Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[o365] Add extra values to related.user #8803

Merged
merged 3 commits into from
Jan 18, 2024
Merged

[o365] Add extra values to related.user #8803

merged 3 commits into from
Jan 18, 2024

Conversation

chrisberkhout
Copy link
Contributor

@chrisberkhout chrisberkhout commented Dec 28, 2023
edited
Loading

Proposed commit message

[o365] Add extra values to `related.user` (#8803)

The `o365.audit.Parameters.User` value will be added to `related.user`,
when it is populated.

The `o365.audit.Data.*` fields `f3u`, `suid`, `tsd` and `trc` seem to
have values that match the format of an email address, and will be added
to `related.user` in those cases.

Discussion

These changes were suggested by a user in #4319.

Available example data includes o365.audit.Parameters.User values such as

EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management
EURPR01A002.prod.outlook.com/Microsoft Exchange Hosted Organizations/testsiem.onmicrosoft.com/Discovery Management

Available example data shows the o365.audit.Data.* fields f3u, suid, tsd and trc as having values that match the format of an email address. The user.email and user.id fields could potentially be populated with these values, but given the undocumented and uncertain meaning of the fields, I have chosen to add values that appear to be email addresses to related.user to aid discovery, and I will leave any further interpretation of these values to integration users.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

How to test this PR locally

elastic-package stack up -d
elastic-package build -v && elastic-package install -v
elastic-package test -v

Related issues

@chrisberkhout chrisberkhout self-assigned this Dec 28, 2023
@chrisberkhout chrisberkhout changed the title [o365] Add extra values to related.url [o365] Add extra values to related.user Dec 28, 2023
@chrisberkhout chrisberkhout mentioned this pull request Dec 28, 2023
Closed
@elasticmachine
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@chrisberkhout chrisberkhout marked this pull request as ready for review January 17, 2024 15:45
@chrisberkhout chrisberkhout requested a review from a team as a code owner January 17, 2024 15:45
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6
efd6 approved these changes Jan 18, 2024
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after version bump change.

packages/o365/changelog.yml Outdated Show resolved Hide resolved
packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml Show resolved Hide resolved
packages/o365/manifest.yml Outdated Show resolved Hide resolved
chrisberkhout and others added 2 commits January 18, 2024 11:58
@chrisberkhout @efd6
Update packages/o365/changelog.yml
4fa9354 
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@chrisberkhout @efd6
Update packages/o365/manifest.yml
87488ef 
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @chrisberkhout

@chrisberkhout chrisberkhout merged commit 8d10ffc into elastic:main Jan 18, 2024
3 checks passed
@chrisberkhout chrisberkhout deleted the o365-extra-related-user-values branch January 18, 2024 11:17
@elasticmachine
Copy link

Package o365 - 2.1.0 containing this change is available at https://epr.elastic.co/search?package=o365

@chrisberkhout chrisberkhout mentioned this pull request Jan 22, 2024
Closed
@jvalente-salemstate jvalente-salemstate mentioned this pull request May 20, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@chrisberkhout chrisberkhout

Labels
enhancement New feature or request Integration:o365
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@chrisberkhout @elasticmachine @efd6