Office_365 Modeling Rule modifications - CRTX-141236 (#37326)
* Modified modeling rule based on xsup

* Modified field xdm.email.recipients in both msft_o365_exchange_online_raw and msft_o365_general_raw

* Removed ResultStatus field from xdm.observer.action and improved the logic of xdm.event.outcome

* removed xdm.target.resource.id = formid from msft_o365_exchange_online_raw mapping

* Added release notes

* Modified release note

* Update Packs/Office365/ReleaseNotes/1_0_7.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/Office365/ReleaseNotes/1_0_7.md

Co-authored-by: ShirleyDenkberg <[email protected]>

---------

Co-authored-by: ShirleyDenkberg <[email protected]>
yasta5 and ShirleyDenkberg authored Nov 25, 2024
1 parent 6ad9198 commit 25b2ada
Showing 3 changed files with 11 additions and 6 deletions.
9 changes: 4 additions & 5 deletions Packs/Office365/ModelingRules/Office365/Office365.xif
@@ -47,7 +47,7 @@ call o365_common_fields
xdm.target.resource.name = coalesce(formname, objectid_clean),
xdm.source.host.device_id = EntityId,
xdm.email.sender = p2sender,
xdm.email.recipients = coalesce(arraycreate(targetuserid), arraycreate(ReleaseTo), arraycreate(recipients)),
xdm.email.recipients = if(arraystring(arraycreate(targetuserid), ", ") != "", arraycreate(targetuserid), arraystring(arraycreate(ReleaseTo), ", ") != "", arraycreate(ReleaseTo), arraycreate(recipients)),
xdm.source.user.username = coalesce(username, members_displayname),
xdm.source.user.upn = coalesce(members_upn, actoruserid, UserId),
xdm.source.user.user_type = if(user_type_string ~= "0|1|2|3", XDM_CONST.USER_TYPE_REGULAR, user_type_string ~= "4|5|6|7|8", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
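Review bot: in the new `xdm.email.recipients` line, emptiness is tested with `arraystring(arraycreate(targetuserid), ", ") != ""`, which unlike the old `coalesce` also skips an empty-string `targetuserid`/`ReleaseTo`; please confirm that `arraystring` over a single null element returns `""` rather than null, because if the comparison evaluates to null the branch is not taken and the expression falls through to `arraycreate(recipients)`, which still yields a one-element array holding null when all three fields are absent. A short comment naming the xsup case that motivated replacing `coalesce` would help the next maintainer.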
@@ -67,9 +67,9 @@ call o365_common_fields
xdm.email.message_id = coalesce(NetworkMessageId, to_string(messageid), internetmessageid),
xdm.target.file.file_type = FileType,
xdm.target.file.sha256 = `sha256`,
xdm.event.outcome = if(EnforcementMode = 1, XDM_CONST.OUTCOME_UNKNOWN, to_string(EnforcementMode) ~= "2|3", XDM_CONST.OUTCOME_PARTIAL, EnforcementMode = 4, XDM_CONST.OUTCOME_FAILED, EnforcementMode = 5, XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "Succeeded", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "PartiallySucceeded", XDM_CONST.OUTCOME_PARTIAL, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, ResultStatus ~= "[Tt]rue", XDM_CONST.OUTCOME_SUCCESS, ResultStatus ~= "[Ff]alse", XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome = if(EnforcementMode = 1, XDM_CONST.OUTCOME_UNKNOWN, to_string(EnforcementMode) ~= "2|3", XDM_CONST.OUTCOME_PARTIAL, EnforcementMode = 4, XDM_CONST.OUTCOME_FAILED, EnforcementMode = 5, XDM_CONST.OUTCOME_SUCCESS, lowercase(ResultStatus) = "partiallysucceeded", XDM_CONST.OUTCOME_PARTIAL, lowercase(ResultStatus) ~= "succe", XDM_CONST.OUTCOME_SUCCESS, ResultStatus = "Failed", XDM_CONST.OUTCOME_FAILED, lowercase(ResultStatus) = "true", XDM_CONST.OUTCOME_SUCCESS, lowercase(ResultStatus) = "false", XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = coalesce(Reason, translate_EnforcementMode, ResultStatus),
xdm.observer.action = coalesce(to_string(actions), Status, translate_EnforcementMode, ResultStatus),
xdm.observer.action = coalesce(to_string(actions), Status, translate_EnforcementMode),
xdm.network.rule = Name,
xdm.source.host.hostname = coalesce(entityname, DeviceName),
xdm.alert.severity = Severity,
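Review bot: the `xdm.event.outcome` rewrite mixes case handling: `lowercase(ResultStatus) = "partiallysucceeded"`, `= "true"` and `= "false"` are case-insensitive, but `ResultStatus = "Failed"` remains an exact, case-sensitive match; for consistency use `lowercase(ResultStatus) = "failed"`. The substring pattern `lowercase(ResultStatus) ~= "succe"` is also broader than the old exact `"Succeeded"`: it depends on the preceding `partiallysucceeded` branch to catch partial results, and any other value containing that fragment (a hypothetical `Unsuccessful`, for instance) would be mapped to OUTCOME_SUCCESS; anchoring the pattern (`~= "^succe"`) keeps the intent while closing that gap. Note too that `xdm.event.outcome_reason` still coalesces `ResultStatus` while it was dropped from `xdm.observer.action`; that looks intentional given the commit message, but a one-line comment would make it explicit.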
@@ -123,7 +123,6 @@ call o365_common_fields
xdm.source.user.identifier = coalesce(LogonUserSid, UserKey),
xdm.source.user.username = LogonUserDisplayName,
xdm.intermediate.host.hostname = OriginatingServer,
xdm.target.resource.id = formid,
xdm.observer.type = Workload,
xdm.source.ipv4 = check_src_ipv4,
xdm.source.ipv6 = check_src_ipv6,
@@ -134,7 +133,7 @@ call o365_common_fields
xdm.email.subject = coalesce(replex(Item -> Subject, "\"", ""), replex(ExchangeMetaData -> Subject, "\"", "")),
xdm.source.process.name = arraystring(regextract(ClientProcessName, "^(\S+)\.\S+"), ""),
xdm.email.sender = coalesce(ExchangeMetaData -> From, sender),
xdm.email.recipients = coalesce(arraymap(ExchangeMetaData -> To[], replex("@element", "\"", "")), arraycreate(receivers)),
xdm.email.recipients = if(arraystring(arraycreate(receivers), ", ") != "", arraycreate(receivers), arraymap(ExchangeMetaData -> To[], replex("@element", "\"", ""))),
xdm.email.cc = arraymap(ExchangeMetaData -> CC[], replex("@element", "\"", "")),
xdm.email.bcc = arraymap(ExchangeMetaData -> BCC[], replex("@element", "\"", "")),
xdm.email.origination_timestamp = parse_timestamp( "%Y-%m-%dT%H:%M:%S", ExchangeMetaData -> Sent),
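Review bot: besides switching from `coalesce` to the `arraystring(arraycreate(receivers), ", ") != ""` emptiness test, this line reverses precedence: the old expression preferred the quote-stripped `ExchangeMetaData -> To[]` list and fell back to `receivers`, the new one prefers `receivers` and only uses `To[]` when `receivers` is empty. If that is deliberate, the release note should say so, since events carrying both fields will now populate `xdm.email.recipients` differently; also note that `receivers` is not passed through `replex(..., "\"", "")` the way the `To[]` branch is, so stray quotes in that field would survive.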
6 changes: 6 additions & 0 deletions Packs/Office365/ReleaseNotes/1_0_7.md
@@ -0,0 +1,6 @@
#### Modeling Rules
##### Office 365 Modeling Rule
Improved implementation of Modeling Rule for the following fields:
- *xdm.email.recipients*
- *xdm.observer.action*
- *xdm.event.outcome*
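Review bot: the release note lists only the three improved fields, but the same commit also removes the `xdm.target.resource.id = formid` mapping from the Exchange Online mapping and changes the precedence of `xdm.email.recipients` in favour of `receivers`; both are user-visible changes for any XQL query or correlation that keys on those fields and should be called out here, for example with an extra line under the same heading: `- Removed the *xdm.target.resource.id* mapping for Exchange Online events.`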
2 changes: 1 addition & 1 deletion Packs/Office365/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Office 365",
"description": "The product family of productivity and collaboration cloud based softwares owned by Microsoft.",
"support": "xsoar",
"currentVersion": "1.0.6",
"currentVersion": "1.0.7",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",

0 comments on commit 25b2ada