Hello folks,

 

I’m a newbie and almost know nothing about coding 😓

I was playing with the Parser Extension and bummer, none of it is working 🤢

Can anyone here shed some light and write me a working Parser Extension based on the “Office 365” prebuilt parser with the sample RAW log below?

My objective is to map the "AttachmentDetails", which includes Labels, Name and Size, to the additional fields or any relevant fields that fit:

 

{
  "CreationTime": "2025-01-30T13:44:55",
  "ExchangeMetaData": {
    "AttachmentDetails": [
      {
        "Labels": [
          "aaaaaaa-bbbb-ccc-dddd-eeeeeeeeeeee"
        ],
        "Name": "TestFile1.xlsx",
        "Size": 45682
      },
      {
        "Labels": [],
        "Name": "Burger.pdf",
        "Size": 555555
      },
      {
        "Labels": [],
        "Name": "picture.jpg",
        "Size": 120456
      },
      {
        "Labels": [
          "aaaaaaa-bbbb-ccc-dddd-eeeeeeeeeeee"
        ],
        "Name": "List.csv",
        "Size": 12345
      }
    ],
    "BCC": [],
    "CC": [],
    "FileSize": 200000,
    "From": "ABC@sample.com",
    "IsViewableByExternalUsers": true,
    "MessageID": "\u007bABCDEFG1234567@ABCDEFG.GBRP512.PROD.OUTLOOK.COM\u007a",
    "RecipientCount": 1,
    "SensitivityLabelIds": [
      "1234567-1234-1234-1234-123456789aaa",
      "aaaaaaa-bbbb-ccc-dddd-eeeeeeeeeeee"
    ],
    "SensitivityLabelNames": [
      "Galaxy Movie",
      "Shared"
    ],
    "Sent": "2025-01-30T13:44:00",
    "Subject": "Test Email",
    "To": [
      "DEF@test.com"
    ],
    "UniqueID": "7654321-1234-1234-1234-123456789aaa"
  },
  "Id": "abcdefg-1234-1234-1234-123456789aaa",
  "IncidentId": "gfedcba-1234-1234-1234-123456789aaa",
  "ObjectId": "\u007bABCDEFG1234567@ABCDEFG.GBRP512.PROD.OUTLOOK.COM\u007a",
  "Operation": "MipLabel",
  "OrganizationId": "zzzzzzzz-1234-1234-1234-123456789aaa",
  "PolicyDetails": [
    {
      "PolicyId": "00000000-0000-0000-0000-000000000000",
      "Rules": [
        {
          "Actions": [],
          "ConditionsMatched": {
            "ConditionMatchedInNewScheme": true,
            "OtherConditions": [
              {
                "Name": "SensitivityLabels",
                "Value": "Internal"
              }
            ]
          },
          "RuleId": "1234567-1234-1234-1234-123456789aaa",
          "RuleMode": "Enable",
          "RuleName": "Galaxy Movie",
          "Severity": "Low"
        }
      ]
    }
  ],
  "RecordType": 13,
  "SensitiveInfoDetectionIsIncluded": false,
  "UserId": "ABC@sample.com",
  "UserKey": "keyskeys-1234-1234-1234-123456789aaa",
  "UserType": 0,
  "Version": 1,
  "Workload": "Exchange"
}


Hi,

Since 365 logs are in JSON format, I recommend trying a simpler method.
Under SIEM Settings, navigate to Parsers and search for 365 as the log type.
Then, please choose "Extended Parser" → "Extract Additional Fields".
 


It will open a window where you can select the field you want to extract directly from the GUI.
Choose your field (AttachmentDetails) and click Save.



Thanks for the reply. I have tried the "Extract Additional Fields", but we have upcoming new unmapped RAW log fields that need to be mapped soon.

 

Sadly, the Extract features only support up to 5 repeated fields 😣

 

And also, I have tried the “Extension Method > Map data fields” instead of “Write code snippet”, but I can’t seem to find a suitable repeated integer field for the “Size”. The “Name” can be mapped as a repeated string without error, though with the “Labels” missing.

 

Hopefully you can help me on the snippet side 😃
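The mapping this thread is after, written out as an added example in Python rather than in the SecOps parser-extension syntax (illustration code, not from the thread or the product): it flattens every AttachmentDetails entry of the posted sample into flat key/value additional fields, keeping a key for empty Labels and placing no fixed limit on the number of attachments. The attachment.N.* key names and the reduced sample record are assumptions constructed for the example.

```python
import json

# Constructed sample: the AttachmentDetails part of the MipLabel record posted in the
# thread, with the same names, sizes and label ids (other fields omitted for brevity).
SAMPLE_RAW = json.dumps({
    "ExchangeMetaData": {
        "AttachmentDetails": [
            {"Labels": ["aaaaaaa-bbbb-ccc-dddd-eeeeeeeeeeee"], "Name": "TestFile1.xlsx", "Size": 45682},
            {"Labels": [], "Name": "Burger.pdf", "Size": 555555},
            {"Labels": [], "Name": "picture.jpg", "Size": 120456},
            {"Labels": ["aaaaaaa-bbbb-ccc-dddd-eeeeeeeeeeee"], "Name": "List.csv", "Size": 12345},
        ],
        "Subject": "Test Email",
    },
    "Operation": "MipLabel",
    "Workload": "Exchange",
})


def attachment_fields(raw: str) -> dict:
    """Flatten ExchangeMetaData.AttachmentDetails into flat key/value additional fields.

    Key names (attachment.N.name / .size / .labels) are a hypothetical convention.
    The loop has no upper bound, so it is not limited to five attachments; an empty
    Labels list still produces its key (with an empty string); and Size is emitted as
    a string because the thread found no repeated integer target field for it.
    """
    event = json.loads(raw)
    attachments = event.get("ExchangeMetaData", {}).get("AttachmentDetails") or []
    fields = {"attachment.count": str(len(attachments))}
    for n, att in enumerate(attachments, start=1):
        labels = att.get("Labels") or []
        if isinstance(labels, str):  # tolerate a single label delivered as a bare string
            labels = [labels]
        fields[f"attachment.{n}.name"] = str(att.get("Name", ""))
        fields[f"attachment.{n}.size"] = str(att.get("Size", ""))
        # Join multiple label ids with a comma so one key carries all of them.
        fields[f"attachment.{n}.labels"] = ",".join(str(label) for label in labels)
    return fields


if __name__ == "__main__":
    for key, value in attachment_fields(SAMPLE_RAW).items():
        print(f"{key} = {value!r}")
```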
