o365: add mappings for AdditionalInfo.* and AppAccessContext.*

efd6 · efd6 · commit 685c12651d36 · 2023-11-03T08:08:20.000+10:30
These fields have been observed in the wild.
diff --git a/packages/o365/_dev/deploy/docker/config.yml b/packages/o365/_dev/deploy/docker/config.yml
@@ -100,7 +100,7 @@ rules:
         body: |-
           [
             {"OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-10T07:37:13", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "OrganizationFederatedMailbox", "Value": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "Id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b"},
-            {"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","Operation":"ModifyFolderPermissions","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIPAddress":"::1","Item":{"Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-640184314-1174341437-2555636127-1766693009-0","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","MemberUpn":"Owner@local","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 (15.20.229.32)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"284dfe85-ab53-48ad-0863-08d7b3cc81f7","UserType":2}
+            {"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","Operation":"ModifyFolderPermissions","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIPAddress":"::1","Item":{"Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-640184314-1174341437-2555636127-1766693009-0","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","MemberUpn":"Owner@local","Name":"Calendar"}},"AdditionalInfo":{"EnvironmentName":"Default-ae81357b-84e6-4e54-b02c-db7dddd1e869"},"AppAccessContext":{"ClientAppId":"89118fb4-83bf-46d9-bb84-78cca4c122d5"},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 (15.20.229.32)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"284dfe85-ab53-48ad-0863-08d7b3cc81f7","UserType":2}
           ]
   - path: /api/v1.0/tenant-id/activity/feed/subscriptions/content
     methods: [GET]
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
@@ -3,7 +3,10 @@
   changes:
     - description: Add start time fallback for responses that do not include the `startTime` query.
       type: bugfix
-      link: https://github.com/elastic/integrations/pull/1
+      link: https://github.com/elastic/integrations/pull/8374
+    - description: Add mappings for `o365.audit.AdditionalInfo.*` and `o365.audit.AppAccessContext.*`.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/8374
 - version: "1.25.0"
   changes:
     - description: Improve 'event.original' check to avoid errors if set.
diff --git a/packages/o365/data_stream/audit/fields/fields.yml b/packages/o365/data_stream/audit/fields/fields.yml
@@ -16,6 +16,10 @@
       type: keyword
     - name: ActorYammerUserId
       type: keyword
+    - name: AdditionalInfo.*
+      type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: AlertEntityId
       type: keyword
     - name: AlertId
@@ -24,6 +28,10 @@
       type: flattened
     - name: AlertType
       type: keyword
+    - name: AppAccessContext.*
+      type: object
+      object_type: keyword
+      object_type_mapping_type: '*'
     - name: AppId
       type: keyword
     - name: ApplicationDisplayName
diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md
@@ -228,10 +228,12 @@ An example event for `audit` looks as following:
 | o365.audit.ActorIpAddress |  | keyword |
 | o365.audit.ActorUserId |  | keyword |
 | o365.audit.ActorYammerUserId |  | keyword |
+| o365.audit.AdditionalInfo.\* |  | object |
 | o365.audit.AlertEntityId |  | keyword |
 | o365.audit.AlertId |  | keyword |
 | o365.audit.AlertLinks |  | flattened |
 | o365.audit.AlertType |  | keyword |
+| o365.audit.AppAccessContext.\* |  | object |
 | o365.audit.AppId |  | keyword |
 | o365.audit.ApplicationDisplayName |  | keyword |
 | o365.audit.ApplicationId |  | keyword |

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ rules:`
`100`	`100`	`body: \|-`
`101`	`101`	`[`
`102`	`102`	{"OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-10T07:37:13", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "OrganizationFederatedMailbox", "Value": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "Id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b"},
`103`		- {"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","Operation":"ModifyFolderPermissions","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIPAddress":"::1","Item":{"Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-640184314-1174341437-2555636127-1766693009-0","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","MemberUpn":"Owner@local","Name":"Calendar"}},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 (15.20.229.32)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"284dfe85-ab53-48ad-0863-08d7b3cc81f7","UserType":2}
	`103`	+ {"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","Operation":"ModifyFolderPermissions","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIPAddress":"::1","Item":{"Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-640184314-1174341437-2555636127-1766693009-0","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","MemberUpn":"Owner@local","Name":"Calendar"}},"AdditionalInfo":{"EnvironmentName":"Default-ae81357b-84e6-4e54-b02c-db7dddd1e869"},"AppAccessContext":{"ClientAppId":"89118fb4-83bf-46d9-bb84-78cca4c122d5"},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 (15.20.229.32)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"284dfe85-ab53-48ad-0863-08d7b3cc81f7","UserType":2}
`104`	`104`	`]`
`105`	`105`	`- path: /api/v1.0/tenant-id/activity/feed/subscriptions/content`
`106`	`106`	`methods: [GET]`