
Commit 0f102fc

authored
Merge pull request #3325 from splunk/output_normalization_o365
o365 detections output normalization
2 parents 5768076 + 6338010 commit 0f102fc


86 files changed

+810
-588
lines changed



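--- a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
+++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
@@ -114,3 +114,9 @@ example_log:
 "Type": 4}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId":
 "rodsoto@rodsoto.onmicrosoft.com", "UserKey": "10037FFEA938FB92@rodsoto.onmicrosoft.com",
 "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product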
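Review bot: The identical five-entry `output_fields` list (`dest`, `user`, `src`, `vendor_account`, `vendor_product`) is appended to every data source in this commit, including o365_add_mailboxpermission and o365_mailitemsaccessed, whose `example_log` samples show Exchange mailbox and message data rather than endpoint addresses, so it is unclear from these hunks whether `src` and `dest` are actually populated for each Workload. A detection that references a declared-but-empty field will silently match nothing, which is the kind of gap that is hard to spot once the field list looks complete. Consider checking each list against the normalized fields the `example_log` for that source really yields, and recording the intent with a comment such as `# output_fields: normalized fields detections on this source may reference; keep in sync with the sample above` above the block. The same applies to the other eight data_sources files in this commit; the surrounding `example_log` block begins outside the hunk.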

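--- a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
+++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
@@ -120,3 +120,9 @@ example_log:
 "Type": 2}, {"ID": "Office 365 Exchange Online", "Type": 1}, {"ID": "00000002-0000-0ff1-ce00-000000000000",
 "Type": 2}, {"ID": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com",
 "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product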

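--- a/data_sources/o365_add_mailboxpermission.yml
+++ b/data_sources/o365_add_mailboxpermission.yml
@@ -90,3 +90,9 @@ example_log:
 {"Name": "InheritanceType", "Value": "All"}], "RecordType": 1, "ResultStatus": "True",
 "SessionId": "2be46662-a743-4a05-8744-c2f75f886512", "UserId": "pbareiss@rodsoto.onmicrosoft.com",
 "UserKey": "10032001020A3408", "UserType": 2, "Version": 1, "Workload": "Exchange"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product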

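--- a/data_sources/o365_add_member_to_role_.yml
+++ b/data_sources/o365_add_member_to_role_.yml
@@ -112,3 +112,9 @@ example_log:
 "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User",
 "Type": 2}, {"ID": "lowpriv@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID":
 "10032002CC029AE9", "Type": 3}], "TargetContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product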

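--- a/data_sources/o365_add_owner_to_application_.yml
+++ b/data_sources/o365_add_owner_to_application_.yml
@@ -114,3 +114,9 @@ example_log:
 "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User",
 "Type": 2}, {"ID": "user2@contoso.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9",
 "Type": 3}], "TargetContextId": "48203edf-5d2c-45f2-8123-a368cc8b0e51"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product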

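--- a/data_sources/o365_add_service_principal_.yml
+++ b/data_sources/o365_add_service_principal_.yml
@@ -122,3 +122,9 @@ example_log:
 "Type": 2}, {"ID": "Malicious11", "Type": 1}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1",
 "Type": 2}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 4}], "TargetContextId":
 "75243ab2-44f8-435c-a7a6-b479385df6d4"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product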

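--- a/data_sources/o365_change_user_license_.yml
+++ b/data_sources/o365_change_user_license_.yml
@@ -106,3 +106,9 @@ example_log:
 "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User",
 "Type": 2}, {"ID": "victimUser@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID":
 "10032002CC029AE9", "Type": 3}], "TargetContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product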

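--- a/data_sources/o365_consent_to_application_.yml
+++ b/data_sources/o365_consent_to_application_.yml
@@ -114,3 +114,9 @@ example_log:
 "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454",
 "Type": 2}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 4}], "TargetContextId":
 "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product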

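--- a/data_sources/o365_disable_strong_authentication_.yml
+++ b/data_sources/o365_disable_strong_authentication_.yml
@@ -106,3 +106,9 @@ example_log:
 "Type": 5}, {"ID": "10037FFEA938FB92", "Type": 3}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
 "UserId": "rodsoto@rodsoto.onmicrosoft.com", "UserKey": "10037FFEA938FB92@rodsoto.onmicrosoft.com",
 "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product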

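--- a/data_sources/o365_mailitemsaccessed.yml
+++ b/data_sources/o365_mailitemsaccessed.yml
@@ -100,3 +100,9 @@ example_log:
 "SizeInBytes": 44572}, {"InternetMessageId": "<CH0PR18MB5530506D1B68B05A99A1109FF185A@CH0PR18MB5530.namprd18.prod.outlook.com>",
 "SizeInBytes": 245068}], "Id": "LgAAAAC0AxwgOj/BRq9Bs1bhMPw/AQDh+UNSDzeHSLWfq+fr83BDAAAAAAEMAAAB",
 "Path": "\\Inbox"}], "OperationCount": 4}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product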
