diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml index 1e29850e897..07f25fe8eb2 100644 --- a/packages/o365/changelog.yml +++ b/packages/o365/changelog.yml @@ -1,4 +1,20 @@ # newer versions go on top +- version: "2.33.0" + changes: + - description: >- + Fix flattening errors in `Action` List items due to duplicate `QueryTime` fields by removing duplicate field. + type: enhancement + link: https://github.com/elastic/integrations/pull/15699 + - description: >- + Fixes undefined errors by adding fields `ActorInfoString`, `OperationCount`, `TokenObjectId`, `TokenTenantId` + type: bugfix + link: https://github.com/elastic/integrations/pull/15699 + - description: >- + Fixes errors due to SizeInBytes fields in `Messages` and `Folders` structures previously imported as long + and then being sent as floats. Moves the fields to explicitly defined fields `ExchangeAggregatedMessages` and + `ExchangeAggregatedFolders`and explicitly converts SizeInBytes to long for record type 50: `ExchangeItemAggregated`. + type: bugfix + link: https://github.com/elastic/integrations/pull/15699 - version: "2.32.0" changes: - description: Add device.id and user_agent fields from ExtendedProperties.additionalDetails. @@ -8,7 +24,7 @@ changes: - description: Improve documentation. type: enhancement - link: https://github.com/elastic/integrations/pull/15660 + link: https://github.com/elastic/integrations/pull/1 - version: "2.30.0" changes: - description: >- diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json new file mode 100644 index 00000000000..93bf900dbf8 --- /dev/null +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json @@ -0,0 +1,222 @@ +{ + "events": [ + { + "o365audit": { + "LogonUserSid": "S-1-5-21-1234567890-123456789-1234567890-12345678", + "AppAccessContext": { + "APIId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "ClientAppId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "IssuedAtTime": "2025-09-29T01:01:01", + "UniqueTokenId": "12345678-1234-1234-abcd-abcdef123456" + }, + "AppId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "ActorInfoString": "Client=REST;Client=RESTSystem;UserAgent=[NoUserAgent][AppId=abcdabcd-1234-12ab-1a2b-ad1234567890];", + "MailboxOwnerUPN": "user@example.com", + "MailboxOwnerSid": "S-1-5-21-1234567890-123456789-1234567890-12345678", + "LogonType": 0, + "ClientInfoString": "Client=REST;Client=RESTSystem;;", + "ResultStatus": "Succeeded", + "OrganizationName": "example.onmicrosoft.com", + "ExternalAccess": false, + "OperationProperties": [ + { + "Name": "AttachmentAccessType", + "Value": "Bind" + } + ], + "InternalLogonType": 0, + "MailboxGuid": "8b46a639-c47f-4634-b90c-2accecd337e3", + "UserKey": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "TokenTenantId": "dcbadcba-1234-12ab-1a2b-ad1234567890", + "UserId": "user@example.com", + "UserType": 5, + "CreationTime": "2025-09-29T01:01:01", + "Version": 1, + "RecordType": 50, + "ClientIPAddress": "203.0.113.5", + "Operation": "AttachmentAccess", + "OrganizationId": "1234abcd-4321-dcba-43ab-1023456789ab", + "ClientAppId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "OriginatingServer": "imase12AA1234 (203.0.113.3)", + "Messages": [ + { + "Path": "Messages", + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDD", + "MessageItems": [ + { + "SizeInBytes": 2379, + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDDEEEEEE12345678901234567890123" + }, + { + "SizeInBytes": 7356, + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDDEEEEEE000000011111122222222222" + } + ] + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDlFFFF", + "MessageItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDlFFFFEEEEEEaaaaaaaaaaaaaaaaaaaaaaa", + "SizeInBytes": 1156492.00 + } + ], + "Path": "Messages" + }, + { + "Path": "Messages", + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDvnQAA", + "MessageItems": [ + { + "SizeInBytes": 87052, + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDvnQAAEEEEEEAALE" + } + ] + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJk_eAAA", + "MessageItems": [ + { + "SizeInBytes": 267212, + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJk_eAAAEEEEEEAB_WWWWWWWWWWWWWWW-1234" + } + ], + "Path": "Messages" + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJ123456", + "MessageItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJ1234AAEEEEEEADGGGGGGGGGGGGGGGGGGGGGG", + "SizeInBytes": 20477 + } + ], + "Path": "Messages" + } + ], + "Id": "88888888-4444-5555-6666-123456789012", + "Workload": "Exchange", + "OperationCount": 6 + } + }, + { + "o365audit": { + "StartTimeUtc": "2025-09-29T23:59:59", + "Actions": [ + "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:1234567890abcdef1234567890abcdef\",\"InvestigationId\":\"urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Skipped\",\"Entities\":[{\"$id\":\"2\",\"Recipient\":\"user@example.com\",\"Urls\":[\"https://exxample.com/fffffffff\",\"https://example.com/\",\"https://www.example.com/\",\"https://domain.com\",\"https://domain.com\",\"https://emailsg.example.com/wf/open?upn=1234\",\"https://apps.apple.com/us/app/example-com/id12343123444\",\"https://play.google.com/store/apps/details?id=com.example.example\",\"https://dl.example.com/boards/6667868113/groups/topics?dl_slug=resortinternet&dl_msgid=99999999-6666-5555-4444-1023456789012&dl_category=notifications_mailer-assign_person_to_pulse&dl_userid=12345678&dl_sessionid=12345678901234567890123456789012_0&dl_senderid=-4&dl_notificationappid=98776666&dl_notificationkindname=board_assigned_in_column&dl_notificationuuid=12345678901234567890123456789012_0\",\"https://dl.example.com/users/-4-automations?dl_slug=resortinternet&dl_msgid=99999999-6666-5555-4444-1023456789012&dl_category=notifications_mailer-assign_person_to_pulse&dl_userid=12345678&dl_sessionid=12345678901234567890123456789012_0&dl_senderid=-4&dl_notificationappid=12345678&dl_notificationkindname=board_assigned_in_column&dl_notificationuuid=12345678901234567890123456789012_0\"],\"Threats\":[\"ZapPhish\",\"HighConfPhish\"],\"Sender\":\"sales@example.com\",\"P1Sender\":\"1234565@example.com\",\"P1SenderDomain\":\"example.com\",\"SenderIP\":\"203.0.113.55\",\"P2Sender\":\"sales@example.com\",\"P2SenderDisplayName\":\"Postal_ProtocolAdminChecklnReportDocSubmissionRequestapEx12341234Serverange-reply\",\"P2SenderDomain\":\"example.com\",\"ReceivedDate\":\"2025-09-15T22:20:37\",\"NetworkMessageId\":\"33333333-eeee-4444-5555-999999999999\",\"InternetMessageId\":\"<1234@email.example.com>\",\"Subject\":\"Admin-Protocol-Tasks-Update on 9/15/2025\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"Language\":\"en\",\"DeliveryLocation\":\"Quarantine\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"Pass\"},{\"Name\":\"DMARC\",\"Value\":\"Pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb\",\"Source\":\"OATP\",\"FirstSeen\":\"2025-09-15T22:51:56\"}],\"RelatedAlertIds\":[\"33333333-2222-1111-7777-123456789012\"],\"StartTimeUtc\":\"2025-09-15T23:02:00\",\"EndTimeUtc\":\"2025-09-15T23:04:18Z\",\"LastUpdateTimeUtc\":\"2025-09-17T12:22:43.2513154Z\",\"TimestampUtc\":\"2025-09-15T23:04:18\",\"BulkName\":\"Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"999999999-2222-1111-7777-123456789012\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"Type\":\"InvestigationAction\",\"LogCreationTime\":\"2025-09-17T12:22:43.2513154Z\",\"MachineName\":\"AB12AB12AB123\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}", + "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:4321567890abcdef1234567890abcdef\",\"InvestigationId\":\"urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Skipped\",\"Entities\":[{\"$id\":\"2\",\"NetworkMessageIds\":[\"88888888-eeee-4444-5555-999999999999\",\"33333333-eeee-4444-5555-999999999999\"],\"CountByThreatType\":{\"HighConfPhish\":1,\"Phish\":0,\"Malware\":0,\"Spam\":0},\"CountByProtectionStatus\":{\"Delivered\":1,\"Blocked\":1},\"CountByDeliveryLocation\":{\"Quarantine\":2},\"Query\":\"( (( (BodyFingerprintBin1:\\\"99999999999\\\") ) AND ( (SenderIp:\\\"203.0.113.55\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2025-09-15T23:05:00Z\",\"MailCount\":2,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"33333333-eeee-4444-5555-999999999999\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2025-08-26T00:00:00Z\",\"ClusterQueryEndTime\":\"2025-09-15T23:05:00Z\",\"ClusterGroup\":\"BodyFingerprintBin1,SenderIp\",\"Type\":\"mailCluster\",\"ClusterBy\":\"BodyFingerprintBin1;SenderIp;ContentType\",\"ClusterByValue\":\"99999999999;203.0.113.5;1\",\"QueryStartTime\":\"8/26/2025 12:00:00 AM\",\"QueryTime\":\"9/15/2025 11:05:00 PM\",\"Urn\":\"urn:MailClusterEntity:98765432109876543210987654321098\",\"Source\":\"OATP\",\"FirstSeen\":\"2025-09-15T23:00:09\"}],\"RelatedAlertIds\":[\"33333333-2222-1111-7777-123456789012\"],\"StartTimeUtc\":\"2025-09-15T23:02:00\",\"EndTimeUtc\":\"2025-09-17T10:37:16\",\"LastUpdateTimeUtc\":\"2025-09-17T12:22:43.2525624Z\",\"TimestampUtc\":\"2025-09-17T10:37:16\",\"BulkName\":\"Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"999999999-2222-1111-7777-123456789012\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"Type\":\"InvestigationAction\",\"LogCreationTime\":\"2025-09-17T12:22:43.2525624Z\",\"MachineName\":\"AB12AB12AB123\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}", + "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:6666567890abcdef1234567890abcdef\",\"InvestigationId\":\"urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Skipped\",\"Entities\":[{\"$id\":\"2\",\"NetworkMessageIds\":[\"88888888-eeee-4444-5555-999999999999\",\"33333333-eeee-4444-5555-999999999999\",\"44444444-eeee-4444-5555-999999999999\"],\"CountByThreatType\":{\"HighConfPhish\":2,\"Phish\":0,\"Malware\":0,\"Spam\":0},\"CountByProtectionStatus\":{\"Blocked\":2,\"Delivered\":1},\"CountByDeliveryLocation\":{\"Quarantine\":3},\"Query\":\"( (( (BodyFingerprintBin1:\\\"99999999999\\\") ) AND ( (P2SenderDomain:\\\"example.com\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2025-09-15T23:05:00Z\",\"MailCount\":3,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"33333333-eeee-4444-5555-999999999999\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2025-08-26T00:00:00Z\",\"ClusterQueryEndTime\":\"2025-09-15T23:05:00Z\",\"ClusterGroup\":\"BodyFingerprintBin1,P2SenderDomain\",\"Type\":\"mailCluster\",\"ClusterBy\":\"BodyFingerprintBin1;P2SenderDomain;ContentType\",\"ClusterByValue\":\"99999999999;example.com;1\",\"QueryStartTime\":\"8/26/2025 12:00:00 AM\",\"QueryTime\":\"9/15/2025 11:05:00 PM\",\"Urn\":\"urn:MailClusterEntity:cccccccccccccccccccccccccccccccc\",\"Source\":\"OATP\",\"FirstSeen\":\"2025-09-15T23:00:09\"}],\"RelatedAlertIds\":[\"33333333-2222-1111-7777-123456789012\"],\"StartTimeUtc\":\"2025-09-15T23:02:00\",\"EndTimeUtc\":\"2025-09-17T10:37:16\",\"LastUpdateTimeUtc\":\"2025-09-17T12:22:43.2676112Z\",\"TimestampUtc\":\"2025-09-17T10:37:16\",\"BulkName\":\"Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"999999999-2222-1111-7777-123456789012\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"Type\":\"InvestigationAction\",\"LogCreationTime\":\"2025-09-17T12:22:43.2676112Z\",\"MachineName\":\"AB12AB12AB123\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}" + ], + "InvestigationName": "Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "Operation": "AirInvestigationData", + "InvestigationType": "ZappedEmailInvestigation", + "UserId": "AirInvestigation", + "UserKey": "AirInvestigation", + "DeepLinkUrl": "https://security.microsoft.com/abc-investigation/urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890", + "Version": 1, + "InvestigationId": "urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "EndTimeUtc": "2025-09-29T23:59:59", + "LastUpdateTimeUtc": "2025-09-29T23:59:59", + "Id": "44445555-2222-4444-8888-123456789012", + "Status": "Remediated", + "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"StartTimeUtc\":\"2025-09-29T23:59:59Z\",\"EndTimeUtc\":\"2025-09-29T23:59:59Z\",\"TimeGenerated\":\"2025-09-29T23:59:59.00Z\",\"ProcessingEndTime\":\"2025-09-29T23:59:59.0000000Z\",\"Status\":\"InProgress\",\"Severity\":\"Low\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1,\"IsIncident\":false,\"ProviderAlertId\":\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"SystemAlertId\":null,\"CorrelationKey\":\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890\",\"InvestigationStatus\":\"Running\"}],\"InvestigationIds\":[\"urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"Email reported by user as malware or phish\",\"Description\":\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/viewalerts?id=dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"Recipient\":\"user@example.com\",\"Urls\":[\"hxxp://test.local\",\"hxxp://test.local\",\"hxxp://test.local\"],\"Threats\":[\"HighConfPhish\"],\"Sender\":\"bounce@example.com\",\"P1Sender\":\"<>\",\"P1SenderDomain\":\"\",\"SenderIP\":\"81.2.69.144\",\"P2Sender\":\"bounce@example.com\",\"P2SenderDisplayName\":\"name\",\"P2SenderDomain\":\"example.com\",\"ReceivedDate\":\"2025-09-29T23:59:59\",\"NetworkMessageId\":\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"InternetMessageId\":\"\",\"Subject\":\"subject\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"ThreatDetectionMethods\":[\"MLModel\"],\"Language\":\"nb\",\"DeliveryLocation\":\"Inbox\",\"OriginalDeliveryLocation\":\"Inbox\",\"PhishConfidenceLevel\":\"High\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\"],\"Connector\":\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb: [Inbound from dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb]\",\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"Fail\"},{\"Name\":\"Comp Auth\",\"Value\":\"fail\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"Source\":\"OATP\",\"FirstSeen\":\"2025-09-29T23:59:59\"},{\"$id\":\"4\",\"MailboxPrimaryAddress\":\"user@example.com\",\"Upn\":\"account@example.com\",\"AadId\":\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\",\"RiskLevel\":\"None\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:abcdef1234567890abcdef1234567890\",\"Source\":\"OATP\",\"FirstSeen\":\"2025-09-29T23:59:59\"}],\"LogCreationTime\":\"2025-09-29T23:59:59.0000000Z\",\"MachineName\":\"ABCDEFGHIJK\",\"SourceTemplateType\":\"Activity_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", + "CreationTime": "2025-09-29T03:11:01", + "RecordType": 64, + "RunningTime": 135051, + "OrganizationId": "999999999-2222-1111-7777-123456789012", + "ObjectId": "44445555-2222-4444-8888-123456789012", + "UserType": 4, + "Workload": "AirInvestigation" + } + }, + { + "o365audit": { + "LogonType": 0, + "ClientInfoString": "Client=WebServices;Apache-HttpAsyncClient/5.0[AppId=7777777-6666-aaaa-bbbb-123456789012];", + "UserId": "user@example.com", + "Id": "aaaaaaaa-bbbb-cccc-dddd-123456789012", + "UserType": 0, + "ClientIPAddress": "203.0.113.145", + "AppId": "7777777-6666-aaaa-bbbb-123456789012", + "InternalLogonType": 0, + "OriginatingServer": "AB8MB22NO1234 (203.0.113.8)", + "CreationTime": "2025-09-26T22:32:29", + "OrganizationId": "33333333-bbbb-cccc-dddd-123456789012", + "Folders": [ + { + "Path": "\\Sent Items", + "FolderItems": [ + { + "SizeInBytes": 14593, + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEpAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgO3wRAAAJ", + "InternetMessageId": "" + }, + { + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgO3gYAAAJ", + "InternetMessageId": "", + "SizeInBytes": 8526, + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEoAAAJ" + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEnAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAxaAAAJ", + "InternetMessageId": "", + "SizeInBytes": 99635 + }, + { + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAgkAAAJ", + "InternetMessageId": "", + "SizeInBytes": 6475, + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEmAAAJ" + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEElAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAgQAAAJ", + "InternetMessageId": "", + "SizeInBytes": 326463 + }, + { + "SizeInBytes": 1352491.00, + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEkAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgOv+cAAAJ", + "InternetMessageId": "" + } + ], + "Id": "LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLCCCCCCCCCCCCCCCCCCCCCCCC" + } + ], + "UserKey": "9876543210987656", + "RecordType": 50, + "AppAccessContext": { + "IssuedAtTime": "2025-09-26T22:27:27", + "UniqueTokenId": "ZZZZZZZZZZKKKKKKKKKKAA", + "AADSessionId": "dddddddd-aaaa-eeee-dddd-123456789012", + "APIId": "bbbbbbbb-aaaa-eeee-bbbb-123456789012", + "ClientAppId": "7777777-6666-aaaa-bbbb-123456789012" + }, + "MailboxGuid": "eeeeeeee-aaaa-1234-bbbb-123456789012", + "TokenTenantId": "33333333-bbbb-cccc-dddd-123456789012", + "Version": 1, + "ClientAppId": "7777777-6666-aaaa-bbbb-123456789012", + "TokenObjectId": "ffffffff-aaaa-1234-bbbb-123456789012", + "OperationCount": 6, + "ActorInfoString": "Client=WebServices;Apache-HttpAsyncClient/5.0[AppId=7777777-6666-aaaa-bbbb-123456789012];", + "OrganizationName": "example.onmicrosoft.com", + "LogonUserSid": "S-1-5-21-1234567890-1234567890-123456789012-88888888", + "Operation": "MailItemsAccessed", + "MailboxOwnerUPN": "user@example.com", + "Workload": "Exchange", + "OperationProperties": [ + { + "Name": "MailAccessType", + "Value": "Bind" + } + ], + "ExternalAccess": false, + "ResultStatus": "Succeeded", + "MailboxOwnerSid": "S-1-5-21-1234567890-1234567890-123456789012-88888888" + } + } + ] +} diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json-expected.json new file mode 100644 index 00000000000..23cad758533 --- /dev/null +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-exchange-access-event.json-expected.json @@ -0,0 +1,787 @@ +{ + "expected": [ + { + "@timestamp": "2025-09-29T01:01:01.000Z", + "client": { + "address": "203.0.113.5", + "ip": "203.0.113.5" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "AttachmentAccess", + "category": [ + "web", + "email" + ], + "code": "ExchangeItemAggregated", + "id": "88888888-4444-5555-6666-123456789012", + "kind": "event", + "original": "{\"OrganizationName\":\"example.onmicrosoft.com\",\"ActorInfoString\":\"Client=REST;Client=RESTSystem;UserAgent=[NoUserAgent][AppId=abcdabcd-1234-12ab-1a2b-ad1234567890];\",\"UserKey\":\"abcdabcd-1234-12ab-1a2b-ad1234567890\",\"MailboxGuid\":\"8b46a639-c47f-4634-b90c-2accecd337e3\",\"Operation\":\"AttachmentAccess\",\"OrganizationId\":\"1234abcd-4321-dcba-43ab-1023456789ab\",\"ClientIPAddress\":\"203.0.113.5\",\"LogonUserSid\":\"S-1-5-21-1234567890-123456789-1234567890-12345678\",\"OriginatingServer\":\"imase12AA1234 (203.0.113.3)\",\"RecordType\":50,\"Version\":1,\"ClientInfoString\":\"Client=REST;Client=RESTSystem;;\",\"ClientAppId\":\"abcdabcd-1234-12ab-1a2b-ad1234567890\",\"MailboxOwnerUPN\":\"user@example.com\",\"OperationCount\":6,\"MailboxOwnerSid\":\"S-1-5-21-1234567890-123456789-1234567890-12345678\",\"Messages\":[{\"Path\":\"Messages\",\"MessageItems\":[{\"SizeInBytes\":2379,\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDDEEEEEE12345678901234567890123\"},{\"SizeInBytes\":7356,\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDDEEEEEE000000011111122222222222\"}],\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDD\"},{\"Path\":\"Messages\",\"MessageItems\":[{\"SizeInBytes\":1156492.0,\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDlFFFFEEEEEEaaaaaaaaaaaaaaaaaaaaaaa\"}],\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDlFFFF\"},{\"Path\":\"Messages\",\"MessageItems\":[{\"SizeInBytes\":87052,\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDvnQAAEEEEEEAALE\"}],\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDvnQAA\"},{\"Path\":\"Messages\",\"MessageItems\":[{\"SizeInBytes\":267212,\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJk_eAAAEEEEEEAB_WWWWWWWWWWWWWWW-1234\"}],\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJk_eAAA\"},{\"Path\":\"Messages\",\"MessageItems\":[{\"SizeInBytes\":20477,\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJ1234AAEEEEEEADGGGGGGGGGGGGGGGGGGGGGG\"}],\"Id\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJ123456\"}],\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":false,\"LogonType\":0,\"TokenTenantId\":\"dcbadcba-1234-12ab-1a2b-ad1234567890\",\"AppAccessContext\":{\"ClientAppId\":\"abcdabcd-1234-12ab-1a2b-ad1234567890\",\"UniqueTokenId\":\"12345678-1234-1234-abcd-abcdef123456\",\"APIId\":\"abcdabcd-1234-12ab-1a2b-ad1234567890\",\"IssuedAtTime\":\"2025-09-29T01:01:01\"},\"Workload\":\"Exchange\",\"InternalLogonType\":0,\"OperationProperties\":[{\"Value\":\"Bind\",\"Name\":\"AttachmentAccessType\"}],\"AppId\":\"abcdabcd-1234-12ab-1a2b-ad1234567890\",\"UserId\":\"user@example.com\",\"CreationTime\":\"2025-09-29T01:01:01\",\"Id\":\"88888888-4444-5555-6666-123456789012\",\"UserType\":5}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info", + "access" + ] + }, + "host": { + "id": "1234abcd-4321-dcba-43ab-1023456789ab", + "name": "example.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "ActorInfoString": "Client=REST;Client=RESTSystem;UserAgent=[NoUserAgent][AppId=abcdabcd-1234-12ab-1a2b-ad1234567890];", + "AppAccessContext": { + "APIId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "ClientAppId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "IssuedAtTime": "2025-09-29T01:01:01", + "UniqueTokenId": "12345678-1234-1234-abcd-abcdef123456" + }, + "AppId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "ClientAppId": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "ClientInfoString": "Client=REST;Client=RESTSystem;;", + "CreationTime": "2025-09-29T01:01:01", + "ExchangeAggregatedMessages": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDD", + "MessageItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDDEEEEEE12345678901234567890123", + "SizeInBytes": 2379 + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDDDDDDEEEEEE000000011111122222222222", + "SizeInBytes": 7356 + } + ], + "Path": "Messages" + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDlFFFF", + "MessageItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDlFFFFEEEEEEaaaaaaaaaaaaaaaaaaaaaaa", + "SizeInBytes": 1156492 + } + ], + "Path": "Messages" + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDvnQAA", + "MessageItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCDDDDDDDDDvnQAAEEEEEEAALE", + "SizeInBytes": 87052 + } + ], + "Path": "Messages" + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJk_eAAA", + "MessageItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJk_eAAAEEEEEEAB_WWWWWWWWWWWWWWW-1234", + "SizeInBytes": 267212 + } + ], + "Path": "Messages" + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJ123456", + "MessageItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-BBBBBBBBBBBB_CCCCCCCCCCJJJJJJJJ1234AAEEEEEEADGGGGGGGGGGGGGGGGGGGGGG", + "SizeInBytes": 20477 + } + ], + "Path": "Messages" + } + ], + "ExternalAccess": false, + "InternalLogonType": "0", + "LogonType": "0", + "LogonUserSid": "S-1-5-21-1234567890-123456789-1234567890-12345678", + "MailboxGuid": "8b46a639-c47f-4634-b90c-2accecd337e3", + "MailboxOwnerSid": "S-1-5-21-1234567890-123456789-1234567890-12345678", + "MailboxOwnerUPN": "user@example.com", + "OperationCount": "6", + "OperationProperties": [ + { + "Name": "AttachmentAccessType", + "Value": "Bind" + } + ], + "OrganizationName": "example.onmicrosoft.com", + "OriginatingServer": "imase12AA1234 (203.0.113.3)", + "RecordType": "50", + "ResultStatus": "Succeeded", + "TokenTenantId": "dcbadcba-1234-12ab-1a2b-ad1234567890", + "UserId": "user@example.com", + "UserKey": "abcdabcd-1234-12ab-1a2b-ad1234567890", + "UserType": "5", + "Version": "1" + } + }, + "organization": { + "id": "1234abcd-4321-dcba-43ab-1023456789ab" + }, + "related": { + "ip": [ + "203.0.113.5" + ], + "user": [ + "user" + ] + }, + "source": { + "as": { + "number": 64502, + "organization": { + "name": "Documentation ASN" + } + }, + "geo": { + "city_name": "Madrid", + "continent_name": "Europe", + "country_iso_code": "ES", + "country_name": "Spain", + "location": { + "lat": 40.41639, + "lon": -3.7025 + }, + "region_iso_code": "ES-M", + "region_name": "Madrid" + }, + "ip": "203.0.113.5" + }, + "tags": [ + "preserve_original_event" + ], + "token": { + "id": "12345678-1234-1234-abcd-abcdef123456" + }, + "user": { + "domain": "example.com", + "email": "user@example.com", + "id": "user@example.com", + "name": "user" + } + }, + { + "@timestamp": "2025-09-29T03:11:01.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "bounce@example.com" + ] + }, + "local_id": [ + "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb" + ], + "message_id": [ + "" + ], + "sender": { + "address": [ + "<>" + ] + }, + "subject": [ + "subject" + ], + "to": { + "address": [ + "user@example.com" + ] + } + }, + "event": { + "action": "AirInvestigationData", + "category": [ + "web" + ], + "code": "AirInvestigation", + "id": "44445555-2222-4444-8888-123456789012", + "kind": "event", + "original": "{\"Status\":\"Remediated\",\"StartTimeUtc\":\"2025-09-29T23:59:59\",\"Actions\":[\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:1234567890abcdef1234567890abcdef\\\",\\\"InvestigationId\\\":\\\"urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Skipped\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"Recipient\\\":\\\"user@example.com\\\",\\\"Urls\\\":[\\\"https://exxample.com/fffffffff\\\",\\\"https://example.com/\\\",\\\"https://www.example.com/\\\",\\\"https://domain.com\\\",\\\"https://domain.com\\\",\\\"https://emailsg.example.com/wf/open?upn=1234\\\",\\\"https://apps.apple.com/us/app/example-com/id12343123444\\\",\\\"https://play.google.com/store/apps/details?id=com.example.example\\\",\\\"https://dl.example.com/boards/6667868113/groups/topics?dl_slug=resortinternet&dl_msgid=99999999-6666-5555-4444-1023456789012&dl_category=notifications_mailer-assign_person_to_pulse&dl_userid=12345678&dl_sessionid=12345678901234567890123456789012_0&dl_senderid=-4&dl_notificationappid=98776666&dl_notificationkindname=board_assigned_in_column&dl_notificationuuid=12345678901234567890123456789012_0\\\",\\\"https://dl.example.com/users/-4-automations?dl_slug=resortinternet&dl_msgid=99999999-6666-5555-4444-1023456789012&dl_category=notifications_mailer-assign_person_to_pulse&dl_userid=12345678&dl_sessionid=12345678901234567890123456789012_0&dl_senderid=-4&dl_notificationappid=12345678&dl_notificationkindname=board_assigned_in_column&dl_notificationuuid=12345678901234567890123456789012_0\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"sales@example.com\\\",\\\"P1Sender\\\":\\\"1234565@example.com\\\",\\\"P1SenderDomain\\\":\\\"example.com\\\",\\\"SenderIP\\\":\\\"203.0.113.55\\\",\\\"P2Sender\\\":\\\"sales@example.com\\\",\\\"P2SenderDisplayName\\\":\\\"Postal_ProtocolAdminChecklnReportDocSubmissionRequestapEx12341234Serverange-reply\\\",\\\"P2SenderDomain\\\":\\\"example.com\\\",\\\"ReceivedDate\\\":\\\"2025-09-15T22:20:37\\\",\\\"NetworkMessageId\\\":\\\"33333333-eeee-4444-5555-999999999999\\\",\\\"InternetMessageId\\\":\\\"<1234@email.example.com>\\\",\\\"Subject\\\":\\\"Admin-Protocol-Tasks-Update on 9/15/2025\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Delivered\\\",\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2025-09-15T22:51:56\\\"}],\\\"RelatedAlertIds\\\":[\\\"33333333-2222-1111-7777-123456789012\\\"],\\\"StartTimeUtc\\\":\\\"2025-09-15T23:02:00\\\",\\\"EndTimeUtc\\\":\\\"2025-09-15T23:04:18Z\\\",\\\"LastUpdateTimeUtc\\\":\\\"2025-09-17T12:22:43.2513154Z\\\",\\\"TimestampUtc\\\":\\\"2025-09-15T23:04:18\\\",\\\"BulkName\\\":\\\"Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"999999999-2222-1111-7777-123456789012\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"Type\\\":\\\"InvestigationAction\\\",\\\"LogCreationTime\\\":\\\"2025-09-17T12:22:43.2513154Z\\\",\\\"MachineName\\\":\\\"AB12AB12AB123\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:4321567890abcdef1234567890abcdef\\\",\\\"InvestigationId\\\":\\\"urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Skipped\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"88888888-eeee-4444-5555-999999999999\\\",\\\"33333333-eeee-4444-5555-999999999999\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Delivered\\\":1,\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":2},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"99999999999\\\\\\\") ) AND ( (SenderIp:\\\\\\\"203.0.113.55\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2025-09-15T23:05:00Z\\\",\\\"MailCount\\\":2,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"33333333-eeee-4444-5555-999999999999\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2025-08-26T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2025-09-15T23:05:00Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"99999999999;203.0.113.5;1\\\",\\\"QueryStartTime\\\":\\\"8/26/2025 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/15/2025 11:05:00 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:98765432109876543210987654321098\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2025-09-15T23:00:09\\\"}],\\\"RelatedAlertIds\\\":[\\\"33333333-2222-1111-7777-123456789012\\\"],\\\"StartTimeUtc\\\":\\\"2025-09-15T23:02:00\\\",\\\"EndTimeUtc\\\":\\\"2025-09-17T10:37:16\\\",\\\"LastUpdateTimeUtc\\\":\\\"2025-09-17T12:22:43.2525624Z\\\",\\\"TimestampUtc\\\":\\\"2025-09-17T10:37:16\\\",\\\"BulkName\\\":\\\"Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"999999999-2222-1111-7777-123456789012\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"Type\\\":\\\"InvestigationAction\\\",\\\"LogCreationTime\\\":\\\"2025-09-17T12:22:43.2525624Z\\\",\\\"MachineName\\\":\\\"AB12AB12AB123\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:6666567890abcdef1234567890abcdef\\\",\\\"InvestigationId\\\":\\\"urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Skipped\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"88888888-eeee-4444-5555-999999999999\\\",\\\"33333333-eeee-4444-5555-999999999999\\\",\\\"44444444-eeee-4444-5555-999999999999\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":2,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":2,\\\"Delivered\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":3},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"99999999999\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"example.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2025-09-15T23:05:00Z\\\",\\\"MailCount\\\":3,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"33333333-eeee-4444-5555-999999999999\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2025-08-26T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2025-09-15T23:05:00Z\\\",\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"99999999999;example.com;1\\\",\\\"QueryStartTime\\\":\\\"8/26/2025 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/15/2025 11:05:00 PM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cccccccccccccccccccccccccccccccc\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2025-09-15T23:00:09\\\"}],\\\"RelatedAlertIds\\\":[\\\"33333333-2222-1111-7777-123456789012\\\"],\\\"StartTimeUtc\\\":\\\"2025-09-15T23:02:00\\\",\\\"EndTimeUtc\\\":\\\"2025-09-17T10:37:16\\\",\\\"LastUpdateTimeUtc\\\":\\\"2025-09-17T12:22:43.2676112Z\\\",\\\"TimestampUtc\\\":\\\"2025-09-17T10:37:16\\\",\\\"BulkName\\\":\\\"Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"999999999-2222-1111-7777-123456789012\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"Type\\\":\\\"InvestigationAction\\\",\\\"LogCreationTime\\\":\\\"2025-09-17T12:22:43.2676112Z\\\",\\\"MachineName\\\":\\\"AB12AB12AB123\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"ObjectId\":\"44445555-2222-4444-8888-123456789012\",\"InvestigationType\":\"ZappedEmailInvestigation\",\"UserKey\":\"AirInvestigation\",\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"StartTimeUtc\\\":\\\"2025-09-29T23:59:59Z\\\",\\\"EndTimeUtc\\\":\\\"2025-09-29T23:59:59Z\\\",\\\"TimeGenerated\\\":\\\"2025-09-29T23:59:59.00Z\\\",\\\"ProcessingEndTime\\\":\\\"2025-09-29T23:59:59.0000000Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"Severity\\\":\\\"Low\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890\\\",\\\"InvestigationStatus\\\":\\\"Running\\\"}],\\\"InvestigationIds\\\":[\\\"urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email reported by user as malware or phish\\\",\\\"Description\\\":\\\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/viewalerts?id=dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"user@example.com\\\",\\\"Urls\\\":[\\\"hxxp://test.local\\\",\\\"hxxp://test.local\\\",\\\"hxxp://test.local\\\"],\\\"Threats\\\":[\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"bounce@example.com\\\",\\\"P1Sender\\\":\\\"<>\\\",\\\"P1SenderDomain\\\":\\\"\\\",\\\"SenderIP\\\":\\\"81.2.69.144\\\",\\\"P2Sender\\\":\\\"bounce@example.com\\\",\\\"P2SenderDisplayName\\\":\\\"name\\\",\\\"P2SenderDomain\\\":\\\"example.com\\\",\\\"ReceivedDate\\\":\\\"2025-09-29T23:59:59\\\",\\\"NetworkMessageId\\\":\\\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"subject\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Delivered\\\",\\\"ThreatDetectionMethods\\\":[\\\"MLModel\\\"],\\\"Language\\\":\\\"nb\\\",\\\"DeliveryLocation\\\":\\\"Inbox\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\"],\\\"Connector\\\":\\\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb: [Inbound from dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb]\\\",\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Fail\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"fail\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2025-09-29T23:59:59\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"user@example.com\\\",\\\"Upn\\\":\\\"account@example.com\\\",\\\"AadId\\\":\\\"dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:abcdef1234567890abcdef1234567890\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2025-09-29T23:59:59\\\"}],\\\"LogCreationTime\\\":\\\"2025-09-29T23:59:59.0000000Z\\\",\\\"MachineName\\\":\\\"ABCDEFGHIJK\\\",\\\"SourceTemplateType\\\":\\\"Activity_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/abc-investigation/urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890\",\"Operation\":\"AirInvestigationData\",\"OrganizationId\":\"999999999-2222-1111-7777-123456789012\",\"EndTimeUtc\":\"2025-09-29T23:59:59\",\"InvestigationId\":\"urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"Workload\":\"AirInvestigation\",\"RecordType\":64,\"Version\":1,\"UserId\":\"AirInvestigation\",\"CreationTime\":\"2025-09-29T03:11:01\",\"InvestigationName\":\"Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef\",\"Id\":\"44445555-2222-4444-8888-123456789012\",\"RunningTime\":135051,\"UserType\":4,\"LastUpdateTimeUtc\":\"2025-09-29T23:59:59\"}", + "outcome": "success", + "provider": "AirInvestigation", + "type": [ + "info" + ] + }, + "host": { + "id": "999999999-2222-1111-7777-123456789012" + }, + "o365": { + "audit": { + "Actions": [ + { + "$id": "1", + "ActionApproval": "None", + "ActionId": "urn:EmailZapper:1234567890abcdef1234567890abcdef", + "ActionStatus": "Skipped", + "ActionType": "EmailRemediation", + "BulkName": "Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "Description": "For malicious emails, you can move to junk, soft or hard delete from user's mailbox.", + "EndTimeUtc": "2025-09-15T23:04:18Z", + "Entities": [ + { + "$id": "2", + "AdditionalActionsAndResults": [ + "OriginalDelivery: [N/A]" + ], + "AntispamDirection": "Inbound", + "AuthDetails": [ + { + "Name": "SPF", + "Value": "Pass" + }, + { + "Name": "DKIM", + "Value": "Pass" + }, + { + "Name": "DMARC", + "Value": "Pass" + }, + { + "Name": "Comp Auth", + "Value": "pass" + } + ], + "DeliveryAction": "Delivered", + "DeliveryLocation": "Quarantine", + "FirstSeen": "2025-09-15T22:51:56", + "InternetMessageId": "<1234@email.example.com>", + "Language": "en", + "NetworkMessageId": "33333333-eeee-4444-5555-999999999999", + "OriginalDeliveryLocation": "Inbox", + "P1Sender": "1234565@example.com", + "P1SenderDomain": "example.com", + "P2Sender": "sales@example.com", + "P2SenderDisplayName": "Postal_ProtocolAdminChecklnReportDocSubmissionRequestapEx12341234Serverange-reply", + "P2SenderDomain": "example.com", + "ReceivedDate": "2025-09-15T22:20:37", + "Recipient": "user@example.com", + "Sender": "sales@example.com", + "SenderIP": "203.0.113.55", + "Source": "OATP", + "Subject": "Admin-Protocol-Tasks-Update on 9/15/2025", + "Threats": [ + "ZapPhish", + "HighConfPhish" + ], + "Type": "mailMessage", + "Urls": [ + "https://exxample.com/fffffffff", + "https://example.com/", + "https://www.example.com/", + "https://domain.com", + "https://domain.com", + "https://emailsg.example.com/wf/open?upn=1234", + "https://apps.apple.com/us/app/example-com/id12343123444", + "https://play.google.com/store/apps/details?id=com.example.example", + "https://dl.example.com/boards/6667868113/groups/topics?dl_slug=resortinternet&dl_msgid=99999999-6666-5555-4444-1023456789012&dl_category=notifications_mailer-assign_person_to_pulse&dl_userid=12345678&dl_sessionid=12345678901234567890123456789012_0&dl_senderid=-4&dl_notificationappid=98776666&dl_notificationkindname=board_assigned_in_column&dl_notificationuuid=12345678901234567890123456789012_0", + "https://dl.example.com/users/-4-automations?dl_slug=resortinternet&dl_msgid=99999999-6666-5555-4444-1023456789012&dl_category=notifications_mailer-assign_person_to_pulse&dl_userid=12345678&dl_sessionid=12345678901234567890123456789012_0&dl_senderid=-4&dl_notificationappid=12345678&dl_notificationkindname=board_assigned_in_column&dl_notificationuuid=12345678901234567890123456789012_0" + ], + "Urn": "urn:MailEntity:aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb" + } + ], + "InvestigationId": "urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "LastUpdateTimeUtc": "2025-09-17T12:22:43.2513154Z", + "LogCreationTime": "2025-09-17T12:22:43.2513154Z", + "MachineName": "AB12AB12AB123", + "PendingType": "User", + "RelatedAlertIds": [ + "33333333-2222-1111-7777-123456789012" + ], + "ResourceIdentifiers": [ + { + "$id": "3", + "AadTenantId": "999999999-2222-1111-7777-123456789012", + "Type": "AAD" + } + ], + "StartTimeUtc": "2025-09-15T23:02:00", + "TimestampUtc": "2025-09-15T23:04:18", + "Type": "InvestigationAction" + }, + { + "$id": "1", + "ActionApproval": "None", + "ActionId": "urn:EmailZapper:4321567890abcdef1234567890abcdef", + "ActionStatus": "Skipped", + "ActionType": "EmailRemediation", + "BulkName": "Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "Description": "For malicious emails, you can move to junk, soft or hard delete from user's mailbox.", + "EndTimeUtc": "2025-09-17T10:37:16", + "Entities": [ + { + "$id": "2", + "ClusterBy": "BodyFingerprintBin1;SenderIp;ContentType", + "ClusterByValue": "99999999999;203.0.113.5;1", + "ClusterGroup": "BodyFingerprintBin1,SenderIp", + "ClusterQueryEndTime": "2025-09-15T23:05:00Z", + "ClusterQueryStartTime": "2025-08-26T00:00:00Z", + "ClusterSourceIdentifier": "33333333-eeee-4444-5555-999999999999", + "ClusterSourceType": "Similarity", + "CountByDeliveryLocation": { + "Quarantine": 2 + }, + "CountByProtectionStatus": { + "Blocked": 1, + "Delivered": 1 + }, + "CountByThreatType": { + "HighConfPhish": 1, + "Malware": 0, + "Phish": 0, + "Spam": 0 + }, + "FirstSeen": "2025-09-15T23:00:09", + "IsVolumeAnamoly": false, + "MailCount": 2, + "NetworkMessageIds": [ + "88888888-eeee-4444-5555-999999999999", + "33333333-eeee-4444-5555-999999999999" + ], + "Query": "( (( (BodyFingerprintBin1:\"99999999999\") ) AND ( (SenderIp:\"203.0.113.55\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))", + "QueryStartTime": "8/26/2025 12:00:00 AM", + "QueryTime": "2025-09-15T23:05:00Z", + "Source": "OATP", + "Type": "mailCluster", + "Urn": "urn:MailClusterEntity:98765432109876543210987654321098" + } + ], + "InvestigationId": "urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "LastUpdateTimeUtc": "2025-09-17T12:22:43.2525624Z", + "LogCreationTime": "2025-09-17T12:22:43.2525624Z", + "MachineName": "AB12AB12AB123", + "PendingType": "User", + "RelatedAlertIds": [ + "33333333-2222-1111-7777-123456789012" + ], + "ResourceIdentifiers": [ + { + "$id": "3", + "AadTenantId": "999999999-2222-1111-7777-123456789012", + "Type": "AAD" + } + ], + "StartTimeUtc": "2025-09-15T23:02:00", + "TimestampUtc": "2025-09-17T10:37:16", + "Type": "InvestigationAction" + }, + { + "$id": "1", + "ActionApproval": "None", + "ActionId": "urn:EmailZapper:6666567890abcdef1234567890abcdef", + "ActionStatus": "Skipped", + "ActionType": "EmailRemediation", + "BulkName": "Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "Description": "For malicious emails, you can move to junk, soft or hard delete from user's mailbox.", + "EndTimeUtc": "2025-09-17T10:37:16", + "Entities": [ + { + "$id": "2", + "ClusterBy": "BodyFingerprintBin1;P2SenderDomain;ContentType", + "ClusterByValue": "99999999999;example.com;1", + "ClusterGroup": "BodyFingerprintBin1,P2SenderDomain", + "ClusterQueryEndTime": "2025-09-15T23:05:00Z", + "ClusterQueryStartTime": "2025-08-26T00:00:00Z", + "ClusterSourceIdentifier": "33333333-eeee-4444-5555-999999999999", + "ClusterSourceType": "Similarity", + "CountByDeliveryLocation": { + "Quarantine": 3 + }, + "CountByProtectionStatus": { + "Blocked": 2, + "Delivered": 1 + }, + "CountByThreatType": { + "HighConfPhish": 2, + "Malware": 0, + "Phish": 0, + "Spam": 0 + }, + "FirstSeen": "2025-09-15T23:00:09", + "IsVolumeAnamoly": false, + "MailCount": 3, + "NetworkMessageIds": [ + "88888888-eeee-4444-5555-999999999999", + "33333333-eeee-4444-5555-999999999999", + "44444444-eeee-4444-5555-999999999999" + ], + "Query": "( (( (BodyFingerprintBin1:\"99999999999\") ) AND ( (P2SenderDomain:\"example.com\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))", + "QueryStartTime": "8/26/2025 12:00:00 AM", + "QueryTime": "2025-09-15T23:05:00Z", + "Source": "OATP", + "Type": "mailCluster", + "Urn": "urn:MailClusterEntity:cccccccccccccccccccccccccccccccc" + } + ], + "InvestigationId": "urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "LastUpdateTimeUtc": "2025-09-17T12:22:43.2676112Z", + "LogCreationTime": "2025-09-17T12:22:43.2676112Z", + "MachineName": "AB12AB12AB123", + "PendingType": "User", + "RelatedAlertIds": [ + "33333333-2222-1111-7777-123456789012" + ], + "ResourceIdentifiers": [ + { + "$id": "3", + "AadTenantId": "999999999-2222-1111-7777-123456789012", + "Type": "AAD" + } + ], + "StartTimeUtc": "2025-09-15T23:02:00", + "TimestampUtc": "2025-09-17T10:37:16", + "Type": "InvestigationAction" + } + ], + "CreationTime": "2025-09-29T03:11:01", + "Data": { + "flattened": { + "AlertDisplayName": "Email reported by user as malware or phish", + "AlertType": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb", + "Category": "ThreatManagement", + "ConfidenceLevel": "Unknown", + "ConfidenceScore": 1, + "CorrelationKey": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb", + "Description": "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3", + "EndTimeUtc": "2025-09-29T23:59:59Z", + "Entities": [ + { + "$id": "3", + "AdditionalActionsAndResults": [ + "OriginalDelivery: [N/A]" + ], + "AntispamDirection": "Inbound", + "AuthDetails": [ + { + "Name": "SPF", + "Value": "Pass" + }, + { + "Name": "DKIM", + "Value": "None" + }, + { + "Name": "DMARC", + "Value": "Fail" + }, + { + "Name": "Comp Auth", + "Value": "fail" + } + ], + "Connector": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb: [Inbound from dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb]", + "DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox", + "FirstSeen": "2025-09-29T23:59:59", + "InternetMessageId": "", + "Language": "nb", + "NetworkMessageId": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb", + "OriginalDeliveryLocation": "Inbox", + "P1Sender": "<>", + "P2Sender": "bounce@example.com", + "P2SenderDisplayName": "name", + "P2SenderDomain": "example.com", + "PhishConfidenceLevel": "High", + "ReceivedDate": "2025-09-29T23:59:59", + "Recipient": "user@example.com", + "Sender": "bounce@example.com", + "SenderIP": "81.2.69.144", + "Source": "OATP", + "Subject": "subject", + "ThreatDetectionMethods": [ + "MLModel" + ], + "Threats": [ + "HighConfPhish" + ], + "Type": "mailMessage", + "Urls": [ + "hxxp://test.local", + "hxxp://test.local", + "hxxp://test.local" + ], + "Urn": "urn:MailEntity:dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb" + }, + { + "$id": "4", + "AadId": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb", + "FirstSeen": "2025-09-29T23:59:59", + "MailboxPrimaryAddress": "user@example.com", + "RiskLevel": "None", + "Source": "OATP", + "Type": "mailbox", + "Upn": "account@example.com", + "Urn": "urn:UserEntity:abcdef1234567890abcdef1234567890" + } + ], + "ExtendedLinks": [ + { + "Href": "https://security.microsoft.com/viewalerts?id=dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb", + "Label": "alert", + "Type": "webLink" + } + ], + "Intent": "Probing", + "InvestigationIds": [ + "urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890" + ], + "Investigations": [ + { + "$id": "1", + "Id": "urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890", + "InvestigationStatus": "Running" + } + ], + "IsIncident": false, + "LogCreationTime": "2025-09-29T23:59:59.0000000Z", + "MachineName": "ABCDEFGHIJK", + "ProcessingEndTime": "2025-09-29T23:59:59.0000000Z", + "ProviderAlertId": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb", + "ProviderName": "OATP", + "ResourceIdentifiers": [ + { + "$id": "2", + "AadTenantId": "dddddddd-cccc-eeee-aaaa-bbbbbbbbbbbb", + "Type": "AAD" + } + ], + "Severity": "Low", + "SourceAlertType": "System", + "SourceTemplateType": "Activity_Single", + "StartTimeUtc": "2025-09-29T23:59:59Z", + "Status": "InProgress", + "TimeGenerated": "2025-09-29T23:59:59.00Z", + "VendorName": "Microsoft", + "Version": "3.0" + } + }, + "DeepLinkUrl": "https://security.microsoft.com/abc-investigation/urn:SubmissionInvestigation:abcdef1234567890abcdef1234567890", + "EndTimeUtc": "2025-09-29T23:59:59.000Z", + "InvestigationId": "urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "InvestigationName": "Malicious mail is zapped - urn:ZappedEmailInvestigation:7777567890abcdef1234567890abcdef", + "InvestigationType": "ZappedEmailInvestigation", + "LastUpdateTimeUtc": "2025-09-29T23:59:59.000Z", + "ObjectId": "44445555-2222-4444-8888-123456789012", + "OriginalDeliveryLocation": [ + "Inbox" + ], + "PhishConfidenceLevel": [ + "High" + ], + "RecordType": "64", + "RunningTime": "135051", + "StartTimeUtc": "2025-09-29T23:59:59.000Z", + "Status": "Remediated", + "ThreatDetectionMethods": [ + "MLModel" + ], + "UserId": "AirInvestigation", + "UserKey": "AirInvestigation", + "UserType": "4", + "Version": "1" + } + }, + "organization": { + "id": "999999999-2222-1111-7777-123456789012" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "account@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": [ + "user@example.com" + ], + "id": "AirInvestigation" + } + }, + { + "@timestamp": "2025-09-26T22:32:29.000Z", + "client": { + "address": "203.0.113.145", + "ip": "203.0.113.145" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "MailItemsAccessed", + "category": [ + "web", + "email" + ], + "code": "ExchangeItemAggregated", + "id": "aaaaaaaa-bbbb-cccc-dddd-123456789012", + "kind": "event", + "original": "{\"OrganizationName\":\"example.onmicrosoft.com\",\"ActorInfoString\":\"Client=WebServices;Apache-HttpAsyncClient/5.0[AppId=7777777-6666-aaaa-bbbb-123456789012];\",\"UserKey\":\"9876543210987656\",\"MailboxGuid\":\"eeeeeeee-aaaa-1234-bbbb-123456789012\",\"Operation\":\"MailItemsAccessed\",\"OrganizationId\":\"33333333-bbbb-cccc-dddd-123456789012\",\"ClientIPAddress\":\"203.0.113.145\",\"TokenObjectId\":\"ffffffff-aaaa-1234-bbbb-123456789012\",\"LogonUserSid\":\"S-1-5-21-1234567890-1234567890-123456789012-88888888\",\"OriginatingServer\":\"AB8MB22NO1234 (203.0.113.8)\",\"RecordType\":50,\"Version\":1,\"ClientInfoString\":\"Client=WebServices;Apache-HttpAsyncClient/5.0[AppId=7777777-6666-aaaa-bbbb-123456789012];\",\"ClientAppId\":\"7777777-6666-aaaa-bbbb-123456789012\",\"MailboxOwnerUPN\":\"user@example.com\",\"OperationCount\":6,\"Folders\":[{\"Path\":\"\\\\Sent Items\",\"Id\":\"LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLCCCCCCCCCCCCCCCCCCCCCCCC\",\"FolderItems\":[{\"ImmutableId\":\"CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgO3wRAAAJ\",\"InternetMessageId\":\"\",\"SizeInBytes\":14593,\"Id\":\"AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEpAAAJ\"},{\"ImmutableId\":\"CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgO3gYAAAJ\",\"InternetMessageId\":\"\",\"SizeInBytes\":8526,\"Id\":\"AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEoAAAJ\"},{\"ImmutableId\":\"CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAxaAAAJ\",\"InternetMessageId\":\"\",\"SizeInBytes\":99635,\"Id\":\"AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEnAAAJ\"},{\"ImmutableId\":\"CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAgkAAAJ\",\"InternetMessageId\":\"\",\"SizeInBytes\":6475,\"Id\":\"AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEmAAAJ\"},{\"ImmutableId\":\"CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAgQAAAJ\",\"InternetMessageId\":\"\",\"SizeInBytes\":326463,\"Id\":\"AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEElAAAJ\"},{\"ImmutableId\":\"CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgOv+cAAAJ\",\"InternetMessageId\":\"\",\"SizeInBytes\":1352491.0,\"Id\":\"AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEkAAAJ\"}]}],\"MailboxOwnerSid\":\"S-1-5-21-1234567890-1234567890-123456789012-88888888\",\"ResultStatus\":\"Succeeded\",\"ExternalAccess\":false,\"LogonType\":0,\"TokenTenantId\":\"33333333-bbbb-cccc-dddd-123456789012\",\"AppAccessContext\":{\"AADSessionId\":\"dddddddd-aaaa-eeee-dddd-123456789012\",\"ClientAppId\":\"7777777-6666-aaaa-bbbb-123456789012\",\"UniqueTokenId\":\"ZZZZZZZZZZKKKKKKKKKKAA\",\"APIId\":\"bbbbbbbb-aaaa-eeee-bbbb-123456789012\",\"IssuedAtTime\":\"2025-09-26T22:27:27\"},\"Workload\":\"Exchange\",\"InternalLogonType\":0,\"OperationProperties\":[{\"Value\":\"Bind\",\"Name\":\"MailAccessType\"}],\"AppId\":\"7777777-6666-aaaa-bbbb-123456789012\",\"UserId\":\"user@example.com\",\"CreationTime\":\"2025-09-26T22:32:29\",\"Id\":\"aaaaaaaa-bbbb-cccc-dddd-123456789012\",\"UserType\":0}", + "outcome": "success", + "provider": "Exchange", + "type": [ + "info", + "access" + ] + }, + "host": { + "id": "33333333-bbbb-cccc-dddd-123456789012", + "name": "example.com" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "ActorInfoString": "Client=WebServices;Apache-HttpAsyncClient/5.0[AppId=7777777-6666-aaaa-bbbb-123456789012];", + "AppAccessContext": { + "AADSessionId": "dddddddd-aaaa-eeee-dddd-123456789012", + "APIId": "bbbbbbbb-aaaa-eeee-bbbb-123456789012", + "ClientAppId": "7777777-6666-aaaa-bbbb-123456789012", + "IssuedAtTime": "2025-09-26T22:27:27", + "UniqueTokenId": "ZZZZZZZZZZKKKKKKKKKKAA" + }, + "AppId": "7777777-6666-aaaa-bbbb-123456789012", + "ClientAppId": "7777777-6666-aaaa-bbbb-123456789012", + "ClientInfoString": "Client=WebServices;Apache-HttpAsyncClient/5.0[AppId=7777777-6666-aaaa-bbbb-123456789012];", + "CreationTime": "2025-09-26T22:32:29", + "ExchangeAggregatedFolders": [ + { + "FolderItems": [ + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEpAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgO3wRAAAJ", + "InternetMessageId": "", + "SizeInBytes": 14593 + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEoAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgO3gYAAAJ", + "InternetMessageId": "", + "SizeInBytes": 8526 + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEnAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAxaAAAJ", + "InternetMessageId": "", + "SizeInBytes": 99635 + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEmAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAgkAAAJ", + "InternetMessageId": "", + "SizeInBytes": 6475 + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEElAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAAAAgQAAAJ", + "InternetMessageId": "", + "SizeInBytes": 326463 + }, + { + "Id": "AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEkAAAJ", + "ImmutableId": "CCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEAAAgOv+cAAAJ", + "InternetMessageId": "", + "SizeInBytes": 1352491 + } + ], + "Id": "LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLCCCCCCCCCCCCCCCCCCCCCCCC", + "Path": "\\Sent Items" + } + ], + "ExternalAccess": false, + "InternalLogonType": "0", + "LogonType": "0", + "LogonUserSid": "S-1-5-21-1234567890-1234567890-123456789012-88888888", + "MailboxGuid": "eeeeeeee-aaaa-1234-bbbb-123456789012", + "MailboxOwnerSid": "S-1-5-21-1234567890-1234567890-123456789012-88888888", + "MailboxOwnerUPN": "user@example.com", + "OperationCount": "6", + "OperationProperties": [ + { + "Name": "MailAccessType", + "Value": "Bind" + } + ], + "OrganizationName": "example.onmicrosoft.com", + "OriginatingServer": "AB8MB22NO1234 (203.0.113.8)", + "RecordType": "50", + "ResultStatus": "Succeeded", + "TokenObjectId": "ffffffff-aaaa-1234-bbbb-123456789012", + "TokenTenantId": "33333333-bbbb-cccc-dddd-123456789012", + "UserId": "user@example.com", + "UserKey": "9876543210987656", + "UserType": "0", + "Version": "1" + } + }, + "organization": { + "id": "33333333-bbbb-cccc-dddd-123456789012" + }, + "related": { + "ip": [ + "203.0.113.145" + ], + "user": [ + "user" + ] + }, + "session": { + "id": "dddddddd-aaaa-eeee-dddd-123456789012" + }, + "source": { + "as": { + "number": 64502, + "organization": { + "name": "Documentation ASN" + } + }, + "geo": { + "city_name": "Madrid", + "continent_name": "Europe", + "country_iso_code": "ES", + "country_name": "Spain", + "location": { + "lat": 40.41639, + "lon": -3.7025 + }, + "region_iso_code": "ES-M", + "region_name": "Madrid" + }, + "ip": "203.0.113.145" + }, + "tags": [ + "preserve_original_event" + ], + "token": { + "id": "ZZZZZZZZZZKKKKKKKKKKAA" + }, + "user": { + "domain": "example.com", + "email": "user@example.com", + "id": "user@example.com", + "name": "user" + } + } + ] +} diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 2ebdef4e402..9f7c2961aca 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -132,11 +132,15 @@ processors: if (!(ctx.o365audit.Actions instanceof List)) { ctx.o365audit.Actions = [ctx.o365audit.Actions]; } + + // Actions contains both a human readable `QueryTime` using AM/PM and an ISO8601 format `QueryTime` + // We remove the AM/PM containing `QueryTime` to avoid duplicate field errors on flattening. + def queryTimePattern = /,"QueryTime":"[0-9\/]+\s[0-9]+:[0-9]+:[0-9]+\s[AP]M"|"QueryTime":"[0-9\/]+\s[0-9]+:[0-9]+:[0-9]+\s[AP]M",/; for (def e: ctx.o365audit.Actions) { if (e instanceof Map) { actions.add(e); } else if (e instanceof String) { - ctx._tmp.action_strings.add(e); + ctx._tmp.action_strings.add(queryTimePattern.matcher(e).replaceAll('')); } } if (actions.length == ctx.o365audit.Actions.length) { @@ -672,11 +676,11 @@ processors: target_field: file.extension ignore_missing: true if: ctx.event?.code != null && ["SharePointFileOperation", "SharePointSharingOperation"].contains(ctx.event.code) - - append: + - append: field: event.category value: file if: 'ctx.event?.action != null && ["FileAccessed", "FileDeleted", "FileDownloaded", "FileModified", "FileMoved", "FileRenamed", "FileRestored", "FileUploaded", "FolderCopied", "FolderCreated", "FolderDeleted", "FolderModified", "FolderMoved", "FolderRenamed", "FolderRestored"].contains(ctx.event?.action)' - - append: + - append: field: event.category value: configuration if: ctx.event?.action == "ComplianceSettingChanged" @@ -1398,6 +1402,26 @@ processors: } else { ctx.o365audit.YammerNetworkId = ctx.o365audit.YammerNetworkId.toString(); } + - script: + tag: convert_runningtime + description: Ensure that RunningTime is not rendered with e-notation or other numeric + if: ctx.o365audit?.RunningTime != null + source: |- + if (ctx.o365audit.RunningTime instanceof double) { + ctx.o365audit.RunningTime = ((long)ctx.o365audit.RunningTime).toString(); + } else { + ctx.o365audit.RunningTime = ctx.o365audit.RunningTime.toString(); + } + - script: + tag: convert_operationcount + description: Ensure that OperationCount is not rendered with e-notation or other numeric + if: ctx.o365audit?.OperationCount != null + source: |- + if (ctx.o365audit.OperationCount instanceof Number) { + ctx.o365audit.OperationCount = ((long)ctx.o365audit.OperationCount).toString(); + } else { + ctx.o365audit.OperationCount = ctx.o365audit.OperationCount.toString(); + } - append: field: email.message_id value: "{{{o365audit.InternetMessageId}}}" @@ -1446,6 +1470,7 @@ processors: field: o365audit.EndTimeUtc target_field: o365audit.EndTimeUtc tag: date_EndTimeUtc + timezone: "UTC" formats: - ISO8601 if: ctx.o365audit?.EndTimeUtc != null @@ -1789,6 +1814,66 @@ processors: copy_from: o365audit.ApplicationDisplayName tag: set_application_name ignore_empty_value: true + + # ExchangeItemAggregated Schema + - append: + field: event.type + value: access + if: ctx.o365audit?.RecordType == "50" + - append: + field: event.category + value: email + if: ctx.o365audit?.RecordType == "50" + - rename: + field: o365audit.Messages + target_field: o365audit.ExchangeAggregatedMessages + tag: rename_messages_exchange + description: 'move generic Messages field to the ExchangeAggregatedMessages field type' + if: ctx.o365audit?.Messages != null && ctx.o365audit.RecordType == "50" + - script: + tag: convert_exchange_message_size_to_long + if: ctx.o365audit?.ExchangeAggregatedMessages != null + lang: painless + source: | + for (def i = 0; i < ctx.o365audit.ExchangeAggregatedMessages.length; i++) { + if (ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems == null) { + continue; + } + for (def j = 0; j < ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems.length; j++) { + def size = ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems[j].SizeInBytes; + if (size instanceof String) { + ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems[j].SizeInBytes = Long.parseLong(size); + } else { + ctx.o365audit.ExchangeAggregatedMessages[i].MessageItems[j].SizeInBytes = (long)size; + } + } + } + + - rename: + field: o365audit.Folders + target_field: o365audit.ExchangeAggregatedFolders + tag: rename_folders_exchange + description: 'move generic Folders field to the O365 ExchangeAggregatedFolders field type' + if: ctx.o365audit?.Folders != null && ctx.o365audit.RecordType == "50" + - script: + tag: convert_exchange_folder_size_to_long + if: ctx.o365audit?.ExchangeAggregatedFolders != null + lang: painless + source: | + for (def i = 0; i < ctx.o365audit.ExchangeAggregatedFolders.length; i++) { + if (ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems == null) { + continue; + } + for (def j = 0; j < ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems.length; j++) { + def size = ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems[j].SizeInBytes; + if (size instanceof String) { + ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems[j].SizeInBytes = Long.parseLong(size); + } else { + ctx.o365audit.ExchangeAggregatedFolders[i].FolderItems[j].SizeInBytes = (long)size; + } + } + } + - script: description: Handle _tmp.entities.ThreatDetectionMethods containing list of lists. lang: painless diff --git a/packages/o365/data_stream/audit/fields/fields.yml b/packages/o365/data_stream/audit/fields/fields.yml index 64081ffd3c1..87a5db2b86d 100644 --- a/packages/o365/data_stream/audit/fields/fields.yml +++ b/packages/o365/data_stream/audit/fields/fields.yml @@ -16,6 +16,8 @@ type: keyword - name: ActorContextId type: keyword + - name: ActorInfoString + type: keyword - name: ActorIpAddress type: keyword - name: ActorUserId @@ -275,6 +277,52 @@ # not expressible here; object_type_mapping_type cannot be 'boolean'. object_type: keyword object_type_mapping_type: '*' + - name: ExchangeAggregatedFolders + type: nested + description: List of folders + fields: + - name: Path + type: keyword + description: Path of the folder + - name: Id + type: keyword + description: Folder ID + - name: FolderItems + type: nested + description: Items in the folder + fields: + - name: SizeInBytes + type: long + description: Size of the item in bytes + - name: Id + type: keyword + description: Item ID + - name: ImmutableId + type: keyword + description: Immutable ID of the item + - name: InternetMessageId + type: keyword + description: Internet message ID + - name: ExchangeAggregatedMessages + type: nested + description: List of messages + fields: + - name: Path + type: keyword + description: Path of the message + - name: Id + type: keyword + description: Message ID + - name: MessageItems + type: nested + description: Items in the message + fields: + - name: SizeInBytes + type: long + description: Size of the message item in bytes + - name: Id + type: keyword + description: Message item ID - name: ExchangeMetaData type: group fields: @@ -415,6 +463,8 @@ type: keyword - name: Operation type: keyword + - name: OperationCount + type: keyword - name: OperationId type: keyword - name: OperationProperties @@ -604,6 +654,10 @@ type: keyword - name: ThreatDetectionMethods type: keyword + - name: TokenObjectId + type: keyword + - name: TokenTenantId + type: keyword - name: Timestamp type: keyword - name: UniqueSharingId diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md index c2655f26d4f..1de68f998ce 100644 --- a/packages/o365/docs/README.md +++ b/packages/o365/docs/README.md @@ -237,6 +237,7 @@ An example event for `audit` looks as following: | o365.audit.Actor.ID | | keyword | | o365.audit.Actor.Type | | keyword | | o365.audit.ActorContextId | | keyword | +| o365.audit.ActorInfoString | | keyword | | o365.audit.ActorIpAddress | | keyword | | o365.audit.ActorUserId | | keyword | | o365.audit.ActorYammerUserId | | keyword | @@ -356,6 +357,16 @@ An example event for `audit` looks as following: | o365.audit.EventDeepLink | | keyword | | o365.audit.EventSource | | keyword | | o365.audit.ExceptionInfo.\* | | object | +| o365.audit.ExchangeAggregatedFolders.FolderItems.Id | Item ID | keyword | +| o365.audit.ExchangeAggregatedFolders.FolderItems.ImmutableId | Immutable ID of the item | keyword | +| o365.audit.ExchangeAggregatedFolders.FolderItems.InternetMessageId | Internet message ID | keyword | +| o365.audit.ExchangeAggregatedFolders.FolderItems.SizeInBytes | Size of the item in bytes | long | +| o365.audit.ExchangeAggregatedFolders.Id | Folder ID | keyword | +| o365.audit.ExchangeAggregatedFolders.Path | Path of the folder | keyword | +| o365.audit.ExchangeAggregatedMessages.Id | Message ID | keyword | +| o365.audit.ExchangeAggregatedMessages.MessageItems.Id | Message item ID | keyword | +| o365.audit.ExchangeAggregatedMessages.MessageItems.SizeInBytes | Size of the message item in bytes | long | +| o365.audit.ExchangeAggregatedMessages.Path | Path of the message | keyword | | o365.audit.ExchangeMetaData.\* | | long | | o365.audit.ExchangeMetaData.CC | | keyword | | o365.audit.ExchangeMetaData.MessageID | | keyword | @@ -417,6 +428,7 @@ An example event for `audit` looks as following: | o365.audit.ObjectId | | keyword | | o365.audit.ObjectType | | keyword | | o365.audit.Operation | | keyword | +| o365.audit.OperationCount | | keyword | | o365.audit.OperationId | | keyword | | o365.audit.OperationProperties | | object | | o365.audit.OrganizationId | | keyword | @@ -501,6 +513,8 @@ An example event for `audit` looks as following: | o365.audit.TeamName | | keyword | | o365.audit.ThreatDetectionMethods | | keyword | | o365.audit.Timestamp | | keyword | +| o365.audit.TokenObjectId | | keyword | +| o365.audit.TokenTenantId | | keyword | | o365.audit.UniqueSharingId | | keyword | | o365.audit.UserAgent | | keyword | | o365.audit.UserId | | keyword | diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml index d1539230bb9..254d13a01c5 100644 --- a/packages/o365/manifest.yml +++ b/packages/o365/manifest.yml @@ -1,6 +1,6 @@ name: o365 title: Microsoft Office 365 -version: "2.32.0" +version: "2.33.0" description: Collect logs from Microsoft Office 365 with Elastic Agent. type: integration format_version: "3.2.3"