Comments (4)
Great question, @ion-storm - the answer is "not yet" because we hadn't imported the script processor from libbeat until you brought this up.

I just pushed 9f1646f which imports that processor, and an example processor that does what you're asking in o365beat.dev.yml. In short, you can do the following:
```yaml
processors:
  - script:
      when:
        or:
          - has_fields: ['Parameters']
          - has_fields: ['ExtendedProperties']
      lang: javascript
      id: name_value_array_parser
      source: >
        function process(event){
          var processed = event.Get('processed') || {};
          // Parameters: array of {Name, Value} objects -> object keyed by Name
          var parameters = event.Get('Parameters');
          if(!!parameters && !!parameters.length){
            processed.Parameters = processed.Parameters || {};
            for(var i = 0; i < parameters.length; i++){
              var p = parameters[i];
              if(p.Name) processed.Parameters[p.Name] = p.Value;
            }
          }
          // ExtendedProperties: same shape, same treatment
          var extendedProperties = event.Get('ExtendedProperties');
          if(!!extendedProperties && !!extendedProperties.length){
            processed.ExtendedProperties = processed.ExtendedProperties || {};
            for(var i = 0; i < extendedProperties.length; i++){
              var p = extendedProperties[i];
              if(p.Name) processed.ExtendedProperties[p.Name] = p.Value;
            }
          }
          event.Put('processed', processed);
        }
```
This will create a field called "processed" with sub-fields for Parameters and ExtendedProperties, both of which contain an array of name-value pairs. It loops through those pairs and uses the names as keys, so

```json
"ExtendedProperties": [{"Name":"UserAgent","Value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"},{"Name":"UserAuthenticationMethod","Value":"12"},{"Name":"RequestType","Value":"OAuth2:Authorize"},{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"KeepMeSignedIn","Value":"False"}]
```

becomes

```json
"processed":{"ExtendedProperties":{"UserAuthenticationMethod":"12","RequestType":"OAuth2:Authorize","ResultStatusDetail":"Success","KeepMeSignedIn":"False","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"}}
```
A few caveats:
- This isn't part of a release yet, though it should be very soon - you won't be able to use it without building from source
- Duplicate keys will be overwritten by the last in the array
- I have no idea of the performance implications of this in production - caveat emptor
I'll close this issue when I've rolled this into a release. Thank you for the issue!
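The flattening the script above performs, as an added stand-alone example (not code from the o365beat project or the commenter): the same name/value logic written in ES 5.1 so it would also run under goja, with an assumed minimal `FakeEvent` shim in place of libbeat's event object and a constructed sample that includes a duplicate key and a Name-less entry to show how those edge cases are handled.

```javascript
// Added example, not o365beat code. FakeEvent is an assumed minimal stand-in
// for the libbeat event object (Get returns null for a missing field, Put sets).
function FakeEvent(fields) { this.fields = fields; }
FakeEvent.prototype.Get = function (key) {
  return Object.prototype.hasOwnProperty.call(this.fields, key) ? this.fields[key] : null;
};
FakeEvent.prototype.Put = function (key, value) { this.fields[key] = value; };

// Turn [{Name: ..., Value: ...}, ...] into an object keyed by Name.
// Entries without a Name are skipped; a repeated Name keeps the last value
// (the duplicate-key caveat). ES 5.1 only, so no arrow functions or let/const.
function flattenNameValueArray(pairs) {
  var out = {};
  if (!pairs || !pairs.length) return out;
  for (var i = 0; i < pairs.length; i++) {
    var p = pairs[i];
    if (p && p.Name) out[p.Name] = p.Value;
  }
  return out;
}

// Same body as the script processor entry point; in the beat config it must be
// named process(event), renamed here only to avoid clashing with Node's global.
function processEvent(event) {
  var processed = event.Get('processed') || {};
  var fields = ['Parameters', 'ExtendedProperties'];
  for (var i = 0; i < fields.length; i++) {
    var arr = event.Get(fields[i]);
    if (arr && arr.length) processed[fields[i]] = flattenNameValueArray(arr);
  }
  event.Put('processed', processed);
}

// Constructed sample modelled on the ExtendedProperties in the comment above,
// with a duplicate RequestType and a Name-less entry; Parameters is absent.
var sample = new FakeEvent({
  Operation: 'UserLoggedIn',
  ExtendedProperties: [
    { Name: 'UserAuthenticationMethod', Value: '12' },
    { Name: 'RequestType', Value: 'OAuth2:Authorize' },
    { Name: 'RequestType', Value: 'OAuth2:Token' },
    { Value: 'no Name here, should be skipped' },
    { Name: 'KeepMeSignedIn', Value: 'False' }
  ]
});

// Run the processor once and return the flattened result for inspection.
function runSample() {
  processEvent(sample);
  return sample.Get('processed');
}
```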
FYI: the script processor is powerful but it only supports ECMAScript 5.1 (via https://github.com/dop251/goja) so you don't get things like ES6 arrow functions or Array.forEach. Again, not sure about performance implications in your specific circumstance.
Also, working through this I noticed that when ExtendedProperties and Parameters are converted to strings using the convert processor, it doesn't serialize them into JSON - it gets close, but the string output is missing commas between objects in an array. We'll need better serialization there if people are going to try to parse those fields on the server side without undue hassle.
Included in release v1.5.1, along with docs in the README.