lines changed Original file line number Diff line number Diff line change 11# newer versions go on top
2+ - version : 2.1.0
3+ changes :
4+ - description : Add extra values to `related.user`.
5+ type : enhancement
6+ link : https://github.com/elastic/integrations/pull/8803
27- version : 2.0.0
38 changes :
49 - description : Mapping, parsing of o365.audit fields Platform and Data.*.
Original file line number Diff line number Diff line change 58375837 "related" : {
58385838 "ip" : [
58395839 " 67.43.156.13"
5840+ ],
5841+ "user" : [
5842+ " EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management"
58405843 ]
58415844 },
58425845 "server" : {
66826685 "related" : {
66836686 "ip" : [
66846687 " 67.43.156.13"
6688+ ],
6689+ "user" : [
6690+ " EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management"
66856691 ]
66866692 },
66876693 "server" : {
Original file line number Diff line number Diff line change 7070 "id" : " b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" ,
7171 "name" : " mytenant.onmicrosoft.com"
7272 },
73+ "related" : {
74+ "user" : [
75+ " asr@testsiem.onmicrosoft.com"
76+ ]
77+ },
7378 "rule" : {
7479 "category" : " AccessGovernance" ,
7580 "description" : " asr@testsiem.onmicrosoft.com" ,
166171 "id" : " b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" ,
167172 "name" : " mytenant.onmicrosoft.com"
168173 },
174+ "related" : {
175+ "user" : [
176+ " asr@testsiem.onmicrosoft.com"
177+ ]
178+ },
169179 "rule" : {
170180 "category" : " AccessGovernance" ,
171181 "id" : " 17d51759-88e1-40c1-8df3-20bcf2e43057" ,
Original file line number Diff line number Diff line change @@ -1044,6 +1044,11 @@ processors:
10441044 value : " {{file.owner}}"
10451045 allow_duplicates : false
10461046 if : ctx.file?.owner != null
1047+ - append :
1048+ field : related.user
1049+ value : " {{o365audit.Parameters.User}}"
1050+ allow_duplicates : false
1051+ if : ctx.o365audit?.Parameters?.User != null
10471052 - rename :
10481053 field : o365audit.ExtendedProperties.UserAgent
10491054 target_field : user_agent.original
@@ -1166,6 +1171,26 @@ processors:
11661171 formats :
11671172 - ISO8601
11681173 if : ctx.o365audit?.Data?.ttdt != null
1174+ - append :
1175+ field : related.user
1176+ value : " {{o365audit.Data.f3u}}"
1177+ allow_duplicates : false
1178+ if : ctx.o365audit?.Data?.f3u?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.f3u.length() >= 3;
1179+ - append :
1180+ field : related.user
1181+ value : " {{o365audit.Data.suid}}"
1182+ allow_duplicates : false
1183+ if : ctx.o365audit?.Data?.suid?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.suid.length() >= 3;
1184+ - append :
1185+ field : related.user
1186+ value : " {{o365audit.Data.tsd}}"
1187+ allow_duplicates : false
1188+ if : ctx.o365audit?.Data?.tsd?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.tsd.length() >= 3;
1189+ - append :
1190+ field : related.user
1191+ value : " {{o365audit.Data.trc}}"
1192+ allow_duplicates : false
1193+ if : ctx.o365audit?.Data?.trc?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.trc.length() >= 3;
11691194 - rename :
11701195 field : o365audit
11711196 target_field : o365.audit
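Review bot: The first hunk appends `o365audit.Parameters.User` to `related.user` with only a null check, while the four Data.* appends in the second hunk require an email-shaped value (`splitOnToken('@')?.length == 2` plus a minimum length); the expected-output fixture in this PR shows what the unguarded path admits — `EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management`, an Exchange object path rather than a user identity, now lands in a field analysts pivot on across sources. Either apply the same guard, `if: ctx.o365audit?.Parameters?.User != null && ctx.o365audit.Parameters.User.splitOnToken('@')?.length == 2`, or add a comment on that processor stating why Parameters.User values are accepted as-is. The Data.* conditions also end in a trailing `;` that the neighbouring `if` lines omit; dropping it keeps the Painless conditions consistent. Those conditions presumably assume the Data.* values are strings — if one arrived as an object or list, `splitOnToken` would raise rather than skip the document — so that assumption may deserve a short note or an `instanceof String` check. The `processors` list continues outside both hunks.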
Original file line number Diff line number Diff line change 11name : o365
22title : Microsoft 365
3- version : " 2.0 .0"
3+ version : " 2.1 .0"
44description : Collect logs from Microsoft 365 with Elastic Agent.
55type : integration
66format_version : " 3.0.0"