Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixing Microsoft 365 multiline JSON logs parsing #316

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

Fixing Microsoft 365 multiline JSON logs parsing #316

wants to merge 2 commits into from
+10 −2

Conversation

BrianMer
Copy link

Hi,

Idk if this pull request can be related to issue #285, but I think I fixed multiline JSON array logs for M365 UAL parsing problem.

Here is a sample (anonymised), if you want to test it by yourself:

[
{
"CreationTime": "2023-05-31T22:52:10",
"Operation": "FileAccessed",
"UserId": "app@sharepoint",
"ClientIP": "1.2.3.4",
"ObjectId": "https://anon.sharepoint.com/sites/folder/anon.aspx",
"EventSource": "SharePoint",
"UserAgent": "ISV|Veeam Software|Veeam Backup for Office 365/5.0",
"SourceFileExtension": "aspx"
},
{
"CreationTime": "2023-05-31T22:52:10",
"Operation": "FileAccessed",
"UserId": "app@sharepoint",
"ClientIP": "1.2.3.4",
"ObjectId": "https://anon.sharepoint.com/sites/folder/anonymous.aspx",
"EventSource": "SharePoint",
"UserAgent": "ISV|Veeam Software|Veeam Backup for Office 365/5.0",
"SourceFileExtension": "aspx"
},
{
"CreationTime": "2023-05-31T21:52:09",
"Operation": "FileAccessed",
"UserId": "app@sharepoint",
"ClientIP": "1.2.3.4",
"ObjectId": "https://anon.sharepoint.com/sites/folder/anony.aspx",
"EventSource": "SharePoint",
"UserAgent": "ISV|Veeam Software|Veeam Backup for Office 365/5.0",
"SourceFileExtension": "aspx"
}
]

Thanks!

@philhagen
Copy link
Owner

thank you! reviewing this in conjunction with some other sample data and the Invictus folks WRT their tool output.

@philhagen
Copy link
Owner

I'm about to send a testing VM to a small group of people for validation. if you are interested, @BrianMer, please send me an email: Phil at lewestech dot com. while I have not yet integrated this PR, it would be done on that branch.

can you share which tool/workflow are you using that generated this JSON in multiline format? so far, I haven't been able to identify a source that does and all UAL test data I've used so far is in "ndjson" format (albeit with a .json extension).

@BrianMer
Copy link
Author

Hi @philhagen, I'm going to send you a mail for testing the VM, thank you for the proposition!

In fact, the sample that I shared with you is a CSV converted into JSON by a homemade Python script, and I didn't know that it was ndjson format ; I didn't have any other sample in the correct "ndjson" format to test with.

But I tested again by converting the CSV into "ndjson" format, and it is still working.

I hope it is still working as well on your side.

@philhagen
Copy link
Owner

I suspect this may be an artifact of how the logs are retrieved. The workflow we've built around is from FOR509, which uses the PowerShell Search-UnifiedAuditLog command. This is used behind the scenes when running the Invictus Microsoft Extractor Suite tool. I'm still testing a few things, but I suspect it's a formatting issue. while it's not parsing for some reason that I'm tracking down now, the entries above would need to be represented like the following in the input file:

{"CreationTime":"2023-05-31T22:52:10","Operation":"FileAccessed","UserId":"app@sharepoint","ClientIP":"1.2.3.4","ObjectId":"https://anon.sharepoint.com/sites/folder/anon.aspx","EventSource":"SharePoint","UserAgent":"ISV|Veeam Software|Veeam Backup for Office 365/5.0","SourceFileExtension":"aspx"}
{"CreationTime":"2023-05-31T22:52:10","Operation":"FileAccessed","UserId":"app@sharepoint","ClientIP":"1.2.3.4","ObjectId":"https://anon.sharepoint.com/sites/folder/anonymous.aspx","EventSource":"SharePoint","UserAgent":"ISV|Veeam Software|Veeam Backup for Office 365/5.0","SourceFileExtension":"aspx"}
{"CreationTime":"2023-05-31T21:52:09","Operation":"FileAccessed","UserId":"app@sharepoint","ClientIP":"1.2.3.4","ObjectId":"https://anon.sharepoint.com/sites/folder/anony.aspx","EventSource":"SharePoint","UserAgent":"ISV|Veeam Software|Veeam Backup for Office 365/5.0","SourceFileExtension":"aspx"}

@BrianMer
Copy link
Author

I retested by copying/pasting exactly what you gave me, and it is working on my side, have a look :
image
image

@philhagen
Copy link
Owner

FWIW, I was able to parse these records when in ndjson form using the pending release of the VM mentioned above. there is currently a blocker (upstream from filebeat) that I have to clear before the testing VM can be released but the parser does generally handle these log entries. We may want to customize those somewhat but that is pretty straightforward and will be part of the testing process that I'll send out with the VM when it's ready.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@BrianMer @philhagen