Parsing o365.audit.Data field for o365 Module

Hi folks,

I've had the o365 module for Filebeat working for a while. I've onboarded a new workload called:

o365.audit.Workload :"AirInvestigation"

The field is composed of nested JSON objects, just the same as the ExtendedProperties field.

Anyone know how to get this parsed correctly?

Thank you,

(Moving to the SIEM category as that Elastic team maintains this module).

Is it currently being ingested by the module?

Looking at the current content types we support it should grab these by default:

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.SharePoint
  • Audit.General
  • DLP.All

The module itself has some underlying JavaScript to preprocess some of the content, most likely including nested objects like these, but it kinda depends on how the data looks.

Is it a list of JSON objects like

[
  {
    "investigation": "1",
    "details": "somedetails"
  },
  {
    "investigation": "2",
    "details": "someotherdetails"
  }
]

It depends on the data and what you want to do with it. For example, if you only want to create an array of investigation details, let's say usernames, then you can use the foreach processor to run through the list of objects and append them to something. You can also modify it with a script processor, depending on your knowledge of programming.

If you could share a sample of the data and a bit about how you want it to look in the end, then I could maybe help you further.
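
An added example, not part of the thread and not the module's own code: one way the script-processor approach mentioned above could look for a Filebeat `script` processor written in JavaScript. It assumes `o365.audit.Data` arrives as a JSON string shaped like the sample list in the reply; the `o365.audit.air.*` target fields and the tag name are hypothetical.

```javascript
// Assumption: o365.audit.Data is a JSON string (or an already-decoded value)
// shaped like the sample list above. Target field names are hypothetical.

// Normalise the raw field into an array of plain objects, or report why not.
function parseData(raw) {
  if (raw === null || raw === undefined || raw === "") {
    return { items: [], error: null };
  }
  var value = raw;
  if (typeof raw === "string") {
    try {
      value = JSON.parse(raw);
    } catch (e) {
      return { items: [], error: "invalid_json" };
    }
  }
  if (!Array.isArray(value)) {
    value = [value]; // a single object is treated as a one-element list
  }
  var items = [];
  for (var i = 0; i < value.length; i++) {
    var v = value[i];
    if (v !== null && typeof v === "object" && !Array.isArray(v)) {
      items.push(v); // skip scalars and nested arrays
    }
  }
  return { items: items, error: null };
}

// In Filebeat, call this from the script's required entry point:
//   function process(event) { enrich(event); }
function enrich(event) {
  var parsed = parseData(event.Get("o365.audit.Data"));
  if (parsed.error) {
    // Leave the raw value untouched and tag the event so it can be triaged.
    event.Tag("o365_data_" + parsed.error);
    return;
  }
  if (parsed.items.length === 0) { return; }
  var ids = [];
  for (var i = 0; i < parsed.items.length; i++) {
    if (parsed.items[i].investigation !== undefined) {
      ids.push(String(parsed.items[i].investigation));
    }
  }
  event.Put("o365.audit.air.items", parsed.items);
  event.Put("o365.audit.air.investigations", ids);
}
```

Events whose `Data` value fails to decode keep the original string and only gain a tag, so malformed or unexpected audit records stay searchable instead of being dropped.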