
Office 365 integration is missing awareness of additional Office 365 Audit API audit log record types #3380

Closed
colin-stubbs opened this issue May 19, 2022 · 2 comments
Assignees
Labels
8.4 candidate enhancement New feature or request Integration:o365 Microsoft Office 365

Comments

@colin-stubbs
Contributor

colin-stubbs commented May 19, 2022

Current map from o365audit.RecordType only maps up to 66 -> "MicrosoftForms"

Microsoft now defines audit log record types up to 148 as per: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32

A secondary issue is that the ingest pipeline for the integration only supports ECS mapping for a sub-set of record types, e.g.

  1. ExchangeAdmin ( 1 )
  2. ExchangeItem ( 2 )
  3. AzureActiveDirectory ( 8 )
  4. AzureActiveDirectoryStsLogon ( 15 )
  5. SharePointFileOperation ( 56 )
  6. SecurityComplianceAlerts ( 42 )
  7. ComplianceDLPSharePoint ( 11 )
  8. ComplianceDLPExchange ( 13 )
  9. Yammer ( 22 )
  10. MicrosoftTeams ( 25 )

There will be great value in also ensuring the following record types are mapped appropriately, particularly to trigger alerts in Elastic Security via the normal External Alerts rule when event.kind: alert is set.

This is primarily to support "Microsoft Defender for Office 365", which IS NOT the same as Microsoft 365 Defender. Refer to: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/overview?view=o365-worldwide

| Value | Member name | Description | Do we have a sample yet? |
|---|---|---|---|
| 28 | ThreatIntelligence | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365. | YES |
| 29 | MailSubmission | Submission events from Exchange Online Protection and Microsoft Defender for Office 365. | YES |
| 34 | ThreatFinder | Campaign-related events from Microsoft Defender for Office 365. | NO |
| 41 | ThreatIntelligenceUrl | Safe links time-of-block and block override events from Microsoft Defender for Office 365. | YES |
| 47 | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Microsoft Defender for Office 365. | YES |
| 61 | InformationWorkerProtection | Events related to compromised user alerts. | NO |
| 62 | Campaign | Email campaign events from Microsoft Defender for Office 365. | NO |
| 90 | MSTIC | Threat intelligence events in Microsoft Defender for Office 365. | NO |

The above, in some cases, MAY overlap with the Microsoft 365 Defender/ATP integration, however from what I've seen from live logs ingested via Microsoft 365 Defender/ATP integrations, they do not.
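Added example (not from the issue author and not the Elastic o365 integration's own ingest pipeline): a small Python normaliser that shows the two gaps described above. It maps the numeric `RecordType` to its enum name using only the values named in this issue, keeps an unknown value (such as 148) as a string instead of dropping it and tags the event so the gap is visible, and sets `event.kind: alert` for the Defender for Office 365 record types so that an External Alerts style rule would fire. The choice of which record types become alerts, the `missing_record_types` coverage check, and the sample records are assumptions made for this example; the real enum has gaps below 148, so the check is a rough upper bound, not the authoritative list.

```python
# Subset of the Office 365 Management Activity API AuditLogRecordType enum,
# using only the values named in this issue. Microsoft's full enum goes up to 148
# (see the schema link in the issue); anything not listed here is "unmapped".
RECORD_TYPE_NAMES = {
    1: "ExchangeAdmin",
    2: "ExchangeItem",
    8: "AzureActiveDirectory",
    11: "ComplianceDLPSharePoint",
    13: "ComplianceDLPExchange",
    15: "AzureActiveDirectoryStsLogon",
    22: "Yammer",
    25: "MicrosoftTeams",
    28: "ThreatIntelligence",
    29: "MailSubmission",
    34: "ThreatFinder",
    41: "ThreatIntelligenceUrl",
    42: "SecurityComplianceAlerts",
    47: "ThreatIntelligenceAtpContent",
    56: "SharePointFileOperation",
    61: "InformationWorkerProtection",
    62: "Campaign",
    66: "MicrosoftForms",
    90: "MSTIC",
}

# Assumption for this example: the Defender for Office 365 record types requested in
# the issue (plus compromised-user alerts, 61) are surfaced as ECS event.kind "alert".
ALERT_RECORD_TYPES = {28, 29, 34, 41, 47, 61, 62, 90}

# Constructed sample records in the shape of Management Activity API output.
SAMPLE_RECORDS = [
    {"RecordType": 28, "CreationTime": "2022-05-19T01:02:03", "Operation": "TIMailData",
     "UserId": "user@example.invalid"},
    {"RecordType": 1, "CreationTime": "2022-05-19T01:05:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.invalid"},
    {"RecordType": 148, "CreationTime": "2022-05-19T01:07:00", "Operation": "SomeNewOperation",
     "UserId": "user@example.invalid"},
]


def normalize(record: dict) -> dict:
    """Return an ECS-flavoured event for one audit record.

    An unknown RecordType is not dropped: the numeric value is kept as a string in
    o365audit.RecordType and the event is tagged, so missing mappings show up in the
    data (and can be counted) instead of silently falling through.
    """
    raw = record.get("RecordType")
    name = RECORD_TYPE_NAMES.get(raw)
    event = {
        "@timestamp": record.get("CreationTime"),
        "o365audit": {"RecordType": name if name is not None else str(raw)},
        "event": {
            "kind": "alert" if raw in ALERT_RECORD_TYPES else "event",
            "action": record.get("Operation"),
            "provider": "Office 365",
        },
        "user": {"id": record.get("UserId")},
    }
    if name is None:
        event["tags"] = ["unmapped_record_type"]
    return event


def missing_record_types(upper: int = 148) -> list:
    """Rough coverage check: which integers 1..upper have no name in our map.

    Treats every integer as a candidate; the real enum skips some values, so this
    over-reports. It is still a quick way to see how far behind the mapping is.
    """
    return sorted(v for v in range(1, upper + 1) if v not in RECORD_TYPE_NAMES)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ev = normalize(rec)
        print(ev["o365audit"]["RecordType"], ev["event"]["kind"], ev.get("tags", []))
    print(f"{len(missing_record_types())} of 148 candidate values have no mapping")
```

Running the coverage check against a real pipeline would mean loading the pipeline's own `RecordType` map instead of the subset embedded here; the point of the tag is that a saved search on `tags: unmapped_record_type` tells you which values are actually arriving from your tenant before they get a name.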

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds

Closing, as the record types listed above are now supported.
