Change log for OFFICE_365

Date Changes
2022-05-05 Enhancement-Added mappings for new/unparsed fields.
Mapped ResultStatus to securityResult.action_details and its corresponding action for Operation "Add registered owner to device".
If TargetUserOrGroupType is "Group", then TargetUserOrGroupName is mapped to target.group.group_display_name.
If TargetUserOrGroupType is "User", then every TargetUserOrGroupName value, whether or not it is an email, is mapped to target.user.userid as well.
"DeviceOSVersion" mapped to target.asset.platform_software.platform_version.
If "AccountEnabled" is "false", the value is assigned as DISABLED, and as ENABLED if "true"; mapped to target.user.attribute.labels.
Added "UserType" associated mappings for Operation "MemberRemoved" as well.
Operation "DLPRuleMatch" was not matching the conditional check because its upper and lower case differed. Added it as well.
2022-04-17 Enhancement-Added mappings for new fields
TargetUserOrGroupName & TargetUserOrGroupType fields parsed for the following Office 365 Event Types:
"AccessRequestUpdated","SharingInvitationCreated","SharingInvitationAccepted".
2022-04-12 Enhancement-Added mappings for new fields.
Added the following new event: "TIUrlClickData".
Url mapped to target.url.
Based on the UrlClickAction value, security_result.action_details and security_result.description have been mapped.
UserIp mapped to principal.ip.
Added new event "InsightGenerated".
Description mapped to metadata.description.
For existing Operation/Event "DLPRuleMatch" mapped following fields:
- PolicyId, PolicyName, Actions, RuleId, RuleMode, RuleName, Severity, SensitiveInformationTypeName, SharePointMetaData.FileID, SharePointMetaData.FileName, SharePointMetaData.FilePathUrl, SharePointMetaData.FileSize.
For existing Operation/Event "FileModifiedExtended", mapped following fields:
- CorrelationId mapped to network.sessionId.
- ApplicationDisplayName, ApplicationId mapped to target.labels.
- FileSizeBytes mapped to target.file.size.
For existing Operation/Event "AddedToSecureLink" mapped following fields:
- TargetUserOrGroupName mapped to target.group.name if this is a group, else mapped to target.user.userid.
- TargetUserOrGroupType mapped to target.user.attribute.roles if TargetUserOrGroupType is not Group.
For existing Operation/Event "Add registered users to device." mapped following fields:
- ResultStatus mapped to securityResult.actionDetails.
- Based on ResultStatus enum value securityResult.action is mapped.
- AzureActiveDirectoryEventType mapped to security_result.summary. If AzureActiveDirectoryEventType = 0 then "AccountLogon" else if AzureActiveDirectoryEventType = 1 then "AzureApplicationAuditEvent".
- ModifiedProperties.[n].NewValue mapped to securityResult.description.
- target.[n].ID mapped to target.user.productObjectId if target.[n].type is 3, else mapped to target.user.userid if target.[n].type is 4 or 5.
For existing Operation/Event "Add registered users to device." mapped following fields:
- ModifiedProperties.[n].NewValue mapped to target.asset.asset_id if it is TargetId.DeviceId, else mapped to target.asset.platform_software.platform if it is TargetId.DeviceOSType, else mapped to target_software.version if it is DeviceOSVersion.
- ModifiedProperties.[n].NewValue mapped to target.labels based on ModifiedProperties.[n].Name values.
For existing Operation/Event "Add member to group." mapped following fields:
- actor.[n].ID mapped to principal.user.productObjectId if actor.[n].Type is 3.
For existing Operation/Event "MemberRemoved" mapped following fields:
- Previously UserId was always mapped to principal.user.userid; it is now mapped based on UserType values.
- Members.[0].displayName mapped to target.user.displayName.
- Members.[0].Role mapped to target.user.attribute.roles.
For existing Operation/Event "AddFolderPermissions" mapped following fields:
- LogonType mapped to extensions.auth.authDetails.
- Item.Id mapped to target.resource.id.
- Item.ParentFolder.MemberSid mapped to target.user.productObjectId.
- Item.ParentFolder.MemberUpn mapped to target.user.emailAddresses.
2022-03-28 Enhancement-Added mappings for new fields
Added the following new events: "AddedToSecureLink", "AccessRequestCreated", "AccessRequestApproved", "SiteCollectionAdminRemoved", "UserExpirationChanged".
TargetUserOrGroupName and TargetUserOrGroupType mapped for the following events: "AddedToSecureLink", "AddedToGroup", "AccessRequestCreated", "AccessRequestApproved", "SharingSet", "SharingRevoked", "SiteCollectionAdminAdded", "SiteCollectionAdminRemoved", "UserExpirationChanged".
TargetUserOrGroupName mapped to target.user.email_addresses if this is an email, else mapped to target.user.userid.
TargetUserOrGroupType mapped to target.user.attribute.roles.