycleBin"), XDM_CONST.OPERATION_TYPE_DIR_REMOVE, Operation in ("FolderModified", "UpdateFolder"), XDM_CONST.OPERATION_TYPE_DIR_WRITE, Operation in ("AddFolderPermissions", "UpdateFolderAccess"), XDM_CONST.OPERATION_TYPE_DIR_CHANGE_MODE, Operation in ("FolderRenamed"), XDM_CONST.OPERATION_TYPE_DIR_RENAME, Operation), + xdm.event.operation_sub_type = Operation, + xdm.event.original_event_type = to_string(RecordType), + xdm.event.outcome = if(EndpointMetaData_EnforcementMode = "1", XDM_CONST.OUTCOME_UNKNOWN, 
EndpointMetaData_EnforcementMode ~= "2|3", XDM_CONST.OUTCOME_PARTIAL, EndpointMetaData_EnforcementMode = "4", XDM_CONST.OUTCOME_FAILED, EndpointMetaData_EnforcementMode = "5", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED), + xdm.event.outcome_reason = coalesce(translate_EnforcementMode, ResultStatus), + xdm.network.http.url = SharePointMetaData -> SiteCollectionUrl, + xdm.network.rule = to_string(PolicyDetails), + xdm.observer.action = coalesce(translate_EnforcementMode, to_string(ExceptionInfo), ResultStatus), + xdm.observer.type = coalesce(Workload, evaluationsource), + xdm.source.user.identifier = UserKey, + xdm.source.user.identity_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.IDENTITY_TYPE_USER, user_type_string ~= "4|5|6|7|8", XDM_CONST.IDENTITY_TYPE_MACHINE), + xdm.source.user.upn = UserId, + xdm.source.user.user_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), + xdm.source.user.username = SharePointMetaData -> From, + xdm.target.file.extension = coalesce(SharePointMetaData_FileName_extension, EndpointMetaData_FileExtension, object_id_file_extension), xdm.target.file.file_type = EndpointMetaData -> FileType, + xdm.target.file.filename = coalesce(SharePointMetaData_FileName_name, object_id_file_name), + xdm.target.file.path = coalesce(SharePointMetaData_FilePathUrl, object_id_file_path), xdm.target.host.hostname = EndpointMetaData -> DeviceName, - xdm.observer.type = coalesce(evaluationsource, Workload), - xdm.source.user.upn = UserId, - xdm.source.user.identifier = UserKey, - xdm.target.resource.name = if(ObjectId = null, null, ObjectId ~= "^\s*$", null, ObjectId), - xdm.alert.description = 
to_string(AppAccessContext), - xdm.network.rule = to_string(PolicyDetails); + xdm.target.resource.name = if(ObjectId ~= "\S+", rtrim(ltrim(ObjectId, "<"), ">")), + xdm.target.url = SharePointMetaData -> FilePathUrl; + [MODEL: dataset = "msft_o365_emails_raw"] alter - xdm.email.message_id = InternetMessageId, - xdm.source.user.username = coalesce(sender -> emailAddress.name, From -> emailAddress.name), - xdm.email.sender = coalesce(sender -> emailAddress.address, From -> emailAddress.address), - xdm.observer.unique_identifier = webLink, - xdm.email.recipients = arraymap(toRecipients -> [], "@element"-> emailAddress.address), + xdm.alert.severity = importance, + xdm.email.attachment.filename = arraystring(arraymap(Attachments -> [], "@element"-> name), "|"), xdm.email.cc = arraymap(ccRecipients -> [], "@element"-> emailAddress.address), - // xdm.email.bcc = arraymap(bccRecipients -> [], "@element"-> emailAddress.address), - xdm.email.attachment.filename = arraystring(arraymap(attachments -> [], "@element"-> name), "|"), xdm.email.data = to_string(internetMessageHeaders), - xdm.alert.severity = importance; + xdm.email.message_id = InternetMessageId, + xdm.email.recipients = arraymap(toRecipients -> [], "@element"-> emailAddress.address), + xdm.email.sender = coalesce(Sender -> emailAddress.address, From -> emailAddress.address), + xdm.observer.unique_identifier = webLink, + xdm.source.user.username = coalesce(Sender -> emailAddress.name, From -> emailAddress.name); \ No newline at end of file diff --git a/Packs/Office365/ModelingRules/Office365/Office365_schema.json b/Packs/Office365/ModelingRules/Office365/Office365_schema.json index c4569f38c76c..7217e033b4c9 100644 --- a/Packs/Office365/ModelingRules/Office365/Office365_schema.json +++ b/Packs/Office365/ModelingRules/Office365/Office365_schema.json 
@@ -1,74 +1,82 @@
 {
 "msft_o365_general_raw": {
- "Id": {
+ "ActionId": {
 "type": "string",
 "is_array": false
 },
- "OrganizationId": {
+ "Actions": {
 "type": "string",
 "is_array": false
 },
- "AppAccessContext": {
+ "ActorUserId": {
 "type": "string",
 "is_array": false
 },
- "Platform": {
+ "ActorYammerUserId": {
+ "type": "int",
+ "is_array": false
+ },
+ "AlertEntityId": {
 "type": "string",
 "is_array": false
 },
- "userip": {
+ "AlertId": {
 "type": "string",
 "is_array": false
 },
- "senderip": {
+ "AppAccessContext": {
 "type": "string",
 "is_array": false
 },
- "ClientIP": {
+ "Application": {
 "type": "string",
 "is_array": false
 },
- "filename": {
+ "Category": {
 "type": "string",
 "is_array": false
 },
- "members": {
+ "ClientIP": {
 "type": "string",
 "is_array": false
 },
- "ObjectId": {
+ "Data": {
 "type": "string",
 "is_array": false
 },
- "policyaction": {
+ "DataExportType": {
 "type": "string",
 "is_array": false
 },
- "message": {
+ "DeeplinkURL": {
 "type": "string",
 "is_array": false
 },
- "Operation": {
+ "Detail": {
 "type": "string",
 "is_array": false
 },
- "InvestigationId": {
+ "Details": {
 "type": "string",
 "is_array": false
 },
- "actionid": {
+ "DetectionType": {
 "type": "string",
 "is_array": false
 },
- "AlertEntityId": {
+ "DeviceName": {
 "type": "string",
 "is_array": false
 },
- "AlertId": {
+ "EnforcementMode": {
+ "type": "int",
+ "is_array": false
+ },
+ "EntityId": {
 "type": "string",
 "is_array": false
 },
- "detectiontype": {
+ "EntityName": {
 "type": "string",
 "is_array": false
 },
@@ -76,147 +84,147 @@ "type": "string", "is_array": false }, - "FileExtension": { + "EventDeepLink": { "type": "string", "is_array": false }, - "formname": { + "ExtraProperties": { "type": "string", "is_array": false }, - "EntityId": { + "Fields": { "type": "string", "is_array": false }, - "p2sender": { + "FileData": { "type": "string", "is_array": false }, - "targetuserid": { + "FileExtension": { "type": "string", "is_array": false }, - "ReleaseTo": { + "FileName": { "type": "string", "is_array": false }, - "recipients": { - "type": "string", + "FileSize": { + "type": "int", "is_array": false }, - "username": { + "FileType": { "type": "string", "is_array": false }, - "actoruserid": { + "FormName": { "type": "string", "is_array": false }, - "UserId": { + "Id": { "type": "string", "is_array": false }, - "userrole": { + "InternetMessageId": { "type": "string", "is_array": false }, - "ActorYammerUserId": { - "type": "int", + "InvestigationId": { + "type": "string", "is_array": false }, - "UserKey": { + "InvestigationName": { "type": "string", "is_array": false }, - "verdict": { + "InvestigationType": { "type": "string", "is_array": false }, - "investigationtype": { + "ItemId": { "type": "string", "is_array": false }, - "Category": { + "ItemName": { "type": "string", "is_array": false }, - "ModifiedProperties": { + "ItemType": { "type": "string", "is_array": false }, - "messages": { + "Members": { "type": "string", "is_array": false }, - "FileData": { + "Message": { "type": "string", "is_array": false }, - "fields": { + "MessageId": { "type": "string", "is_array": false }, - "ExtraProperties": { + "Messages": { "type": "string", "is_array": false }, - "details": { + "ModifiedProperties": { "type": "string", "is_array": false }, - "detail": { + "Name": { "type": "string", "is_array": false }, - "PolicyMatchInfo": { + "NetworkMessageId": { "type": "string", "is_array": false }, - "Data": { + "ObjectId": { "type": "string", "is_array": false }, - "dataexporttype": { + 
"Operation": { "type": "string", "is_array": false }, - "itemid": { + "OrganizationId": { "type": "string", "is_array": false }, - "useragent": { + "P1Sender": { "type": "string", "is_array": false }, - "ItemType": { + "P2Sender": { "type": "string", "is_array": false }, - "p1sender": { + "Platform": { "type": "string", "is_array": false }, - "NetworkMessageId": { + "PolicyAction": { "type": "string", "is_array": false }, - "messageid": { + "PolicyMatchInfo": { "type": "string", "is_array": false }, - "internetmessageid": { + "Reason": { "type": "string", "is_array": false }, - "FileType": { + "Recipients": { "type": "string", "is_array": false }, - "sha256": { - "type": "string", + "RecordType": { + "type": "int", "is_array": false }, - "Reason": { + "ReleaseTo": { "type": "string", "is_array": false }, @@ -224,47 +232,47 @@ "type": "string", "is_array": false }, - "actions": { - "type": "string", + "Scope": { + "type": "int", "is_array": false }, - "Status": { + "SenderIp": { "type": "string", "is_array": false }, - "Name": { + "Severity": { "type": "string", "is_array": false }, - "entityname": { + "Sha256": { "type": "string", "is_array": false }, - "DeviceName": { + "Source": { "type": "string", "is_array": false }, - "Severity": { + "SourceApp": { "type": "string", "is_array": false }, - "investigationname": { - "type": "string", + "SourceWorkload": { + "type": "int", "is_array": false }, - "SourceApp": { + "Status": { "type": "string", "is_array": false }, - "itemname": { + "Subject": { "type": "string", "is_array": false }, - "subject": { + "TargetUserId": { "type": "string", "is_array": false }, - "targetyammeruserid": { + "TargetYammerUserId": { "type": "string", "is_array": false }, 
@@ -272,69 +280,61 @@ "type": "string", "is_array": false }, - "url": { + "Url": { "type": "string", "is_array": false }, - "eventdeeplink": { + "UserAgent": { "type": "string", "is_array": false }, - "deeplinkurl": { + "UserId": { "type": "string", "is_array": false }, - "Application": { + "UserIp": { "type": "string", "is_array": false }, - "Source": { + "UserKey": { "type": "string", "is_array": false }, - "Workload": { + "UserName": { "type": "string", "is_array": false }, - "RecordType": { - "type": "int", + "UserRole": { + "type": "string", "is_array": false }, "UserType": { "type": "int", "is_array": false }, - "EnforcementMode": { - "type": "int", - "is_array": false - }, - "sourceworkload": { - "type": "int", - "is_array": false - }, - "Scope": { - "type": "int", + "Verdict": { + "type": "string", "is_array": false }, - "FileSize": { - "type": "int", + "Workload": { + "type": "string", "is_array": false - } + } }, "msft_o365_exchange_online_raw": { - "Id": { + "AffectedItems": { "type": "string", "is_array": false }, - "OrganizationId": { + "AppAccessContext": { "type": "string", "is_array": false }, - "AppAccessContext": { - "type": "string", + "AttachmentSizeInBytes": { + "type": "int", "is_array": false }, - "ClientIPAddress": { + "ClientApplication": { "type": "string", "is_array": false }, 
@@ -342,95 +342,95 @@ "type": "string", "is_array": false }, - "ObjectId": { + "ClientIPAddress": { "type": "string", "is_array": false }, - "ModifiedObjectResolvedName": { + "ClientMachineName": { "type": "string", "is_array": false }, - "Operation": { + "ClientProcessName": { "type": "string", "is_array": false }, - "AffectedItems": { + "ExchangeMetaData": { "type": "string", "is_array": false }, - "ModifiedProperties": { + "formid": { "type": "string", "is_array": false }, - "ClientMachineName": { + "Id": { "type": "string", "is_array": false }, - "OrganizationName": { - "type": "string", + "InternalLogonType": { + "type": "int", "is_array": false }, - "ResultStatus": { + "Item": { "type": "string", "is_array": false }, - "MailboxOwnerUPN": { - "type": "string", + "LogonType": { + "type": "int", "is_array": false }, - "UserId": { + "LogonUserDisplayName": { "type": "string", "is_array": false }, - "Item": { + "LogonUserSid": { "type": "string", "is_array": false }, - "ExchangeMetaData": { + "MailboxGuid": { "type": "string", "is_array": false }, - "MailboxGuid": { + "MailboxOwnerSid": { "type": "string", "is_array": false }, - "MailboxOwnerSid": { + "MailboxOwnerUPN": { "type": "string", "is_array": false }, - "LogonUserSid": { + "ModifiedObjectResolvedName": { "type": "string", "is_array": false }, - "UserKey": { + "ModifiedProperties": { "type": "string", "is_array": false }, - "LogonUserDisplayName": { + "ObjectId": { "type": "string", "is_array": false }, - "OriginatingServer": { + "Operation": { "type": "string", "is_array": false }, - "formid": { + "OperationProperties": { "type": "string", "is_array": false }, - "Workload": { + "OrganizationId": { "type": "string", "is_array": false }, - "ClientApplication": { + "OrganizationName": { "type": "string", "is_array": false }, - "PolicyDetails": { + "OriginatingServer": { "type": "string", "is_array": false }, - "ClientProcessName": { + "PolicyDetails": { "type": "string", "is_array": false }, 
@@ -438,279 +438,287 @@ "type": "string", "is_array": false }, - "OperationProperties": { - "type": "string", + "RecordType": { + "type": "int", "is_array": false }, - "sender": { + "ResultStatus": { "type": "string", "is_array": false - }, - "RecordType": { + }, + "Scope": { "type": "int", "is_array": false }, - "LogonType": { - "type": "int", + "Sender": { + "type": "string", "is_array": false }, - "InternalLogonType": { - "type": "int", + "UserId": { + "type": "string", "is_array": false }, - "UserType": { - "type": "int", + "UserKey": { + "type": "string", "is_array": false }, - "Scope": { + "UserType": { "type": "int", "is_array": false }, - "AttachmentSizeInBytes": { - "type": "int", + "Workload": { + "type": "string", "is_array": false - } + } }, "msft_o365_sharepoint_online_raw": { - "Id": { + "AppAccessContext": { "type": "string", "is_array": false }, - "OrganizationId": { + "ApplicationDisplayName": { "type": "string", "is_array": false }, - "AppAccessContext": { + "AuthenticationType": { "type": "string", "is_array": false }, - "ObjectId": { + "BrowserName": { "type": "string", "is_array": false }, - "SourceFileName": { + "ClientIP": { "type": "string", "is_array": false }, - "Platform": { + "DestinationFileExtension": { "type": "string", "is_array": false }, - "SharePointMetaData": { + "DestinationFileName": { "type": "string", "is_array": false }, - "DestinationFileName": { + "EventSource": { "type": "string", "is_array": false }, - "ClientIP": { + "ExceptionInfo": { "type": "string", "is_array": false }, - "Site": { + "Id": { "type": "string", "is_array": false }, - "SiteUrl": { + "ItemType": { "type": "string", "is_array": false }, - "Operation": { + "ModifiedProperties": { "type": "string", "is_array": false }, - "ItemType": { + "ObjectId": { "type": "string", "is_array": false }, - "BrowserName": { + "Operation": { "type": "string", "is_array": false }, - "EventSource": { + "OrganizationId": { "type": "string", "is_array": false }, - "UserId": { + 
"Platform": { "type": "string", "is_array": false }, - "Severity": { + "PolicyDetails": { "type": "string", "is_array": false }, - "UserAgent": { + "RecordType": { + "type": "int", + "is_array": false + }, + "ResultStatus": { "type": "string", "is_array": false }, - "UserKey": { + "Scope": { + "type": "int", + "is_array": false + }, + "Severity": { "type": "string", "is_array": false }, - "Source": { + "SharePointMetaData": { "type": "string", "is_array": false }, - "Workload": { + "Site": { "type": "string", "is_array": false }, - "AuthenticationType": { + "SiteUrl": { "type": "string", "is_array": false }, - "targetuserorgroupname": { + "Source": { "type": "string", "is_array": false }, - "ApplicationDisplayName": { + "SourceFileExtension": { "type": "string", "is_array": false }, - "ModifiedProperties": { + "SourceFileName": { "type": "string", "is_array": false }, - "ExceptionInfo": { + "TargetUserOrGroupName": { "type": "string", "is_array": false }, - "PolicyDetails": { + "UserAgent": { "type": "string", "is_array": false }, - "ResultStatus": { + "UserId": { "type": "string", "is_array": false }, - "RecordType": { - "type": "int", + "UserKey": { + "type": "string", "is_array": false }, "UserType": { "type": "int", "is_array": false }, - "Scope": { - "type": "int", + "Workload": { + "type": "string", "is_array": false - } + } }, "msft_o365_dlp_raw": { - "Id": { + "AppAccessContext": { "type": "string", "is_array": false }, - "OrganizationId": { + "EndpointMetaData": { "type": "string", "is_array": false }, - "AppAccessContext": { + "evaluationsource": { "type": "string", "is_array": false }, - "SharePointMetaData": { + "ExceptionInfo": { "type": "string", "is_array": false }, - "EndpointMetaData": { + "ExchangeMetaData": { "type": "string", "is_array": false }, - "ObjectId": { + "Id": { "type": "string", "is_array": false }, - "Operation": { + "ObjectId": { "type": "string", "is_array": false }, - "ResultStatus": { + "Operation": { "type": "string", 
"is_array": false }, - "ExceptionInfo": { + "OrganizationId": { "type": "string", "is_array": false }, - "ExchangeMetaData": { + "PolicyDetails": { "type": "string", "is_array": false }, - "evaluationsource": { - "type": "string", + "RecordType": { + "type": "int", "is_array": false }, - "Workload": { + "ResultStatus": { "type": "string", "is_array": false }, - "UserId": { - "type": "string", + "Scope": { + "type": "int", "is_array": false }, - "UserKey": { + "SharePointMetaData": { "type": "string", "is_array": false }, - "PolicyDetails": { + "UserId": { "type": "string", "is_array": false }, - "RecordType": { - "type": "int", + "UserKey": { + "type": "string", "is_array": false }, "UserType": { "type": "int", "is_array": false }, - "Scope": { - "type": "int", + "Workload": { + "type": "string", "is_array": false - } + } }, "msft_o365_emails_raw": { - "InternetMessageId": { + "Attachments": { "type": "string", "is_array": false }, - "sender": { + "bccRecipients": { "type": "string", "is_array": false }, - "From": { + "ccRecipients": { "type": "string", "is_array": false }, - "webLink": { + "From": { "type": "string", "is_array": false }, - "toRecipients": { + "importance": { "type": "string", "is_array": false }, - "ccRecipients": { + "internetMessageHeaders": { "type": "string", "is_array": false }, - "bccRecipients": { + "InternetMessageId": { "type": "string", "is_array": false }, - "attachments": { + "Sender": { "type": "string", "is_array": false }, - "internetMessageHeaders": { + "toRecipients": { "type": "string", "is_array": false }, - "importance": { + "webLink": { "type": "string", "is_array": false - } - } -} \ No newline at end of file + } + } +} \ No newline at end of file diff --git a/Packs/Office365/ReleaseNotes/1_0_10.md b/Packs/Office365/ReleaseNotes/1_0_10.md new file mode 100644 index 000000000000..8779c76784ad --- /dev/null +++ b/Packs/Office365/ReleaseNotes/1_0_10.md 
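Review bot: In `msft_o365_emails_raw` the renamed keys `Sender` and `Attachments` are the only PascalCase names in a dataset whose other fields (`toRecipients`, `ccRecipients`, `bccRecipients`, `internetMessageHeaders`, `webLink`, `importance`) keep Graph-style camelCase, so if dataset field matching is case-sensitive the rule expressions that read them (`xdm.email.sender`, `xdm.source.user.username`, `xdm.email.attachment.filename`) will silently resolve to null rather than error. The same mixed casing is visible elsewhere in this hunk (`evaluationsource` stays lowercase in the DLP dataset while fields such as `userip`/`senderip` were recased in the general dataset above), which suggests the renames were not all checked against captured raw events. Please confirm from an ingested event which spelling the field actually carries; if both can occur, keep both keys in the schema and tolerate either in the rule, e.g. `xdm.email.sender = coalesce(Sender -> emailAddress.address, sender -> emailAddress.address, From -> emailAddress.address)`. A modeling-rule test sample containing the lowercase form would make this regression visible, since sender and attachment name are exactly the fields phishing detections key on.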
@@ -0,0 +1,16 @@ + +#### Modeling Rules + +##### Office 365 Modeling Rule + +- Improved implementation of the existing extractions and mappings. + - Added support for additional [record type](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype) values for the `xdm.event.type` mapping. + - Added support for extracting and mapping multiple client IP addresses. + - Added support for handling [*IPv4 mapped IPv6 addresses*](https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses) for client IP addresses. + - Added support for extracting and mapping the source port and interface identifier when they are present in the client IP address field value. + - Fixed an issue with the `xdm.target.file.filename` that caused the mapped filename value to be truncated. + - Removed the surrounding angle brackets from the `xdm.target.resource.name` mapped value, when such existed. + - Updated the `xdm.event.operation` mapping to the raw `Operation` field value if it does not match to any of the existing [XDM_CONST.OPERATION_TYPE](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-Data-Model-Schema-Guide/XDM_CONST.OPERATION_TYPE) ENUM values. + - Updated the `xdm.source.user.upn` mapping to the `UserId` field on first precedence. + - Updated the `xdm.observer.type` mapping to the `Workload` field on first precedence. + - Updated the mapping of the `xdm.email.subject` field on the `msft_o365_general_raw` dataset for the `Subject` field on first precedence with a fallback to the `ItemName` field only on [MIP](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#mip-label-schema) events. diff --git a/Packs/Office365/pack_metadata.json b/Packs/Office365/pack_metadata.json index 63cdaf0929f2..d39662f2c422 100644 --- a/Packs/Office365/pack_metadata.json +++ b/Packs/Office365/pack_metadata.json 
@@ -2,7 +2,7 @@
 "name": "Office 365",
 "description": "The product family of productivity and collaboration cloud based softwares owned by Microsoft.",
 "support": "xsoar",
- "currentVersion": "1.0.9",
+ "currentVersion": "1.0.10",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",