Azure-Sentinel
Azure-Sentinel copied to clipboard
Azure
Exchange Security Insights On-Premise Parser Does not Pick Up All Data
Describe the bug Hi, the parse for the Exchange Security Insights Online connector misses out valuable fields
To Reproduce Steps to reproduce the behavior:
Go to LAW and open Logs Search the table ESIExchangeConfig_CL View the logs in RawData column, we see that the logs within here are not parsed: ESIExchangeConfig_CL
Example: {"Parentgroup":"Exchange Windows Permissions","Level":1,"ObjectClass":"group","MemberPath":"Exchange Windows Permissions\Exchange Trusted Subsystem","ObjectGuid":"XXXX","Members":[{"SamAccountName":"REDACTED$","SID":"S-1-5-21-1310785037-698004181-1737509496-82221","DistinguishedName":"CN=REDACTED,OU=Member,OU=Server,OU=Company,DC=sys,DC=net","Name":"REDACTED","ObjectClass":"computer","ObjectGuid":"REDACTED","PropertyNames":"distinguishedName name objectClass objectGUID SamAccountName SID","AddedProperties":"","RemovedProperties":"","ModifiedProperties":"","PropertyCount":6,"distinguishedName":"CN=REDACTED,OU=Member,OU=Server,OU=Company,DC=sys,DC=net","name":"WEXCHG005760","objectClass":"computer","objectGUID":"55a37265-06cb-4082-b4ab-cab00f32e568"},{"SamAccountName":"REDACTED$","SID":"S-1-5-21-1310785037-698004181-1737509496-83666","DistinguishedName":"CN=WEXCHG005759,OU=Member,OU=Server,OU=Company,DC=sys,DC=net","Name":"REDACTED","ObjectClass":"computer","ObjectGuid":"cfb3b172-0d60-4879-b655-0658490a694f","PropertyNames":"distinguishedName name objectClass objectGUID SamAccountName SID","AddedProperties":"","RemovedProperties":"","ModifiedProperties":"","PropertyCount":6,"distinguishedName":"CN=REDACTED,OU=Member,OU=Server,OU=Company,DC=sys,DC=net","name":"WEXCHG005759","objectClass":"computer","objectGUID":"cfb3b172-0d60-4879-b655-0658490a694f"}],"LastLogon":null,"LastPwdSet":null,"Enabled":null,"HasMbx":null,"SamAccountName":null,"CanonicalName":null,"UserPrincipalName":null,"DN":"CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=sys,DC=net","LastLogonString":null,"LastPwdSetString":null}
I have already sent an export that you can analyse the raw data from to parse what is not already parsed.
Expected behavior All data in the RAW data column should be correctly parsed and presented as a column in the log results.
Hi @NickNicolaou2129 , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 28Feb2024. Thanks!
Hi @NickNicolaou2129, We are still checking on this issue, once it gets done will update you. Thanks!
Hi @NickNicolaou2129 , The following is the status
- Initial analysis done
- Data ingestion completed
- Parser changes completed
- Working on testing will update you
Hi @NickNicolaou2129 ,Still need some more time for testing the parser with initial data
Hi @v-muuppugund , any news?
Hi @NickNicolaou2129 ,Working on testing,Will update you
Hi @v-muuppugund , any news?
Hi @NickNicolaou2129 ,Working on testing,Will update you
Hi @NickNicolaou2129 ,will share the parser in a day or 2 days
Hi @NickNicolaou2129 ,As disucssed yesterday, tested the parser and changes,working on PR,will update you
Hi @NickNicolaou2129, we have raised the PR with the enhancements. The changes will be reflected once the PR is merged. PR link - #10020
Thank you for your cooperation.
Hi @NickNicolaou2129, we have raised the PR with the enhancements. The changes will be reflected once the PR is merged. PR link - #10020
Thank you for your cooperation.