Hello Team
We have integrated O365 Azure General for our customers to monitor the logs through our SIEM solutions. During the monitoring phase of Security and Compliance alerts from Azure General we have come across a couple of challenges. I have listed the challenges below along with sample examples we collected from our customers. Request you to please look into this and help us with the queries raised.
Issue 1: Each alert from Security and Compliance has a different field capturing the user name involved in the activity. A few alerts have the user name captured in "AlertEntityId" and a few other alerts have the user name in "f3u", "trc", "UserId", etc. We have to parse the user name value into one of the standard fields in our SIEM solution. Can you please let us know all the possible fields where the user name can be expected to be seen in the Security and Compliance alerts.
Here are a few of the examples where the user name is captured in different fields.
Example: 1
{"CreationTime":"2022-01-07T01:47:39","Id":"cannot be shared","Operation":"AlertTriggered","OrganizationId":"cannot be shared","RecordType":40,"ResultStatus":"Succeeded","UserKey":"SecurityComplianceAlerts","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cannot be shared","UserId":"SecurityComplianceAlerts","AlertId":"9a65d670-2e44-d35d-0200-08d9d17f988c","AlertLinks":[{"AlertLinkHref":""}],"AlertType":"System","Category":"ThreatManagement","Comments":"New alert","Data":{"f3u":"test@keyman .com","ts":"2022-01-07T01:46:00.0000000Z","te":"2022-01-07T01:47:00.0000000Z","op":"eDiscoverySearchStartedOrExported","wl":"SecurityComplianceCenter","tid":"cannot be shared","tdc":"1","reid":"cannot be shared","rid":"cannot be shared","cid":"cannot be shared","ad":"The alert is triggered when users start content searches or eDiscovery searches or when search results are downloaded or exported -V1.0.0.1","lon":"eDiscoverySearchStartedOrExported","an":"eDiscovery search started or exported","sev":"Informational"},"Name":"eDiscovery search started or exported","PolicyId":"cannot be shared","Severity":"Informational","Source":"Office 365 Security & Compliance","Status":"Active"}
Example: 2
{"CreationTime":"2022-01-07T10:33:01","Id":"Cannot be shared","Operation":"AlertEntityGenerated","OrganizationId":"Cannot be shared","RecordType":40,"ResultStatus":"Succeeded","UserKey":"SecurityComplianceAlerts","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"Cannot be shared","UserId":"SecurityComplianceAlerts","AlertEntityId":"e23daf0d-d35d-472a-21af-08d9cf9b1333-4534686441061676516-1","AlertId":"cannot be shared","AlertLinks":[{"AlertLinkHref":""}],"AlertType":"System","Category":"ThreatManagement","Comments":"New alert","Data":{"etype":"MalwareFamily","at":"2022-01-07T10:30:12.2317606Z","md":"2022-01-04T15:58:44.0000000Z","sip":"X.X.X.X","ms":"John, Demo Vonage | Receive a JBL Charge 4 Waterproof Bluetooth Speaker","imsgid":"<0100017e25d05d3d-99c96535-9e78-4fb4-98c0-2e50a900657e-000000@tiedtlaw email .amazonses.com>","ttdt":"2022-01-07T10:30:12.2317606Z","ttr":"Success_MessageQuarantined","dm":"Campaign","eid":"e67adg1s-f89d-173a-13ed-04f8va3a2111-4534686441061676516-1","aii":"g45klj7f-f45u-376e-12fg-9089gr9b1333","thn":"Phish, Malicious","ts":"2022-01-07T10:29:12.2317606Z","te":"2022-01-07T10:31:12.2317606Z","fvs":"Filters","tpt":"HostedContentFilterPolicy","tpid":"d4y2c90c-2fce-4890f-a3e2-3f17896ba6889","tid":"4e123dd-a89c-23d1-9b45-abbab3596529","tht":"Phish, Malicious","trc":"test1@keyman .com","tsd":"test2@keyman .com","tdc":"1","cpid":"CCG8G11D.F1RR4TY.4BE345D4.R0EF7865.200B2","lon":"Protection"},"EntityType":"MalwareFamily","Name":"Email messages from a campaign removed after delivery","PolicyId":"c8522cbb-9368-4t56-4bb9-09d9d888dabc","Severity":"Informational","Source":"Office 365 Security & Compliance","Status":"Active"}
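One way to normalise the user name out of these alerts on the SIEM side, as an added example that is not part of the post or of Microsoft's API documentation: it walks the candidate fields the post names (AlertEntityId, UserId, Data.f3u, Data.trc), keeps only values that look like a user principal name, skips the alerting service account that UserId carries on every record, and reports which field the value came from so unmatched alert types surface for review. Data.tsd in the field list and the space-defanged addresses in the sample records are assumptions taken from the post's second example.

```python
import json
from typing import Any, Optional, Tuple

# Candidate locations for the acting user, in priority order. The fields come
# from the post above (AlertEntityId, UserId, Data.f3u, Data.trc); Data.tsd is
# an added assumption based on the sender field in the second sample.
USER_FIELDS = (("Data", "f3u"), ("Data", "trc"), ("Data", "tsd"),
               ("AlertEntityId",), ("UserId",))
# UserId is the alerting service itself on these records, not an end user.
SERVICE_ACCOUNTS = {"SecurityComplianceAlerts"}


def _lookup(alert: dict, path: Tuple[str, ...]) -> Any:
    node: Any = alert
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
        # The Management Activity API usually ships Data as a JSON-encoded
        # string; the post's samples embed it as an object, so accept both.
        if key == "Data" and isinstance(node, str):
            try:
                node = json.loads(node)
            except ValueError:
                return None
    return node


def looks_like_upn(value: Any) -> bool:
    return isinstance(value, str) and "@" in value and value not in SERVICE_ACCOUNTS


def extract_user(alert: dict) -> Tuple[Optional[str], Optional[str]]:
    """First UPN-looking candidate and the field it came from, else (None, None)."""
    for path in USER_FIELDS:
        value = _lookup(alert, path)
        if looks_like_upn(value):
            return value, ".".join(path)
    return None, None


# Constructed, trimmed versions of the two alerts quoted in the post.
SAMPLE_EDISCOVERY = {"Operation": "AlertTriggered", "UserId": "SecurityComplianceAlerts",
                     "Data": {"f3u": "test@keyman .com", "op": "eDiscoverySearchStartedOrExported"}}
SAMPLE_CAMPAIGN = {"Operation": "AlertEntityGenerated", "UserId": "SecurityComplianceAlerts",
                   "AlertEntityId": "e23daf0d-d35d-472a-21af-08d9cf9b1333-4534686441061676516-1",
                   "Data": json.dumps({"trc": "test1@keyman .com", "tsd": "test2@keyman .com"})}
```

Calling extract_user on the two samples yields Data.f3u for the eDiscovery alert and Data.trc for the campaign alert; an alert that matches no candidate returns (None, None), which is the case to route to a parser-gap queue rather than silently dropping the user.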