Need to modify Office365Parser-v1.2 to pick up two new fields seeking guidance.

Question

Happy New Year,Couple questions  My goal is to create an alert based on the values in a particular value field, RequestTypethe possible values are :"oauth2:authorize" .   or   "login:login". if we find this last one we will create a rule to alert.My customer is sending logs for parsing by  Office365Parser-v1.2   they want to be alerted if the sample logs below Thank you,   Karl Henning  I have removed some stuff to anonymise   [OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"2df6c5b4-66e0-456f-8028-92a389afe2cd","Type":0},{"ID":"stuff ........ClientIP":"2607:fea8:9367:a200:e0d9:d500:edea:22ce","CreationTime":"2024-09-25T13:21:21UTC","DeviceProperties":[{"Name":"OS","Value":"Windows10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"SessionId","Value":"c774a6fd-4dfc-43c2-9ee5-2f56c2bc2c49"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"},{"Name":"UserAuthenticationMethod","Value":"16"},{"Name":"RequestType","Value":"Login:login"}],"Id":"45754924-b5af-41c8-ba86-3c580da68400","InterSystemsId":"7c990d33-8f9a-438b-290a-f008f084bdcc","IntraSystemId":"45754924-b5af-41c8-ba86-3c580da68400","ModifiedProperties":[],"ObjectId":"00000002-0000-0ff1-ce00-000000000000","Operation":"UserLoggedIn","OrganizationId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","RecordType":15,"ResultStatus":"Success","ServerHostName":"manage.office.com","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","TenantId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","UserId":"","UserKey":"2df6c5b4-66e0-456f-8028-92a389afe2cd","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":2080} (edited)MFA Log[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"2636c7f5-e63a-4f39-a9de-5c8366c6b56d","Type":0},{"ID":stuff.com","Type":5}],"ActorContextId":"c24cf3ff-..........{"Name":"DisplayName","Value":"FXNZDZ3"},{"Name":"OS","Value":"Windows10"},{"Name":"BrowserType","Value":"Edge"},{"Name":"IsCompliant","Value":"True"},{"Name":"IsCompliantAndManaged","Value":"True"},{"Name":"TrustType","Value":"1"},{"Name":"SessionId","Value":"715f5ac1-bf84-49a6-8598-086649ce649c"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"Id":"d8efaa45-dbd8-4450-af6a-cf4c971b6100","InterSystemsId":"cfea069a-3584-433f-93cb-2baea2969a6c","IntraSystemId":"d8efaa45-dbd8-4450-af6a-cf4c971b6100","ModifiedProperties":[],"ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","Operation":"UserLoggedIn","OrganizationId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","RecordType":15,"ResultStatus":"Success","ServerHostName":"manage.office.com","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","TenantId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","UserId":"","UserKey":"2636c7f5-e63a-4f39-a9de-5c8366c6b56d","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":2080} Wondering if @Rob_SIEM could give some insights.  I'll try and modify

prakadesh · Accepted Answer

Try this @KarlH <attrKeyMap attr="authType" key="ExtendedProperties.find(Name='RequestType', Value)"/>

prakadesh · Answer

Hi @KarlH,Once the attrKeyMap is added, it will move the outcome of RequestType into the loginType event attribute. Later, you can add a rule to monitor the loginType event attribute and generate an incident.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded