Microsoft365 OperationProperties

gianluca-valentini · July 19, 2023, 1:35pm

Hi,
connecting to m364 audit log I can see a message that I work using a json extractor.
In the message there is a field OperationProperties that is a json

but if I look it on the console or in my custom rule is appear as e map toString value

is there a way to have the value as json (so that I can extract them and set the name and value as feild in the message)?

This is the extractor that I use in the 365 input

Can somebody help me?

drewmiranda-gl · July 19, 2023, 4:42pm

Are you using the Office 365 Integrations?

If you are you should also have access to they Office 365 Content Pack which is available to licensed customers.

gianluca-valentini · July 19, 2023, 4:46pm

Thanks @drewmiranda-gl for your answer.
No, i’m not using it.
The M365 log are sent to graylog using API and then, using logstash via UPD the messages are sent to graylog
I cannot acces directly to m365

Gianluca

drewmiranda-gl · July 19, 2023, 9:53pm

Do you have any raw message fields that are not being parsed? Graylog has a really useful flatten_json pipeline function but you’d need access to the raw message (if that is possible).

Unfortunately once the value is saved in graylog as “not json” there isn’t any way to parse it as json. More complex matching rules would be needed.

gianluca-valentini · July 20, 2023, 8:40am

Hi @drewmiranda-gl
I can access to the raw message. Currently I added the json extractor in order to convert the text to json.
So you suggest me to use the flatten_json instead?
Can I ask you a snippet in order to understand how use it?
Maybe:
let new_fields= flatten_json(to_string($message.message), "OPTION_FLATTEN"); set_fields(new_fields);

can be good for you?

drewmiranda-gl · July 20, 2023, 3:26pm

Here is an example i use. Change the criteria to suite your needs.

rule "PARES flatten json"
when
    true
then
    let rsJson = flatten_json(
        value: to_string($message.message),
        array_handler: "flatten"
    );
    set_fields(to_map(rsJson), "json_");
end

See here for available options for the array_handler property.

Note that the text input MUST be valid json. You can use something like https://jsonlint.com/ to validate.

Hope that helps.

gianluca-valentini · July 21, 2023, 3:45pm

Hi,
it works as I expected!!!
Thanks a lot

system · August 4, 2023, 3:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Microsoft365 ExtendedProperties Graylog Central (peer support) pipeline-rules , key_value	5	1167	December 29, 2022
Can't extract from JSON Graylog Central (peer support) pipeline-rules	5	1756	September 7, 2020
JSON extractor not working Graylog Central (peer support) pipeline-rules	10	5686	August 22, 2020
Extract Json via Pipeline Graylog Central (peer support)	6	1820	August 8, 2022
Pipeline Rule doesn't see extracted fields but only a few $message properties like $message.message and $message.level Graylog Central (peer support) pipeline-rules , debuggingpl	4	2223	November 29, 2017

Microsoft365 OperationProperties

Related Topics