Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Microsoft 365] Pipeline failure resulting in incorrect root-level fields #9920

Open
jvalente-salemstate opened this issue May 20, 2024 · 1 comment
Open

[Microsoft 365] Pipeline failure resulting in incorrect root-level fields #9920

jvalente-salemstate opened this issue May 20, 2024 · 1 comment
Labels
bug Something isn't working Integration:o365 Team:Security-Service Integrations Security Service Integrations Team

Comments

@jvalente-salemstate
Copy link

jvalente-salemstate commented May 20, 2024
edited

This looks like it was introduced in v2.0.0 or v2.1.0 as this only began showing in mid January. See #8571 and #8803 for the changes in the specific PR.

Almost entirely, this occurs to o365.audit.record.type: 64, for Automated Investigation & Response (AIR) events. When the pipeline fails, it does not continue to rename fields nested under o365audit to o365.audit and these events will not match under any queries for those fields.

Many events do end up parsing correctly, but I've got roundly 9200 since January 22nd with an error.message that initially contained:

Duplicate field 'QueryTime' at [Source: (org.elasticsearch.common.io.stream.ByteBufferStreamInput); line: x, column: y]

At some point after, this became:

//Duplicate field 'QueryTime' at [Source (String)"
{
  "Version": "3.0",
  "VendorName": "Microsoft",
  "ProviderName": "OATP",
  "AlertType": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88",
  "StartTimeUtc": "2024-05-18T18:48:51.2937397Z",
  "EndTimeUtc": "2024-05-18T18:48:51.2937397Z",
  "TimeGenerated": "2024-05-18T18:51:31.44Z",
"ProcessingEndTime": "2024-05-18T19:18:50.6990119Z",
"Status": "Resolved",
  "DetectionTechnology": "UrlReputation",
"Severity":"Informational",
"ConfidenceLevel":"Unknown",
"ConfidenceScore":1.0,
"IsIncident":false,
"ProviderAlertId":"01234567-ab10-1337-b000-abcd..."

// [truncated 10638 chars]; line: 1, column: 4841]

Formatting edited for readability

The AIR events contain an array of entities related to an alert. An alert might have multiple instances of one entity type and it seems like most,if not all of these, are when the alert has more than one mail cluster that may be sender+IP+subject, sender+attachments, etc (with the ID being analogous for the fingerprint processor in elastic, based on those values). Since something like QueryTime has exists in each, the above error is thrown.

Sample data:

{
  "Version": "3.0",
  "VendorName": "Microsoft",
  "ProviderName": "OATP",
  "AlertType": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88",
  "StartTimeUtc": "2024-05-18T18:19:54.5065341Z",
  "EndTimeUtc": "2024-05-18T18:19:54.5065341Z",
  "TimeGenerated": "2024-05-18T18:23:38.33Z",
  "ProcessingEndTime": "2024-05-18T18:30:52.6561751Z",
  "Status": "InProgress",
  "DetectionTechnology": "UrlReputation",
  "Severity": "Informational",
  "ConfidenceLevel": "Unknown",
  "ConfidenceScore": 1,
  "IsIncident": false,
  "ProviderAlertId": "u",
  "SystemAlertId": null,
  "CorrelationKey": "x",
  "Investigations": [
    {
      "$id": "1",
      "Id": "urn:ZappedUrlInvestigation:x",
      "InvestigationStatus": "Running"
    }
  ],
  "InvestigationIds": [
    "urn:ZappedUrlInvestigation:x"
  ],
  "Intent": "Probing",
  "ResourceIdentifiers": [
    {
      "$id": "2",
      "AadTenantId": "x",
      "Type": "AAD"
    }
  ],
  "AzureResourceId": null,
  "WorkspaceId": null,
  "WorkspaceSubscriptionId": null,
  "WorkspaceResourceGroup": null,
  "AgentId": null,
  "AlertDisplayName": "Email messages containing malicious URL removed after delivery​",
  "Description": "Emails with malicious URL that were delivered and later removed -V1.0.0.3",
  "ExtendedLinks": [
    {
      "Href": "https://security.microsoft.com/alerts/x",
      "Category": null,
      "Label": "alert",
      "Type": "webLink"
    }
  ],
  "Metadata": {
    "CustomApps": null,
    "GenericInfo": null
  },
  "Entities": [
    {
      "$id": "3",
      "Recipient": "x,
      "Urls": [
        "a",
        "a",
        "c",
        "d"
      ],
      "Threats": [
        "ZapPhish",
        "Spam",
        "HighConfPhish"
      ],
      "Sender": "y",
      "P1Sender": "x",
      "P1SenderDomain": "nx",
      "SenderIP": "x.x.x.6",
      "P2Sender": "",
      "P2SenderDisplayName": "blood pressure solution",
      "P2SenderDomain": "m",
      "ReceivedDate": "2024-05-17T16:16:53",
      "NetworkMessageId": "l",
      "InternetMessageId": "ol",
      "Subject": "External: 1 food that kills high blood pressure",
      "AntispamDirection": "Inbound",
      "DeliveryAction": "DeliveredAsSpam",
      "ThreatDetectionMethods": [
        "URLList"
      ],
      "Language": "en",
      "DeliveryLocation": "JunkFolder",
      "OriginalDeliveryLocation": "JunkFolder",
      "AdditionalActionsAndResults": [
        "OriginalDelivery: [N/A]"
      ],
      "AuthDetails": [
        {
          "Name": "SPF",
          "Value": "Pass"
        },
        {
          "Name": "DKIM",
          "Value": "Pass"
        },
        {
          "Name": "DMARC",
          "Value": "Pass"
        },
        {
          "Name": "Comp Auth",
          "Value": "pass"
        }
      ],
      "SystemOverrides": [],
      "Type": "mailMessage",
      "Urn": "urn:MailEntity:l",
      "Source": "OATP",
      "FirstSeen": "2024-05-18T18:25:40"
    },
    {
      "$id": "5",
      "MailboxPrimaryAddress": "ou",
      "Upn": "ou",
      "AadId": "7",
      "RiskLevel": "None",
      "Type": "mailbox",
      "Urn": "urn:UserEntity:l",
      "Source": "OATP",
      "FirstSeen": "2024-05-18T18:25:40"
    },
    {
      "$id": "7",
      "NetworkMessageIds": [
        "9a",
        "aa"
      ],
  // snip
      "Query": "( ((NormalizedUrl:\"l\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))",
      "QueryTime": "5/18/2024 6:28:51 PM",
      "MailCount": 13,
      "IsVolumeAnamoly": false,
      "ClusterSourceIdentifier": "l",
      "ClusterSourceType": "UrlThreatIndicator",
      "ClusterQueryStartTime": "2024-04-28T00:00:00Z",
      "ClusterQueryEndTime": "2024-05-18T18:28:51.0798219Z",
      "ClusterGroup": "UrlThreatIdentifier",
      "Type": "mailCluster",
      "ClusterBy": "NormalizedUrl;ContentType",
      "ClusterByValue": "l;1",
      "QueryStartTime": "4/28/2024 12:00:00 AM",
      "Urn": "urn:MailClusterEntity:y",
      "Source": "OATP",
      "FirstSeen": "2024-05-18T18:28:53"
    },
    {
      "$id": "8",
      "NetworkMessageIds": [
        "l",
        "z"
      ],
    // snip
      "Query": "( (( (BodyFingerprintBin1:\"31545xxxxx\") ) AND ( (P2SenderDomain:\"l\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))",
      "QueryTime": "5/18/2024 6:28:55 PM",
      "MailCount": 7,
      "IsVolumeAnamoly": false,
      "ClusterSourceIdentifier": "",
      "ClusterSourceType": "Similarity",
      "ClusterQueryStartTime": "2024-04-28T00:00:00Z",
      "ClusterQueryEndTime": "2024-05-18T18:28:55.1110657Z",
      "ClusterGroup": "BodyFingerprintBin1,P2SenderDomain",
      "Type": "mailCluster",
      "ClusterBy": "BodyFingerprintBin1;P2SenderDomain;ContentType",
      "ClusterByValue": "l;l;1",
      "QueryStartTime": "4/28/2024 12:00:00 AM",
      "Urn": "urn:MailClusterEntity:l",
      "Source": "OATP",
      "FirstSeen": "2024-05-18T18:29:00"
    },
    {
      "$id": "12",
      "NetworkMessageIds": [
        "l3",
        "al"
      ],
      // snip
      "Query": "( ((NormalizedUrl:\"hl\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))",
      "QueryTime": "5/18/2024 6:29:02 PM",
      "MailCount": 13,
      "IsVolumeAnamoly": false,
      "ClusterSourceIdentifier": "l",
      "ClusterSourceType": "UrlThreatIndicator",
      "ClusterQueryStartTime": "2024-04-28T00:00:00Z",
      "ClusterQueryEndTime": "2024-05-18T18:29:02.3454248Z",
      "ClusterGroup": "UrlThreatIdentifier",
      "Type": "mailCluster",
      "ClusterBy": "NormalizedUrl;ContentType",
      "ClusterByValue": "l;1",
      "QueryStartTime": "4/28/2024 12:00:00 AM",
      "Urn": "urn:MailClusterEntity:l",
      "Source": "OATP",
      "FirstSeen": "2024-05-18T18:29:05"
    }
  ],
  "LogCreationTime": "2024-05-18T18:30:52.6561751Z",
  "MachineName": "x",
  "SourceTemplateType": "Threat_Single",
  "Category": "ThreatManagement",
  "SourceAlertType": "System"
}
@jamiehynds jamiehynds added the Team:Security-Service Integrations Security Service Integrations Team label May 24, 2024
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@jamiehynds jamiehynds added Integration:o365 bug Something isn't working labels May 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Integration:o365 Team:Security-Service Integrations Security Service Integrations Team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@elasticmachine @jamiehynds @jvalente-salemstate