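# props.conf — Splunk index-time and search-time settings for Microsoft 365 /
# Graph API sourcetypes. Splunk .conf files take full-line # comments only; a
# comment appended to a value line becomes part of the value.

# Message-trace events: lift the domain part out of the sender / recipient
# address so searches can aggregate by domain rather than by mailbox.
[ms:o365:reporting:messagetrace]

# Sender domain. The earlier pattern required exactly one-or-more whitespace
# after the colon (\s) and captured the domain with a greedy \S+; when the next
# JSON key follows on the same line without a space, \S+ backtracks only to the
# last quote before whitespace and captures `example.com","NextKey`. \s* also
# accepts compact JSON and [^\"]+ stops at the value's closing quote.
EXTRACT-o365_message_trace_SenderDomain = "SenderAddress\"\:\s*\"[^\@]+\@(?<SenderDomain>[^\"]+)\"

# Recipient domain, same pattern.
EXTRACT-o365_message_trace_RecipientDomain = "RecipientAddress\"\:\s*\"[^\@]+\@(?<RecipientDomain>[^\"]+)\"
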
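# Management Activity API events: search-time aliases onto common field names
# (signature, reason, app) plus lookups that decode enumerated values.
# Every REPORT-* and LOOKUP-* value names a stanza in transforms.conf, which is
# not part of this file.
[o365:management:activity]

# transforms.conf stanza NameValue (presumably a key/value extraction —
# confirm in transforms.conf).
REPORT-nameval = NameValue

# transforms.conf stanza SiteName (presumably the SharePoint site name —
# confirm in transforms.conf).
REPORT-site-extraction = SiteName

# Aliases. ASNEW only sets the target when it does not already exist, so
# fields produced by other extractions are never overwritten.
# NOTE(review): "Operation " is quoted because the source field name carries a
# trailing space. If the indexed field is really `Operation`, this alias never
# fires and anything keyed on `signature` silently misses — verify against live
# events. The same applies to "UserAuthenticationMethod " and "UserType " below.
FIELDALIAS-Operationsignature = "Operation " ASNEW signature

FIELDALIAS-LogonErrorreason = LogonError ASNEW reason

FIELDALIAS-Workloadapp = Workload ASNEW app

# Lookups. OUTPUTNEW without a field list adds every column of the lookup table
# that is not already present on the event.
# Decode the numeric RecordType.
LOOKUP-AuditLogRecordTypes = AuditLogRecordType Value AS RecordType OUTPUTNEW

# Decode the authentication-method code, keyed on record type name and value.
LOOKUP-AzureADAuthMethods = AzureADAuthenticationMethods RecordTypeName AS RecordTypeName Value AS "UserAuthenticationMethod " OUTPUTNEW

# Decode the numeric UserType.
LOOKUP-LoginUserType = UserType Value AS "UserType " OUTPUTNEW
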
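# Microsoft Graph API (Azure) JSON events: structured extraction at index time.
[graphapi:azure]

# Left empty as found; the event time is taken from TIMESTAMP_FIELDS below.
DATETIME_CONFIG =

# Parse the JSON at index time. Paired with KV_MODE = none so search-time
# auto-extraction does not produce a second copy of every field.
INDEXED_EXTRACTIONS = json

KV_MODE = none

# Break events on runs of CR/LF.
LINE_BREAKER = ([\r\n]+)

NO_BINARY_CHECK = true

# _time comes from this JSON key.
TIMESTAMP_FIELDS = createdDateTime

# %Q is Splunk's sub-second token. NOTE(review): there is no timezone token, so
# a trailing Z or offset in createdDateTime is not interpreted; the indexer's
# zone (or a TZ setting) applies — confirm against sample events.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%Q

# Sourcetype metadata; the description mirrors Splunk's built-in _json
# sourcetype. pulldown_type lists the sourcetype in the UI picker.
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true
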
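# Office 365 Cloud App Security alerts: structured JSON extraction at index time.
[o365:cloudsecurity:alerts]

# Left empty as found. NOTE(review): unlike [graphapi:azure] there is no
# TIMESTAMP_FIELDS / TIME_FORMAT here, so Splunk falls back to its default
# timestamp recognition on the raw text and to index time when nothing is
# recognised — confirm _time lands on the alert's own timestamp.
DATETIME_CONFIG =

# Parse the JSON at index time. Paired with KV_MODE = none so search-time
# auto-extraction does not produce a second copy of every field.
INDEXED_EXTRACTIONS = json

KV_MODE = none

# Break events on runs of CR/LF.
LINE_BREAKER = ([\r\n]+)

NO_BINARY_CHECK = true

# Sourcetype metadata; the description mirrors Splunk's built-in _json
# sourcetype. pulldown_type lists the sourcetype in the UI picker.
category = Custom
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true
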
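# User-agent normalisation. NOTE(review): the stanza name does not follow the
# vendor:product:feed pattern of the other stanzas — confirm it matches the
# sourcetype actually assigned to these events.
[UserAgent]

# Lower-case alias of the vendor field; ASNEW leaves an existing user_agent
# untouched.
FIELDALIAS-UserAgent = UserAgent ASNEW user_agent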