Skip to content

Commit

Permalink
x-pack/filebeat/module/o365: add record types beyond 66 (#32217)
Browse files Browse the repository at this point in the history 
Types added from
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32
  • Loading branch information
@efd6 @chrisberkhout
efd6 authored and chrisberkhout committed Jun 1, 2023
1 parent 232761b commit dee75e5
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
- Add authentication fields to RabbitMQ module documents. {issue}31159[31159] {pull}31680[31680]
- Add template helper function for decoding hexadecimal strings. {pull}31886[31886]
- Add new `parser` called `include_message` to filter based on message contents. {issue}31794[31794] {pull}32094[32094]
- Extend list of mapped record types in o365 Audit module. {pull}32217[32217]

*Auditbeat*

Expand Down
62 changes: 62 additions & 0 deletions x-pack/filebeat/module/o365/audit/config/pipeline.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -784,41 +784,103 @@ function AuditProcessor(tenant_names, debug) {
4: 'SharePoint', // SharePoint events.
6: 'SharePointFileOperation', // SharePoint file operation events.
8: 'AzureActiveDirectory', // Azure Active Directory events.
7: 'OneDrive', // OneDrive for Business events.
9: 'AzureActiveDirectoryAccountLogon', // Azure Active Directory OrgId logon events (deprecating).
10: 'DataCenterSecurityCmdlet', // Data Center security cmdlet events.
11: 'ComplianceDLPSharePoint', // Data loss protection (DLP) events in SharePoint and OneDrive for Business.
12: 'Sway', // Events from the Sway service and clients.
13: 'ComplianceDLPExchange', // Data loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported.
14: 'SharePointSharingOperation', // SharePoint sharing events.
15: 'AzureActiveDirectoryStsLogon', // Secure Token Service (STS) logon events in Azure Active Directory.
16: 'SkypeForBusinessPSTNUsage', // Public Switched Telephone Network (PSTN) events from Skype for Business.
17: 'SkypeForBusinessUsersBlocked', // Blocked user events from Skype for Business.
18: 'SecurityComplianceCenterEOPCmdlet', // Admin actions from the Security & Compliance Center.
19: 'ExchangeAggregatedOperation', // Aggregated Exchange mailbox auditing events.
20: 'PowerBIAudit', // Power BI events.
21: 'CRM', // Microsoft CRM events.
22: 'Yammer', // Yammer events.
23: 'SkypeForBusinessCmdlets', // Skype for Business events.
24: 'Discovery', // Events for eDiscovery activities performed by running content searches and managing eDiscovery cases in the Security & Compliance Center.
25: 'MicrosoftTeams', // Events from Microsoft Teams.
28: 'ThreatIntelligence', // Phishing and malware events from Exchange Online Protection and Office 365 Advanced Threat Protection.
29: 'MailSubmission', // Submission events from Exchange Online Protection and Microsoft Defender for Office 365.
30: 'MicrosoftFlow', // Microsoft Power Automate (formerly called Microsoft Flow) events.
31: 'AeD', // Advanced eDiscovery events.
32: 'MicrosoftStream', // Microsoft Stream events.
33: 'ComplianceDLPSharePointClassification', // Events related to DLP classification in SharePoint.
34: 'ThreatFinder', // Campaign-related events from Microsoft Defender for Office 365.
35: 'Project', // Microsoft Project events.
36: 'SharePointListOperation', // SharePoint List events.
37: 'SharePointCommentOperation', // SharePoint comment events.
38: 'DataGovernance', // Events related to retention policies and retention labels in the Security & Compliance Center
39: 'Kaizala', // Kaizala events.
40: 'SecurityComplianceAlerts', // Security and compliance alert signals.
41: 'ThreatIntelligenceUrl', // Safe links time-of-block and block override events from Office 365 Advanced Threat Protection.
42: 'SecurityComplianceInsights', // Events related to insights and reports in the Office 365 security and compliance center.
43: 'MIPLabel', // Events related to the detection in the Transport pipeline of email messages that have been tagged (manually or automatically) with sensitivity labels.
44: 'WorkplaceAnalytics', // Workplace Analytics events.
45: 'PowerAppsApp', // Power Apps events.
46: 'PowerAppsPlan', // Subscription plan events for Power Apps.
47: 'ThreatIntelligenceAtpContent', // Phishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Office 365 Advanced Threat Protection.
48: 'LabelContentExplorer', // Events related to data classification content explorer.
49: 'TeamsHealthcare', // Events related to the Patients application in Microsoft Teams for Healthcare.
50: 'ExchangeItemAggregated', // Events related to the MailItemsAccessed mailbox auditing action.
51: 'HygieneEvent', // Events related to outbound spam protection.
52: 'DataInsightsRestApiAudit', // Data Insights REST API events.
53: 'InformationBarrierPolicyApplication', // Events related to the application of information barrier policies.
54: 'SharePointListItemOperation', // SharePoint list item events.
55: 'SharePointContentTypeOperation', // SharePoint list content type events.
56: 'SharePointFieldOperation', // SharePoint list field events.
57: 'MicrosoftTeamsAdmin', // Teams admin events.
58: 'HRSignal', // Events related to HR data signals that support the Insider risk management solution.
59: 'MicrosoftTeamsDevice', // Teams device events.
60: 'MicrosoftTeamsAnalytics', // Teams analytics events.
61: 'InformationWorkerProtection', // Events related to compromised user alerts.
62: 'Campaign', // Email campaign events from Microsoft Defender for Office 365.
63: 'DLPEndpoint', // Endpoint DLP events.
64: 'AirInvestigation', // Automated incident response (AIR) events.
65: 'Quarantine', // Quarantine events.
66: 'MicrosoftForms', // Microsoft Forms events.
67: 'ApplicationAudit', // Application audit events.
68: 'ComplianceSupervisionExchange', // Events tracked by the Communication compliance offensive language model.
69: 'CustomerKeyServiceEncryption', // Events related to the customer key encryption service.
70: 'OfficeNative', // Events related to sensitivity labels applied to Office documents.
71: 'MipAutoLabelSharePointItem', // Auto-labeling events in SharePoint.
72: 'MipAutoLabelSharePointPolicyLocation', // Auto-labeling policy events in SharePoint.
73: 'MicrosoftTeamsShifts', // Teams Shifts events.
75: 'MipAutoLabelExchangeItem', // Auto-labeling events in Exchange.
76: 'CortanaBriefing', // Briefing email events.
78: 'WDATPAlerts', // Events related to alerts generated by Windows Defender for Endpoint.
82: 'SensitivityLabelPolicyMatch', // Events generated when the file labeled with a sensitivity label is opened or renamed.
83: 'SensitivityLabelAction', // Event generated when sensitivity labels are applied, updated, or removed from a file.
84: 'SensitivityLabeledFileAction', // Events generated when a file labeled with a sensitivity label is opened or renamed.
85: 'AttackSim', // Attack simulator events.
86: 'AirManualInvestigation', // Events related to manual investigations in Automated investigation and response (AIR).
87: 'SecurityComplianceRBAC', // Security and compliance RBAC events.
88: 'UserTraining', // Attack simulator training events in Microsoft Defender for Office 365.
89: 'AirAdminActionInvestigation', // Events related to admin actions in Automated investigation and response (AIR).
90: 'MSTIC', // Threat intelligence events in Microsoft Defender for Office 365.
91: 'PhysicalBadgingSignal', // Events related to physical badging signals that support the Insider risk management solution.
93: 'AipDiscover', // Azure Information Protection (AIP) scanner events.
94: 'AipSensitivityLabelAction', // AIP sensitivity label events.
95: 'AipProtectionAction', // AIP protection events.
96: 'AipFileDeleted', // AIP file deletion events.
97: 'AipHeartBeat', // AIP heartbeat events.
98: 'MCASAlerts', // Events corresponding to alerts triggered by Microsoft Cloud App Security.
99: 'OnPremisesFileShareScannerDlp', // Events related to scanning for sensitive data on file shares.
100: 'OnPremisesSharePointScannerDlp', // Events related to scanning for sensitive data in SharePoint.
101: 'ExchangeSearch', // Events related to using Outlook on the web (OWA) to search for mailbox items.
102: 'SharePointSearch', // Events related to searching an organization's SharePoint home site.
103: 'PrivacyInsights', // Privacy insight events.
105: 'MyAnalyticsSettings', // MyAnalytics events.
106: 'SecurityComplianceUserChange', // Events related to modifying or deleting a user.
107: 'ComplianceDLPExchangeClassification', // Exchange DLP classification events.
109: 'MipExactDataMatch', // Exact Data Match (EDM) classification events.
113: 'MS365DCustomDetection', // Events related to custom detection actions in Microsoft 365 Defender.
147: 'CoreReportingSettings', // Reports settings events.
148: 'ComplianceConnector', // Events related to importing non-Microsoft data using data connectors in the Microsoft Purview compliance portal.
174: 'DataShareOperation', // Events related to sharing of data ingested via SystemSync.
181: 'EduDataLakeDownloadOperation', // Events related to the export of SystemSync ingested data from the lake.
},
}));

Expand Down

0 comments on commit dee75e5

Please sign in to comment.