From 6eb411fd6663039b3b42f7acbd692f8c2edd2ab6 Mon Sep 17 00:00:00 2001
From: Chris Berkhout
Date: Fri, 31 Jan 2025 15:09:32 +1100
Subject: [PATCH] [o365] Static fields for use by security rules (#12545)

Our security rules[1] use fields in `o365.audit.*`, some of which are dynamic fields. When the `total_fields` limit is reached, additional dynamic fields will be ignored, which can interfere with execution of the rules. This change adds static field definitions as necessary to never ignore fields used by the security rules.
[1]: https://github.com/elastic/integrations/tree/main/packages/security_detection_engine/kibana/security_rule
---
 packages/o365/changelog.yml | 5 +++++
 .../o365/data_stream/audit/fields/fields.yml | 18 ++++++++++++++++++
 packages/o365/docs/README.md | 9 +++++++++
 packages/o365/manifest.yml | 2 +-
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index bcfd26d6b6a..05315f40b3a 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.9.0"
+ changes:
+ - description: Static fields for use by security rules.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12545
 - version: "2.8.1"
 changes:
 - description: Silence absent URL complaints in debug logs.
diff --git a/packages/o365/data_stream/audit/fields/fields.yml b/packages/o365/data_stream/audit/fields/fields.yml
index 6f0b7013038..904f2a980f1 100644
--- a/packages/o365/data_stream/audit/fields/fields.yml
+++ b/packages/o365/data_stream/audit/fields/fields.yml
@@ -219,6 +219,8 @@
 object_type_mapping_type: '*'
 - name: Experience
 type: keyword
+ - name: ExtendedProperties.RequestType
+ type: keyword
 - name: ExtendedProperties.*
 type: object
 object_type: keyword
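Review bot: The new static definition of `ExtendedProperties.RequestType` in the `@@ -219` hunk (and likewise the `ModifiedProperties.Role_DisplayName.NewValue` and `Parameters.*` entries in the `@@ -275` and `@@ -303` hunks) records nothing about why it exists alongside the wildcard `ExtendedProperties.*` mapping that already covers it, so only the commit message explains that these fields are load-bearing for detection rules. A later cleanup could fold them back into the wildcard, and the failure described in the commit message is silent: once the `total_fields` limit is hit the dynamic field is ignored rather than rejected, and the rule simply stops matching. Each added field should carry a `description:` (the README table has an empty description column for every one of them) or at least a comment such as `# Mapped statically so it is never dropped under the total_fields limit; referenced by security_detection_engine rules.` Keeping that note next to the definition also tells a reviewer to re-check the rule set before renaming or retyping any of these fields.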
@@ -275,6 +277,8 @@
 type: keyword
 - name: Members
 type: flattened
+ - name: ModifiedProperties.Role_DisplayName.NewValue
+ type: keyword
 - name: ModifiedProperties.*.*
 type: object
 object_type: keyword
@@ -303,6 +307,20 @@
 type: keyword
 - name: OriginatingServer
 type: keyword
+ - name: Parameters.AccessRights
+ type: keyword
+ - name: Parameters.AllowFederatedUsers
+ type: keyword
+ - name: Parameters.AllowGuestUser
+ type: keyword
+ - name: Parameters.Enabled
+ type: keyword
+ - name: Parameters.ForwardAsAttachmentTo
+ type: keyword
+ - name: Parameters.ForwardTo
+ type: keyword
+ - name: Parameters.RedirectTo
+ type: keyword
 - name: Parameters.*
 type: object
 object_type: keyword
diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md
index da7ae91621f..0629e442515 100644
--- a/packages/o365/docs/README.md
+++ b/packages/o365/docs/README.md
@@ -291,6 +291,7 @@ An example event for `audit` looks as following:
 | o365.audit.ExchangeMetaData.UniqueID | | keyword |
 | o365.audit.Experience | | keyword |
 | o365.audit.ExtendedProperties.\* | | object |
+| o365.audit.ExtendedProperties.RequestType | | keyword |
 | o365.audit.ExternalAccess | | boolean |
 | o365.audit.FileSizeBytes | | long |
 | o365.audit.GroupName | | keyword |
@@ -316,6 +317,7 @@ An example event for `audit` looks as following:
 | o365.audit.MailboxOwnerUPN | | keyword |
 | o365.audit.Members | | flattened |
 | o365.audit.ModifiedProperties.\*.\* | | object |
+| o365.audit.ModifiedProperties.Role_DisplayName.NewValue | | keyword |
 | o365.audit.Name | | keyword |
 | o365.audit.NewValue | | keyword |
 | o365.audit.ObjectDisplayName | | keyword |
@@ -328,6 +330,13 @@ An example event for `audit` looks as following:
 | o365.audit.OrganizationName | | keyword |
 | o365.audit.OriginatingServer | | keyword |
 | o365.audit.Parameters.\* | | object |
+| o365.audit.Parameters.AccessRights | | keyword |
+| o365.audit.Parameters.AllowFederatedUsers | | keyword |
+| o365.audit.Parameters.AllowGuestUser | | keyword |
+| o365.audit.Parameters.Enabled | | keyword |
+| o365.audit.Parameters.ForwardAsAttachmentTo | | keyword |
+| o365.audit.Parameters.ForwardTo | | keyword |
+| o365.audit.Parameters.RedirectTo | | keyword |
 | o365.audit.Platform | | keyword |
 | o365.audit.PolicyDetails | | flattened |
 | o365.audit.PolicyId | | keyword |
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index 76740d7a7ef..be7fb2f77f9 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,6 +1,6 @@
 name: o365
 title: Microsoft Office 365
-version: "2.8.1"
+version: "2.9.0"
 description: Collect logs from Microsoft Office 365 with Elastic Agent.
 type: integration
 format_version: "3.0.2"