List of fields that hold the user name in Security and Compliance logs

Priyanka Mudunuri 1 Reputation point
2022-03-27T15:16:29.497+00:00

Hello Team

We have integrated O365 Azure General for our customers to monitor the logs through our SIEM solutions. During the monitoring phase of Security and Compliance alerts from Azure General we have come up with a couple of challenges. I have listed the challenges below along with sample examples we collected from our customers. Please look into this and help us with the queries raised.

Issue 1: Each alert from Security and Compliance has a different field capturing the user name involved in the activity. Some alerts have the user name captured in "AlertEntityId", and other alerts have the user name in "f3u", "trc", "UserId", etc. We have to parse the user name value into one of the standard fields in our SIEM solution. Can you please let us know all the possible fields where the user name can be expected in the Security and Compliance alerts?

Here are a few examples where the user name is captured in different fields.

Example 1:
{"CreationTime":"2022-01-07T01:47:39","Id":"cannot be shared","Operation":"AlertTriggered","OrganizationId":"cannot be shared","RecordType":40,"ResultStatus":"Succeeded","UserKey":"SecurityComplianceAlerts","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"cannot be shared","UserId":"SecurityComplianceAlerts","AlertId":"9a65d670-2e44-d35d-0200-08d9d17f988c","AlertLinks":[{"AlertLinkHref":""}],"AlertType":"System","Category":"ThreatManagement","Comments":"New alert","Data":{"f3u":"test@keyman.com","ts":"2022-01-07T01:46:00.0000000Z","te":"2022-01-07T01:47:00.0000000Z","op":"eDiscoverySearchStartedOrExported","wl":"SecurityComplianceCenter","tid":"cannot be shared","tdc":"1","reid":"cannot be shared","rid":"cannot be shared","cid":"cannot be shared","ad":"The alert is triggered when users start content searches or eDiscovery searches or when search results are downloaded or exported -V1.0.0.1","lon":"eDiscoverySearchStartedOrExported","an":"eDiscovery search started or exported","sev":"Informational"},"Name":"eDiscovery search started or exported","PolicyId":"cannot be shared","Severity":"Informational","Source":"Office 365 Security & Compliance","Status":"Active"}

Example 2:
{"CreationTime":"2022-01-07T10:33:01","Id":"Cannot be shared","Operation":"AlertEntityGenerated","OrganizationId":"Cannot be shared","RecordType":40,"ResultStatus":"Succeeded","UserKey":"SecurityComplianceAlerts","UserType":4,"Version":1,"Workload":"SecurityComplianceCenter","ObjectId":"Cannot be shared","UserId":"SecurityComplianceAlerts","AlertEntityId":"e23daf0d-d35d-472a-21af-08d9cf9b1333-4534686441061676516-1","AlertId":"cannot be shared","AlertLinks":[{"AlertLinkHref":""}],"AlertType":"System","Category":"ThreatManagement","Comments":"New alert","Data":{"etype":"MalwareFamily","at":"2022-01-07T10:30:12.2317606Z","md":"2022-01-04T15:58:44.0000000Z","sip":"X.X.X.X","ms":"John, Demo Vonage | Receive a JBL Charge 4 Waterproof Bluetooth Speaker","imsgid":"<0100017e25d05d3d-99c96535-9e78-4fb4-98c0-2e50a900657e-000000@tiedtlaw email .amazonses.com>","ttdt":"2022-01-07T10:30:12.2317606Z","ttr":"Success_MessageQuarantined","dm":"Campaign","eid":"e67adg1s-f89d-173a-13ed-04f8va3a2111-4534686441061676516-1","aii":"g45klj7f-f45u-376e-12fg-9089gr9b1333","thn":"Phish, Malicious","ts":"2022-01-07T10:29:12.2317606Z","te":"2022-01-07T10:31:12.2317606Z","fvs":"Filters","tpt":"HostedContentFilterPolicy","tpid":"d4y2c90c-2fce-4890f-a3e2-3f17896ba6889","tid":"4e123dd-a89c-23d1-9b45-abbab3596529","tht":"Phish, Malicious","trc":"test1@keyman.com","tsd":"test2@keyman.com","tdc":"1","cpid":"CCG8G11D.F1RR4TY.4BE345D4.R0EF7865.200B2","lon":"Protection"},"EntityType":"MalwareFamily","Name":"Email messages from a campaign removed after delivery","PolicyId":"c8522cbb-9368-4t56-4bb9-09d9d888dabc","Severity":"Informational","Source":"Office 365 Security & Compliance","Status":"Active"}


1 answer

Roni RevealSecurity 1 Reputation point
2022-08-08T14:41:49.73+00:00

As far as I can tell from the various 365 accounts I monitor:

Data_f3u is your best bet for most events. It is the only indicator of the actual username I found for the events:
Operation=AlertTriggered
Operation=AlertUpdated

Bear in mind that it depends on the configuration of the alert itself. Sometimes there will be no indication of a specific user, for example when an email is deemed malicious by the compliance center and is deleted without reaching a user mailbox.

For Operation=AlertEntityGenerated, things get interesting. Data_trc indicates the RECEIVER of an email that triggered the alert, while Data_tsd indicates the sender.
In some AlertEntityGenerated events, the actual username is indicated by ObjectId. I assume this applies to default rules offered by 365, like the "creation of forwarding/redirect rule" alert, but I am not sure of it yet.

I would like to hear if you found any useful insights, as I also struggle with these issues.

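The field precedence described in the answer above, applied to records shaped like the two samples in the question, as an added Python example that is not part of the original thread or of any Microsoft code. It assumes the SIEM hands each Management Activity API record to a normalizer as a dict; the field names f3u, trc, tsd and ObjectId come from the thread, the sample records are constructed (placeholders kept, no real tenant data), the handling of "Data" arriving as a JSON-encoded string rather than a nested object is an assumption about how the API can deliver it, and the rule that UserId/UserKey values without an "@" (such as the "SecurityComplianceAlerts" service principal) are never mapped to a user is the example's own choice.

```python
import json

# Constructed sample records, trimmed to the fields that matter here and modelled
# on the two alerts posted in the question (placeholder values kept; not real data).
ALERT_TRIGGERED = {
    "Operation": "AlertTriggered",
    "RecordType": 40,
    "UserKey": "SecurityComplianceAlerts",
    "UserId": "SecurityComplianceAlerts",
    "ObjectId": "cannot be shared",
    "Data": {"f3u": "test@keyman.com", "op": "eDiscoverySearchStartedOrExported"},
}

# Assumption for this example: "Data" may arrive as a JSON-encoded string rather
# than a nested object, so this sample stores it that way to exercise the decoder.
ALERT_ENTITY_GENERATED = {
    "Operation": "AlertEntityGenerated",
    "RecordType": 40,
    "UserKey": "SecurityComplianceAlerts",
    "UserId": "SecurityComplianceAlerts",
    "ObjectId": "cannot be shared",
    "Data": json.dumps({"etype": "MalwareFamily",
                        "trc": "test1@keyman.com", "tsd": "test2@keyman.com"}),
}

# Constructed alert with no user indication at all (e.g. mail removed before delivery).
ALERT_NO_USER = {
    "Operation": "AlertTriggered",
    "RecordType": 40,
    "UserId": "SecurityComplianceAlerts",
    "Data": {"op": "MalwareCampaign"},
}

# Pseudo-users seen in UserId/UserKey of RecordType 40 events; never map these to
# the SIEM's user field.
SERVICE_PRINCIPALS = {"SecurityComplianceAlerts"}


def _data_block(record):
    """Return record['Data'] as a dict, decoding it if it arrived as a string."""
    data = record.get("Data")
    if isinstance(data, str):
        try:
            data = json.loads(data)
        except ValueError:
            return {}
    return data if isinstance(data, dict) else {}


def _is_user(value):
    """Accept only UPN-like strings that are not known service principals."""
    return isinstance(value, str) and "@" in value and value not in SERVICE_PRINCIPALS


def extract_users(record):
    """Map a SecurityComplianceCenter audit record to SIEM user fields.

    Precedence follows the answer: Data.f3u for AlertTriggered/AlertUpdated; for
    AlertEntityGenerated, Data.trc (recipient) and Data.tsd (sender) with ObjectId
    as fallback; UserId/UserKey last, since they usually hold the service
    principal. 'actor' is None when the record names no user.
    """
    data = _data_block(record)
    op = record.get("Operation")
    result = {"actor": None, "actor_field": None, "recipient": None, "sender": None}

    if op == "AlertEntityGenerated":
        result["recipient"] = data.get("trc") if _is_user(data.get("trc")) else None
        result["sender"] = data.get("tsd") if _is_user(data.get("tsd")) else None
        candidates = [("Data.trc", data.get("trc")), ("ObjectId", record.get("ObjectId"))]
    else:  # AlertTriggered, AlertUpdated and anything else: try f3u first
        candidates = [("Data.f3u", data.get("f3u"))]
    candidates += [("UserId", record.get("UserId")), ("UserKey", record.get("UserKey"))]

    for field, value in candidates:
        if _is_user(value):
            result["actor"], result["actor_field"] = value, field
            break
    return result


if __name__ == "__main__":
    for rec in (ALERT_TRIGGERED, ALERT_ENTITY_GENERATED, ALERT_NO_USER):
        print(rec["Operation"], extract_users(rec))
```

Recording `actor_field` alongside the value is deliberate: when Microsoft adds or renames a key, the SIEM can report which records fell through to UserId/UserKey or produced no actor at all, instead of silently attributing alerts to "SecurityComplianceAlerts".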
