Hi,
connecting to the m365 audit log I can see a message that I process using a JSON extractor.
In the message there is a field OperationProperties that is JSON.
Thanks @drewmiranda-gl for your answer.
No, I'm not using it.
The M365 logs are sent to Graylog using the API and then, using Logstash via UDP, the messages are sent to Graylog.
I cannot access m365 directly.
Do you have any raw message fields that are not being parsed? Graylog has a really useful flatten_json pipeline function but you’d need access to the raw message (if that is possible).
Unfortunately once the value is saved in graylog as “not json” there isn’t any way to parse it as json. More complex matching rules would be needed.
Hi @drewmiranda-gl
I can access the raw message. Currently I added the JSON extractor in order to convert the text to JSON.
So you suggest that I use flatten_json instead?
Could you give me a snippet so I can understand how to use it?
Maybe: let new_fields = flatten_json(to_string($message.message), "OPTION_FLATTEN"); set_fields(new_fields);
Here is an example I use. Change the criteria to suit your needs.
rule "PARES flatten json"
when
  true
then
  let rsJson = flatten_json(
    value: to_string($message.message),
    array_handler: "flatten"
  );
  set_fields(to_map(rsJson), "json_");
end
See here for available options for the array_handler property.
Note that the text input MUST be valid json. You can use something like https://jsonlint.com/ to validate.
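As an added example (not part of the posts above, not Graylog's or the poster's own rule), here is a two-stage version of the same approach for the M365 case discussed in this thread. It assumes the raw audit record arrives as JSON text in the `message` field, that the field prefix `json_` is used, and that `OperationProperties` may itself arrive as a JSON string that survives the first flatten as `json_OperationProperties`; the `starts_with` guards only skip messages that clearly are not JSON objects or arrays, they do not validate the JSON.

```graylog
// Stage 1: flatten the whole M365 audit record into prefixed top-level fields.
// Guarded so that plain-text messages (which flatten_json cannot parse) are left alone.
rule "m365 flatten audit record"
when
  has_field("message") &&
  starts_with(to_string($message.message), "{")
then
  let record = flatten_json(
    value: to_string($message.message),
    array_handler: "flatten"   // arrays become key_0, key_1, ... fields
  );
  set_fields(to_map(record), "json_");
end

// Stage 2: if OperationProperties was embedded as a JSON string (assumed field
// name json_OperationProperties after stage 1), flatten it as well under its own prefix.
rule "m365 flatten OperationProperties"
when
  has_field("json_OperationProperties") &&
  (
    starts_with(to_string($message.json_OperationProperties), "{") ||
    starts_with(to_string($message.json_OperationProperties), "[")
  )
then
  let props = flatten_json(
    value: to_string($message.json_OperationProperties),
    array_handler: "flatten"
  );
  set_fields(to_map(props), "m365_op_");
end
```

Put both rules in the same pipeline with stage 2 placed after stage 1 so the `json_OperationProperties` field exists when the second rule is evaluated.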