Azure-Sentinel icon indicating copy to clipboard operation
Azure-Sentinel copied to clipboard

Published 20 hours ago verified publisher icon Azure

Exchange Security Insights Online Parser Does not Pick Up All Data

Open NickNicolaou2129 opened this issue 1 year ago • 4 comments

Describe the bug Hi, the parse for the Exchange Security Insights Online connector misses out valuable fields

To Reproduce Steps to reproduce the behavior:

  1. Go to LAW and open Logs
  2. Search the table ESIExchangeOnlineConfig_CL
  3. View the logs in RawData column, we see that the logs within here are not parsed: ESIExchangeOnlineConfig_CL

Example: {"RoleGroup":"TenantAdmins_af308","Identity":"VALUE","DisplayName":"Surname Name (VALUE)","RecipientType":"UserMailbox","WhenCreated":"/Date(1591385292000)/","WhenChanged":"/Date(1708331006000)/"}

I have already sent an export that you can analyse the raw data from to parse what is not already parsed.

Expected behavior All data in the RAW data column should be correctly parsed and presented as a column in the log results.

NickNicolaou2129 avatar Feb 20 '24 09:02 NickNicolaou2129

Hi @NickNicolaou2129 , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 27Feb2024. Thanks!

v-muuppugund avatar Feb 20 '24 10:02 v-muuppugund

Hi @NickNicolaou2129 ,Working on data ingestion ,will post frequent updates over teams the status and will update you

v-muuppugund avatar Feb 28 '24 01:02 v-muuppugund

Hi @NickNicolaou2129 ,The following is the status

  • Completed initial analysis
  • Data ingestion completed
  • Working on changes
  • Once done will post updates

v-muuppugund avatar Mar 12 '24 02:03 v-muuppugund

Hi @NickNicolaou2129 ,The following is the status,will update you

  • Completed the changes
  • Working on testing

v-muuppugund avatar Mar 15 '24 04:03 v-muuppugund

Hi @v-muuppugund , any news?

NickNicolaou2129 avatar Mar 28 '24 10:03 NickNicolaou2129

Hi @NickNicolaou2129 ,Still need some more time for testing,will post updates by next week

v-muuppugund avatar Mar 28 '24 11:03 v-muuppugund

Hi @NickNicolaou2129 ,Will be sharing parser today eod ,we can have a call for the discussion

v-muuppugund avatar Apr 05 '24 04:04 v-muuppugund

Hi @NickNicolaou2129 ,Will be sharing parser today eod ,we can have a call for the discussion

Hi @NickNicolaou2129 ,Shared the parser over an email and let me know if you have any issues.

v-muuppugund avatar Apr 06 '24 14:04 v-muuppugund

Hi @NickNicolaou2129 ,As discussed yesterday,,working on PR for these changes,will update you

v-muuppugund avatar Apr 11 '24 23:04 v-muuppugund

Hi @NickNicolaou2129, we have raised the PR with the enhancements. The changes will be reflected once the PR is merged. PR link - https://github.com/Azure/Azure-Sentinel/issues/10020

Thank you for your cooperation.

v-muuppugund avatar Apr 15 '24 11:04 v-muuppugund