Change log for OFFICE_365

Date Changes
2022-04-17 Enhancement - Added mappings for new fields.
TargetUserOrGroupName and TargetUserOrGroupType fields parsed for the following Office 365 event types:
"AccessRequestUpdated", "SharingInvitationCreated", "SharingInvitationAccepted".
2022-04-12 Enhancement - Added mappings for new fields.
Added the following new event: "TIUrlClickData".
Url mapped to target.url.
security_result.action_details and security_result.description mapped based on the UrlClickAction value.
UserIp mapped to principal.ip.
Added new event "InsightGenerated".
Description mapped to metadata.description.
For existing Operation/Event "DLPRuleMatch", mapped the following fields:
- PolicyId, PolicyName, Actions, RuleId, RuleMode, RuleName, Severity, SensitiveInformationTypeName, SharePointMetaData.FileID, SharePointMetaData.FileName, SharePointMetaData.FilePathUrl, SharePointMetaData.FileSize.
For existing Operation/Event "FileModifiedExtended", mapped the following fields:
- CorrelationId mapped to network.sessionId.
- ApplicationDisplayName, ApplicationId mapped to target.labels.
- FileSizeBytes mapped to target.file.size.
For existing Operation/Event "AddedToSecureLink", mapped the following fields:
- TargetUserOrGroupName mapped to target.group.name if it is a group, else mapped to target.user.userid.
- TargetUserOrGroupType mapped to target.user.attribute.roles if TargetUserOrGroupType is not Group.
For existing Operation/Event "Add registered users to device.", mapped the following fields:
- ResultStatus mapped to securityResult.actionDetails.
- Based on ResultStatus enum value securityResult.action is mapped.
- AzureActiveDirectoryEventType mapped to security_result.summary. If AzureActiveDirectoryEventType = 0 then "AccountLogon" else if AzureActiveDirectoryEventType = 1 then "AzureApplicationAuditEvent".
- ModifiedProperties.[n].NewValue mapped to securityResult.description.
- target.[n].ID mapped to target.user.productObjectId if target.[n].type is 3, else mapped to target.user.userid if target.[n].type is 4 or 5.
For existing Operation/Event "Add registered users to device.", mapped the following fields:
- ModifiedProperties.[n].NewValue mapped to target.asset.asset_id if it is TargetId.DeviceId, else mapped to target.asset.platform_software.platform if it is TargetId.DeviceOSType, else mapped to target_software.version if it is DeviceOSVersion.
- ModifiedProperties.[n].NewValue mapped to target.labels based on ModifiedProperties.[n].Name values.
For existing Operation/Event "Add member to group.", mapped the following fields:
- actor.[n].ID mapped to principal.user.productObjectId if actor.[n].Type is 3.
For existing Operation/Event "MemberRemoved", mapped the following fields:
- Previously, UserId was always mapped to principal.user.userid; it is now mapped based on the UserType value.
- Members.[0].displayName mapped to target.user.displayName.
- Members.[0].Role mapped to target.user.attribute.roles.
For existing Operation/Event "AddFolderPermissions", mapped the following fields:
- LogonType mapped to extensions.auth.authDetails.
- Item.Id mapped to target.resource.id.
- Item.ParentFolder.MemberSid mapped to target.user.productObjectId.
- Item.ParentFolder.MemberUpn mapped to target.user.emailAddresses.
2022-03-28 Enhancement - Added mappings for new fields.
Added the following new events: "AddedToSecureLink", "AccessRequestCreated", "AccessRequestApproved", "SiteCollectionAdminRemoved", "UserExpirationChanged".
TargetUserOrGroupName and TargetUserOrGroupType mapped for the following events: "AddedToSecureLink", "AddedToGroup", "AccessRequestCreated", "AccessRequestApproved", "SharingSet", "SharingRevoked", "SiteCollectionAdminAdded", "SiteCollectionAdminRemoved", "UserExpirationChanged".
TargetUserOrGroupName mapped to target.user.email_addresses if it is an email address, else mapped to target.user.userid.
TargetUserOrGroupType mapped to target.user.attribute.roles.
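
Added example (not the parser's own code): a Python sketch of the conditional rules the 2022-04-12 entry states for "Add registered users to device.", useful for checking which UDM field a detection rule should query. The raw key names "Target", "ID", "Type", "ModifiedProperties" and "Name", the function name, and the sample event are assumptions made for illustration; UDM field names are copied as written in the entry.

```python
# Illustration only, not the OFFICE_365 parser. Implements just the rules with
# explicit conditions from the 2022-04-12 "Add registered users to device." entry.

AAD_EVENT_TYPE = {0: "AccountLogon", 1: "AzureApplicationAuditEvent"}
# ModifiedProperties.[n].Name -> UDM field, spelled as in the change log.
DEVICE_PROPERTY_FIELDS = {
    "TargetId.DeviceId": "target.asset.asset_id",
    "TargetId.DeviceOSType": "target.asset.platform_software.platform",
    "DeviceOSVersion": "target_software.version",
}

def map_add_registered_users(event):
    """Return a flat {udm_field: value} dict for one raw audit event."""
    udm = {}
    if "ResultStatus" in event:
        udm["securityResult.actionDetails"] = event["ResultStatus"]
    summary = AAD_EVENT_TYPE.get(event.get("AzureActiveDirectoryEventType"))
    if summary:
        udm["security_result.summary"] = summary
    for tgt in event.get("Target", []):
        ttype = int(tgt.get("Type", -1))
        if ttype == 3:
            udm["target.user.productObjectId"] = tgt["ID"]
        elif ttype in (4, 5):  # other Type values are not covered by the entry
            udm["target.user.userid"] = tgt["ID"]
    for prop in event.get("ModifiedProperties", []):
        field = DEVICE_PROPERTY_FIELDS.get(prop.get("Name"))
        if field:
            udm[field] = prop.get("NewValue")
    return udm

SAMPLE_EVENT = {  # constructed sample, not a real log record
    "Operation": "Add registered users to device.",
    "ResultStatus": "Success",
    "AzureActiveDirectoryEventType": 1,
    "Target": [
        {"ID": "00000000-0000-0000-0000-000000000001", "Type": 3},
        {"ID": "user@example.com", "Type": 5},
    ],
    "ModifiedProperties": [
        {"Name": "TargetId.DeviceId", "NewValue": "device-0001"},
        {"Name": "TargetId.DeviceOSType", "NewValue": "Windows"},
        {"Name": "DeviceOSVersion", "NewValue": "10.0.19044"},
    ],
}

if __name__ == "__main__":
    for name, value in sorted(map_add_registered_users(SAMPLE_EVENT).items()):
        print(f"{name} = {value}")
```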