M365 UAL JSON Logs Not Parsed

[joshlemon]

The M365 UAL JSON output from this tool (https://github.com/invictus-ir/Microsoft-Extractor-Suite) is not parsed correctly by the M365 parser in SOF-ELK.

FYI @invictus-ir @Pierre450

I'll also try to take a look at this and see if I can find out why it's not work too.

[nightly-nessie]

Hi Josh, you may take a look at #264 , not sure if the fix would cover the changes (if any) happened over time

[Pierre450]

The parser works in VM v20230529 but I confirmed that it's broken in v20230623. Phil is aware and will look at it when he has time.

[joshlemon]

The TCERT log collected works (although you have ti fix all the library dependencies), just not the Microsoft-Extractor-Suite

[marcottedan]

The https://github.com/invictus-ir/Microsoft-Extractor-Suite generates UTF-16 encoded json files. This can be the problem.

[philhagen]

@joshlemon can you please send me a sample for this? I now have cycles to get this figured out. DM is fine of course.

[philhagen]

I've tested the parser on feature/ecs on a bunch of private sample data from @invictus-ir and with the usual exceptions of a very small number of inconsistent fields/data types, all seems to be working now. There was no BOM on the source data Korstiaan provided, so I am hopeful that possible edge case has been addressed upstream. I'm moving this one to "awaiting-validation" and it should see release (and issue close) with the next version

[philhagen]

I'm about to send a VM configured for testing this update and a TON of other changes to a small group. @marcottedan if you are interested in giving it a try, please send me an email: Phil at lewestech dot com.