Microsoft365 OperationProperties

Connecting to the M365 audit log, I can see a message that I work on using a JSON extractor.
In the message there is a field, OperationProperties, that is JSON,

but if I look at it in the console or in my custom rule it appears as a map toString value.

Is there a way to have the value as JSON (so that I can extract them and set the name and value as fields in the message)?

This is the extractor that I use in the 365 input.

Can somebody help me?

Are you using the Office 365 Integrations?

If you are, you should also have access to the Office 365 Content Pack, which is available to licensed customers.

Thanks @drewmiranda-gl for your answer.
No, I'm not using it.
The M365 logs are sent to Graylog using the API and then, using Logstash via UDP, the messages are sent to Graylog.
I cannot access M365 directly.

Do you have any raw message fields that are not being parsed? Graylog has a really useful flatten_json pipeline function but you’d need access to the raw message (if that is possible).

Unfortunately once the value is saved in graylog as “not json” there isn’t any way to parse it as json. More complex matching rules would be needed.

Hi @drewmiranda-gl
I can access the raw message. Currently I added the JSON extractor in order to convert the text to JSON.
So you suggest I use flatten_json instead?
Can I ask you for a snippet in order to understand how to use it?

    let new_fields = flatten_json(to_string($message.message), "flatten");
    set_fields(to_map(new_fields));

Would this be good for you?

Here is an example I use. Change the criteria to suit your needs.

    rule "PARSE flatten json"
    when
        // only run on messages that actually carry a message field
        has_field("message")
    then
        // flatten the nested JSON; arrays are flattened into indexed keys
        let rsJson = flatten_json(
            value: to_string($message.message),
            array_handler: "flatten"
        );
        // write every flattened key as a message field with a "json_" prefix
        set_fields(to_map(rsJson), "json_");
    end

See here for available options for the array_handler property.

Note that the text input MUST be valid JSON. You can use something like to validate.

Hope that helps.

It works as I expected!!!
Thanks a lot
