Microsoft365 ExtendedProperties

gianluca-valentini · December 12, 2022, 6:28pm

Hi,
using Grylog 4.3.7 i’m wrking with Microsoft 365 ingestion log.
Now the problem is ExtendedProperties like field.
I use the default json extractor but I have differente valure from input and extracted tag:
The log value is

“ExtendedProperties”: [
{
“Name”: “ResultStatusDetail”,
“Value”: “Redirect”
},
{
“Name”: “UserAgent”,
“Value”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36”
},
{
“Name”: “RequestType”,
“Value”: “OAuth2:Authorize”
}
]

while the graylog extracted one is

{Name=ResultStatusDetail, Value=Redirect}, {Name=UserAgent, Value=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36}, {Name=RequestType, Value=OAuth2:Authorize}

So how I can read it? I don’t understand the graylog conversion. It seems a map list but without quotes I cannot distinguish between the string and number values.

Can somebody help me to understand how to manage it?
Gianluca

gsmith · December 12, 2022, 11:59pm

Hello @gianluca-valentini

Not 100% sure what going on, what does your settings look like on the input,?

gianluca-valentini · December 13, 2022, 6:15am

Hi @gsmith
I have an UDP input

where I add a default Json extractor

So I show you a test message and the extracted ExtendedProperties

message
{“RecordType”:0.0,“UserAgent”:“Microsoft Office OneNote/16.0.5149.1000 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; WinTSI 06.12.2009;.NET CLR 3.0.30729; .NET4.0C)”,“host”:,“Actor”:,“Target”:,“ModifiedProperties”:[{“Name”:“windiff”,“NewValue”:“nuovo”,“OldValue”:“vecchio”}],“DissectObject”:{“UserObject”:{“id”:“aeng015”}},“Version”:0.0,“ExtendedProperties”:[{“Name”:“ResultStatusDetail”,“Value”:“Redirect”}],“AzureActiveDirectoryEventType”:0.0,“UserType”:0.0,“tags”:[ingestion],“DeviceProperties”:[{“Name”:“nome”,“Value”:1}],“CreationTime”:“2022-11-15T10:26:49”}

ExtendedProperties
{Name=ResultStatusDetail, Value=Redirect}

gianluca-valentini · December 15, 2022, 1:55pm

any idea about my problem?

gsmith · December 15, 2022, 10:49pm

Hello, @gianluca-valentini

I really havent worked with JSON extractors and to be honest a pipeline would be a lot better.
For example this post.

Failing JSON Extractor

system · December 29, 2022, 10:49pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Microsoft365 OperationProperties Graylog Central (peer support) pipeline-rules	7	326	August 4, 2023
Extracting JSON of varying content from a o365_extended_properties Graylog Central (peer support) pipeline-rules	2	435	November 5, 2023
Extractor key=value field type hints Graylog Central (peer support) pipeline-rules	4	1474	June 5, 2020
JSON extractor not working Graylog Central (peer support) pipeline-rules	10	5668	August 22, 2020
Extract string from field Graylog Central (peer support)	2	1161	March 15, 2018

Microsoft365 ExtendedProperties

Related Topics