Happy New Year,
A couple of questions.
My goal is to create an alert based on the values in a particular field, RequestType.
The possible values are "oauth2:authorize" or "login:login". If we find this last one we will create a rule to alert.
My customer is sending logs for parsing by Office365Parser-v1.2; they want to be alerted if the
Sample logs below.
Thank you, Karl Henning
I have removed some stuff to anonymise.
[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"2df6c5b4-66e0-456f-8028-92a389afe2cd","Type":0},{"ID":"stuff ........ClientIP":"2607:fea8:9367:a200:e0d9:d500:edea:22ce","CreationTime":"2024-09-25T13:21:21UTC","DeviceProperties":[{"Name":"OS","Value":"Windows10"},{"Name":"BrowserType","Value":"Chrome"},{"Name":"SessionId","Value":"c774a6fd-4dfc-43c2-9ee5-2f56c2bc2c49"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"},{"Name":"UserAuthenticationMethod","Value":"16"},{"Name":"RequestType","Value":"Login:login"}],"Id":"45754924-b5af-41c8-ba86-3c580da68400","InterSystemsId":"7c990d33-8f9a-438b-290a-f008f084bdcc","IntraSystemId":"45754924-b5af-41c8-ba86-3c580da68400","ModifiedProperties":[],"ObjectId":"00000002-0000-0ff1-ce00-000000000000","Operation":"UserLoggedIn","OrganizationId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","RecordType":15,"ResultStatus":"Success","ServerHostName":"manage.office.com","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","TenantId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","UserId":"","UserKey":"2df6c5b4-66e0-456f-8028-92a389afe2cd","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":2080} (edited)
MFA Log
[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"2636c7f5-e63a-4f39-a9de-5c8366c6b56d","Type":0},{"ID":stuff.com","Type":5}],"ActorContextId":"c24cf3ff-..........
{"Name":"DisplayName","Value":"FXNZDZ3"},{"Name":"OS","Value":"Windows10"},{"Name":"BrowserType","Value":"Edge"},{"Name":"IsCompliant","Value":"True"},{"Name":"IsCompliantAndManaged","Value":"True"},{"Name":"TrustType","Value":"1"},{"Name":"SessionId","Value":"715f5ac1-bf84-49a6-8598-086649ce649c"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"Id":"d8efaa45-dbd8-4450-af6a-cf4c971b6100","InterSystemsId":"cfea069a-3584-433f-93cb-2baea2969a6c","IntraSystemId":"d8efaa45-dbd8-4450-af6a-cf4c971b6100","ModifiedProperties":[],"ObjectId":"5f09333a-842c-47da-a157-57da27fcbca5","Operation":"UserLoggedIn","OrganizationId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","RecordType":15,"ResultStatus":"Success","ServerHostName":"manage.office.com","SupportTicketId":"","Target":[{"ID":"5f09333a-842c-47da-a157-57da27fcbca5","Type":0}],"TargetContextId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","TenantId":"c24cf3ff-e1ea-4eee-95be-620e6e5e2136","UserId":"","UserKey":"2636c7f5-e63a-4f39-a9de-5c8366c6b56d","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":2080}
Wondering if @Rob_SIEM could give some insights. I'll try and modify
OK, so I have added
<attrKeyMap attr="loginType" key="RequestType"/>
to the parser.
Will that become a field I can search on in a query, or create a rule for detecting if it's login or OAuth?
Hi @KarlH,
Once the attrKeyMap is added, it will move the outcome of RequestType into the loginType event attribute. Later, you can add a rule to monitor the loginType event attribute and generate an incident.
If you want to create a new event type for a specific log, such as MFA, you can use the following when condition:
<when test="$loginType IN 'OAuth2'">
Then, update the eventType using combineMsgId:
<setEventAttribute attr="eventType">combineMsgId("MS_OFFICE365_EntraID_XXX_", $status)</setEventAttribute>
Make sure to replace XXX with a relevant identifier and $status with an attribute that accurately reflects the status.
I am not creating an event; I am parsing a field called RequestType and then creating an attribute as below.
The code is as you see below.
Validation passed
Testing passed, but the bottom pane does not show it.
Raw log shows:
In the log above you can see {"Name":"RequestType","Value":"SAS:EndAuth"}
but the field, which I call in the display using the attribute event name "Authorization Type", does not show up in the bottom pane of the test results.
Try this @KarlH
<attrKeyMap attr="authType" key="ExtendedProperties.find(Name='RequestType', Value)"/>
It worked!!
Hi Karl and Team,
Just as a heads up, we already have a nice field name to map for this called "requestType (display name: Request Type)". In the corrected system parser we will use this attribute if you would like to update yours to match.
<attrKeyMap attr="requestType" key="ExtendedProperties.find(Name='RequestType', Value)"/>
Thanks,
I've created a separate enhancement to officially support these fields.
Appreciated greatly for the post and sorting this.
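For readers who want to check what the accepted mapping actually extracts before wiring a rule to it, here is an added Python example (not code from the thread, FortiSIEM, or Fortinet) that mimics the semantics of ExtendedProperties.find(Name='RequestType', Value) over the sample log shape above and then applies the rule Karl asked for, alerting on login:login. Function names such as find_extended_property and evaluate_alerts, and the sample lines themselves, are constructed for this example; the UserKey values are placeholders, not tenant identifiers. It also handles the two failure modes visible in the thread: events whose ExtendedProperties list has no RequestType entry (which is why a direct key of "RequestType" left the test pane empty), and the casing mismatch between the values in the question (login:login, oauth2:authorize) and the values in the sample logs (Login:login, OAuth2:Authorize).

```python
import json
from typing import Optional

# Constructed sample lines modelled on the anonymised records in the thread.
# Identifiers are placeholders, not values from any real tenant.
SAMPLE_LOG_LINES = [
    '[OFFICE365_EVENT_DATA] = {"Operation":"UserLoggedIn","ResultStatus":"Success",'
    '"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},'
    '{"Name":"RequestType","Value":"Login:login"}],"UserKey":"user-a","Workload":"AzureActiveDirectory"}',
    '[OFFICE365_EVENT_DATA] = {"Operation":"UserLoggedIn","ResultStatus":"Success",'
    '"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},'
    '{"Name":"RequestType","Value":"OAuth2:Authorize"}],"UserKey":"user-b","Workload":"AzureActiveDirectory"}',
    '[OFFICE365_EVENT_DATA] = {"Operation":"UserLoggedIn","ResultStatus":"Success",'
    '"ExtendedProperties":[{"Name":"RequestType","Value":"SAS:EndAuth"}],"UserKey":"user-c","Workload":"AzureActiveDirectory"}',
    '[OFFICE365_EVENT_DATA] = {"Operation":"UserLoggedIn","ResultStatus":"Success",'
    '"ExtendedProperties":[],"UserKey":"user-d","Workload":"AzureActiveDirectory"}',
]


def parse_event(line: str) -> dict:
    """Strip the '[OFFICE365_EVENT_DATA] = ' prefix and decode the JSON body."""
    _, _, body = line.partition("] = ")
    return json.loads(body)


def find_extended_property(event: dict, name: str) -> Optional[str]:
    """Stand-in for the parser's ExtendedProperties.find(Name='<name>', Value):
    return the Value of the first ExtendedProperties entry whose Name matches,
    or None when no such entry exists. RequestType is not a top-level key in
    these events, which is why keying on "RequestType" directly finds nothing."""
    for prop in event.get("ExtendedProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def classify_request_type(value: Optional[str]) -> str:
    """Bucket a RequestType value by its prefix, case-insensitively. The sample
    logs carry 'Login:login' and 'OAuth2:Authorize' while the question wrote
    them in lower case, so an exact-case comparison would silently miss events."""
    if not value:
        return "unknown"
    prefix = value.split(":", 1)[0].lower()
    if prefix == "login":
        return "login"
    if prefix == "oauth2":
        return "oauth2"
    return "other"


def evaluate_alerts(lines):
    """Apply the rule the thread asks for: raise an alert for every event whose
    RequestType is login:login. Returns (alerts, per-event classification)."""
    alerts = []
    categories = []
    for line in lines:
        event = parse_event(line)
        request_type = find_extended_property(event, "RequestType")
        category = classify_request_type(request_type)
        categories.append(category)
        if request_type is not None and request_type.lower() == "login:login":
            alerts.append({
                "user": event.get("UserKey"),
                "operation": event.get("Operation"),
                "result": event.get("ResultStatus"),
                "requestType": request_type,
            })
    return alerts, categories


if __name__ == "__main__":
    found, kinds = evaluate_alerts(SAMPLE_LOG_LINES)
    print(kinds)  # ['login', 'oauth2', 'other', 'unknown']
    for alert in found:
        print("ALERT", alert)
```

The fourth sample line shows the case worth testing in the parser's test pane: an event with no RequestType entry yields None rather than an error, so a rule keyed on the mapped attribute simply does not fire for it. Whether FortiSIEM's IN comparison in a when test is case-sensitive is not stated in the thread, so the prefix comparison here lower-cases both sides before matching.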