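# Splunk props.conf-style settings for Microsoft 365 / Graph API sourcetypes.
# Comments are full-line "#" only; text after a value is read as part of the value.

# Message trace events: derive sender and recipient domains from the JSON addresses.
[ms:o365:reporting:messagetrace]
# The leading and trailing double quotes are regex literals matching the JSON
# quotes around the key and the value; they are not string delimiters.
# NOTE(review): the source carried "(?\S+)", which is not a valid group, and an
# EXTRACT needs a named capture group to produce a field. The group names below
# are inferred from the EXTRACT class names; confirm them against the searches
# and detections that consume these fields.
# NOTE(review): \S+ is greedy; if events can arrive as compact JSON with no
# whitespace after the value, consider [^\"\s]+ so the capture stops at the
# closing quote.
EXTRACT-o365_message_trace_SenderDomain = "SenderAddress\"\:\s\"[^\@]+\@(?<SenderDomain>\S+)\"
EXTRACT-o365_message_trace_RecipientDomain = "RecipientAddress\"\:\s\"[^\@]+\@(?<RecipientDomain>\S+)\"

# Management activity (audit) events: transforms, field aliases and lookups.
[o365:management:activity]
# NameValue and SiteName refer to transforms stanzas that are not part of this file.
REPORT-nameval = NameValue
REPORT-site-extraction = SiteName
# ASNEW creates the alias only when the target field is not already present.
# NOTE(review): the quoted source field "Operation " ends with a space; confirm
# this matches the real field name, otherwise "signature" is never populated.
FIELDALIAS-Operationsignature = "Operation " ASNEW signature
FIELDALIAS-LogonErrorreason = LogonError ASNEW reason
FIELDALIAS-Workloadapp = Workload ASNEW app
# OUTPUTNEW does not overwrite fields that already exist on the event.
# NOTE(review): no output fields are listed after OUTPUTNEW, and two quoted event
# field names end with a space; verify that each lookup returns the intended
# columns and that the match fields exist as written.
LOOKUP-AuditLogRecordTypes = AuditLogRecordType Value AS RecordType OUTPUTNEW
LOOKUP-AzureADAuthMethods = AzureADAuthenticationMethods RecordTypeName AS RecordTypeName Value AS "UserAuthenticationMethod " OUTPUTNEW
LOOKUP-LoginUserType = UserType Value AS "UserType " OUTPUTNEW

# Graph API events: structured JSON parsing with an explicit timestamp field.
[graphapi:azure]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
# Search-time key/value extraction is off so the JSON fields are not extracted twice.
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = createdDateTime
# NOTE(review): the format has no zone specifier and no TZ is set in this stanza;
# confirm which time zone is applied to createdDateTime, since skewed event times
# distort alert timelines and correlation windows.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%Q
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true

# Cloud security alerts: structured JSON parsing.
[o365:cloudsecurity:alerts]
# NOTE(review): unlike [graphapi:azure], no TIMESTAMP_FIELDS or TIME_FORMAT is set
# here; confirm that the event time assigned to alerts is the one detections expect.
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true

# NOTE(review): a bare stanza name is matched as a sourcetype; confirm that a
# sourcetype named UserAgent exists, otherwise this alias never applies.
[UserAgent]
FIELDALIAS-UserAgent = UserAgent ASNEW user_agent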