Change log for OFFICE_365
| Date | Changes |
|---|---|
| 2026-04-07 | - Updated the field mapping for the Office 365 parser. For the configuration details, along with the list of mappings that were changed in comparison to the existing default parser, see the parser documentation page: https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/office-365#udm_mapping_delta. |
| 2026-03-18 | Updated the following mappings for the operation `MailItemsAccessed` to ensure accurate mapping: - additional.fields: Removed mapping of `Folders.FolderItems.Subject` from `additional.fields` UDM field. - network.email.subject: Newly mapped `Folders.FolderItems.Subject` raw log field with `network.email.subject` UDM field. |
| 2026-03-12 | - additional.fields: Newly mapped `Workload` raw log field with the `additional.fields` UDM field if the `Operation` raw log field has the value `CopilotInteraction`. |
| 2026-01-22 | - additional.fields: Newly mapped key-value pairs from the `Data` raw log field with the `additional.fields` UDM field for the operations `AlertEntityGenerated`, `AlertTriggered`, and `AlertUpdated`. |
| 2026-01-12 | - Added support for multiple new fields as part of the Office 365 parser update. |
| 2025-12-26 | - security_result.detection_fields[sensitive_info_detection_is_included]: Newly mapped `SensitiveInfoDetectionIsIncluded` raw log field with `security_result.detection_fields[sensitive_info_detection_is_included]` UDM field. |
| 2025-12-16 | Implemented a conditional multi-strategy grok approach to parse `ActorInfoString`: - Case 1: Extracts content from `ActorInfoString` using the grok pattern `UserAgent=(?`. - network.http.user_agent: Removed mapping of `ClientInfoString` from `network.http.user_agent` UDM field and mapped the `temp_agent` user agent value extracted by the above grok pattern. - If `temp_agent` contains "NoUserAgent", the parser re-parses `ActorInfoString` to find an agent between the last semicolon and `[AppId=` using `Client=.*;(?`. - network.http.user_agent: Removed mapping of `ClientInfoString` from `network.http.user_agent` UDM field and mapped the `agent` user agent value extracted by the above grok pattern instead. If that grok pattern also fails, the user agent is treated as empty. - network.http.user_agent: Removed mapping of `ClientInfoString` from `network.http.user_agent` UDM field. - Case 2: If `ActorInfoString` contains `Client=`, extract the agent between the last semicolon and `[AppId=` using `Client=.*;(?`. - network.http.user_agent: Removed mapping of `ClientInfoString` from `network.http.user_agent` UDM field and mapped the `temp_agent` user agent value extracted by the above grok pattern instead. - Case 3: If the above cases fail, map the entire `ActorInfoString`. - network.http.user_agent: Removed mapping of `ClientInfoString` from `network.http.user_agent` UDM field and mapped `ActorInfoString` instead. |
| 2025-12-09 | Updated the following field mappings in the parser because the product's documentation has been updated. - additional.fields[FileData_DocumentId]: Removed mapping of `FileData.DocumentId` from `additional.fields[FileData_DocumentId]` UDM field. - target.resource.product_object_id: Mapped `FileData.DocumentId` raw log field with `target.resource.product_object_id` UDM field. - additional.fields[FileData_FileName]: Removed mapping of `FileData.FileName` from `additional.fields[FileData_FileName]` UDM field. - target.file.full_path: Mapped `FileData.FileName` raw log field with `target.file.full_path` UDM field. - additional.fields[FileData_FilePath]: Removed mapping of `FileData.FilePath` from `additional.fields[FileData_FilePath]` UDM field. - target.url: Mapped `FileData.FilePath` raw log field with `target.url` UDM field. - additional.fields[FileData_FileSize]: Removed mapping of `FileData.FileSize` from `additional.fields[FileData_FileSize]` UDM field. - target.file.size: Mapped `FileData.FileSize` raw log field with `target.file.size` UDM field. - additional.fields[FileData_FileVerdict]: Removed mapping of `FileData.FileVerdict` from `additional.fields[FileData_FileVerdict]` UDM field. - security_result.detection_fields[file_verdict]: Mapped `FileData.FileVerdict` raw log field with `security_result.detection_fields[file_verdict]` UDM field. - security_result.category: Newly mapped the value `SOFTWARE_MALICIOUS` with `security_result.category` UDM field if the `FileData.FileVerdict` raw log field is not empty. - additional.fields[FileData_MalwareFamily]: Removed mapping of `FileData.MalwareFamily` from `additional.fields[FileData_MalwareFamily]` UDM field. - security_result.threat_name: Mapped `FileData.MalwareFamily` raw log field with `security_result.threat_name` UDM field. - additional.fields[FileData_SHA256]: Removed mapping of `FileData.SHA256` from `additional.fields[FileData_SHA256]` UDM field. - target.file.sha256: Mapped `FileData.SHA256` raw log field with `target.file.sha256` UDM field. - target.resource.attribute.labels[last_modified_date]: Removed mapping of `LastModifiedBy` from `target.resource.attribute.labels[last_modified_date]` UDM field. - target.resource.attribute.labels[last_modified_by]: Mapped `LastModifiedBy` raw log field with `target.resource.attribute.labels[last_modified_by]` UDM field. - `Set-TransportRule`: Added support for the operation `Set-TransportRule` and its corresponding raw log fields. - `AtpDetection`: Added support for the operation `AtpDetection` and its corresponding raw log fields. - principal.resource.attribute.labels[external_access]: Newly mapped `ExternalAccess` raw log field with `principal.resource.attribute.labels[external_access]` UDM field for the operation `New-InboxRule`. - security_result.rule_name: Newly mapped `Parameters.Name` raw log field with `security_result.rule_name` UDM field for the operation `New-InboxRule`. - additional.fields: Newly mapped key-value pairs from the `Parameters` raw log field with the `additional.fields` UDM field for the operation `New-InboxRule`. - security_result.action: Newly mapped the value `ALLOW` with `security_result.action` UDM field if the `ResultStatus` raw log field has the value `True` for the operation `New-InboxRule`. - security_result.action: Newly mapped the value `BLOCK` with `security_result.action` UDM field if the `ResultStatus` raw log field has the value `False` for the operation `New-InboxRule`. - principal.resource.attribute.labels[external_access]: Newly mapped `ExternalAccess` raw log field with `principal.resource.attribute.labels[external_access]` UDM field for the operation `Set-InboxRule`. - security_result.rule_name: Newly mapped `Parameters.Name` raw log field with `security_result.rule_name` UDM field for the operation `Set-InboxRule`. - security_result.detection_fields[parameters_identity]: Newly mapped `Parameters.Identity` raw log field with `security_result.detection_fields[parameters_identity]` UDM field for the operation `Set-InboxRule`. - additional.fields: Newly mapped key-value pairs from the `Parameters` raw log field with the `additional.fields` UDM field for the operation `Set-InboxRule`. - security_result.action: Newly mapped the value `ALLOW` with `security_result.action` UDM field if the `ResultStatus` raw log field has the value `True` for the operation `Set-InboxRule`. - security_result.action: Newly mapped the value `BLOCK` with `security_result.action` UDM field if the `ResultStatus` raw log field has the value `False` for the operation `Set-InboxRule`. |
| 2025-12-03 | - `Set-OrganizationConfig`: Added support for the operation `Set-OrganizationConfig`. |
| 2025-12-01 | - additional.fields: Newly mapped `ExchangeMetaData.AttachmentDetails.Name` and `ExchangeMetaData.AttachmentDetails.Size`, and iterated over `ExchangeMetaData.AttachmentDetails.Labels` to map its child raw log fields with the `additional.fields` UDM field. |
| 2025-11-11 | - network.email.subject: Newly mapped `ExchangeMetaData.Subject` raw log field with `network.email.subject` UDM field. |
| 2025-10-27 | Updated mapping for the `ExtendedProperties.RequestType` raw log field. - extensions.auth.type: Removed mapping of the value `MACHINE` from `extensions.auth.type` UDM field and mapped the value `SSO` instead. - extensions.auth.mechanism: Removed mapping of the value `REMOTE` from `extensions.auth.mechanism` UDM field and mapped the value `INTERACTIVE` instead. |
| 2025-10-13 | - Improved error handling to cover various edge cases across multiple scenarios. - metadata.log_type: Newly mapped the `OFFICE_365` value with `metadata.log_type` UDM field. |
| 2025-09-15 | Updated mapping for the `Data.trc` and `Data.imsgid` raw log fields. - principal.user.email_address: Removed mapping of `Data.trc` from `principal.user.email_address` UDM field in order to introduce a more accurate mapping for the raw log field. - target.user.email_address: Mapped `Data.trc` raw log field with `target.user.email_address` UDM field. - principal.user.email_address: Removed mapping of `Data.imsgid` from `principal.user.email_address` UDM field in order to introduce a more accurate mapping for the raw log field. - network.email.mail_id: Mapped `Data.imsgid` raw log field with `network.email.mail_id` UDM field. |
| 2025-08-11 | - Added support for multiple new fields across various events as part of the Office 365 parser update. |
| 2025-08-05 | - security_result.description: Newly mapped `UserClaims` raw log field with `security_result.description` UDM field. |
| 2025-06-04 | - additional.fields[internet_message_id]: Newly mapped `InternetMessageId` raw log field with `additional.fields[internet_message_id]` UDM field. |
| 2025-05-29 | - target.file.md5: Newly mapped `MD5Hash` raw log field with `target.file.md5` UDM field for `FileMalwareDetected` logs. - target.file.sha256: Newly mapped `SHA256Hash` raw log field with `target.file.sha256` UDM field for `FileMalwareDetected` logs. - Added an index to the key within `additional.fields` for the `ExtendedProperties` log field to ensure key uniqueness. |
| 2025-05-13 | - target.file.full_path: Added the mapping of the `ObjectId` raw log field to the `target.file.full_path` UDM field if the value of the `Workload` field is `Endpoint` for the `MipLabel`, `DlpRuleMatch`, `DLPRuleMatch`, `DlpRuleUndo`, `DLPRuleUndo` and `DlpInfo` operations. |
| 2025-04-03 | - additional.fields[mailbox_owner_upn]: Newly mapped `MailboxOwnerUPN` raw log field with `additional.fields[mailbox_owner_upn]` UDM field. |
| 2025-03-05 | - Added support for the `EndpointMetaData.FileExtension`, `EndpointMetaData.FileSize`, `EndpointMetaData.EnforcementMode`, `EndpointMetaData.EndpointOperation`, `ExchangeMetaData.FileSize` and `ExchangeMetaData.FileType` raw log fields, dynamically mapped to the `additional.fields` UDM field. |
| 2025-02-25 | - Added support for the `SystemOverrides.Details`, `SystemOverrides.FinalOverride`, `SystemOverrides.Result` and `SystemOverrides.Source` raw log fields, dynamically mapped to the `target.resource.attribute.label.SystemOverrides_key` UDM field. |
| 2025-01-21 | - Added a replace block and an on_error check for the `field.OldValue` field in the `ModifiedProperties` raw log field for the `TeamsAdminAction` operation. |
| 2025-01-20 | - Added support for the raw log field `Id`, mapping it to the `principal.asset_id` UDM field for the `UserLoggedIn` operation. - Added support for the raw log field `BrowserType`, mapping it to the `principal.asset.software.name` UDM field for the `UserLoggedIn` operation. - Added support for the raw log fields `TrustType`, `IsCompliant` and `IsCompliantAndManaged`, mapping them to `additional.fields` for the `UserLoggedIn` operation. |
| 2025-01-05 | - Added support for the `Parameters` raw log field object in the `Set-MailboxAutoReplyConfiguration` operation, dynamically mapped to the `security_result.detection_fields` UDM field. |
| 2024-11-11 | - Updated the logic for the `AppAccessContext.AADSessionId` field to map it to `network.session_id`. |
| 2024-10-11 | - Added support for the `CopilotEventData.AccessedResources` field for `CopilotInteraction` operations. |
| 2024-09-13 | - Added support for the `Parameters` field for `New-TransportRule` operations. - Added support for the `Actions` field for `AirInvestigationData` operations. |
| 2024-09-06 | - Added support for the `FileSizeBytes` field for various file-related operations. |
| 2024-08-23 | - Added support for the field `ParticipantInfo` and its sub-fields for the operation `MemberAdded`. - Added support for the field `QueryText` for the operations `SearchCreated`, `SearchUpdated` and `SearchStarted`, mapped to `security_result.detection_fields[QueryText]`. - Added support for the field `ObjectId` for the operations `SearchCreated`, `SearchUpdated` and `SearchStarted`, mapped to `additional.fields[ObjectId]`. - Added support for the operation `TeamsAdminAction`, mapping the field `ModifiedProperties` to `security.detection_field`. - Added support for mapping `AlertEntityId` to `target.url` when the log contains `"EntityType":"MaliciousUrl"`. |
| 2024-08-09 | - Added support for `Attachments[].AffectedItems` and mapped the first file's name and size to `about.file.full_path` and `about.file.size`. - Added support for `Attachments[].AffectedItems` and mapped the field to `additional.fields[Attachments_AffectedItems]`. |
| 2024-07-10 | - Added support for `PreExecutionMessage` and `PostExecutionMessage`: iterated over their fields and mapped the key-value pairs to `security_result.detection_fields`. |
| 2024-06-12 | - Added support for `target.user.userid` in UDM, mapped from `Data` -> `userPrincipalName`. - Added support for `security_result.url_back_to_product` in UDM, mapped from `AlertLinks` -> `AlertLinkHref`. - Added support for `UserId`, mapped to `additional.fields` because `UserId` does not provide the true `user.userid`. - Added support for `target.user.product_object_id` in UDM, mapped from `Data` -> `riskyUserId`. - Added support for `ModifiedProperties` entries with `field.Name = IPAddressAllowList` under `additional.fields`, with the keys `NewIPAddressAllowList` and `OldIPAddressAllowList`. |
| 2024-05-22 | - Added support for the `ObjectId` field in `additional.fields` for the `Add member to role.` and `Add user.` operations. |
| 2024-05-15 | - Added support for the `ItemName` and `ParticipantInfo.HasForeignTenantUsers` fields in `additional.fields` for `ChatCreated` operations. |
| 2024-05-08 | - Added support for the `StrongAuthenticationMethod` and `StrongAuthenticationUserDetails` values of the `ModifiedProperties.Name` raw log field. - Added support for the `ObjectId` field in `additional.fields` for `FileUploadedToCloud` operations. |
| 2024-04-24 | - Added UDM mapping of the `ResultStatusDetail` field. - Added support for the `Parameters` field for `Add-RecipientPermission` operations. - Updated the UDM mapping of the `ModifiedProperties` raw log field. |
| 2024-03-27 | - Added support for the `ObjectId` field for `FilePrinted` and `FileUploadedToCloud` operations. - Added support for the `SearchQueryText` field for `SearchQueryPerformed` operations. - Added mapping of `InternetMessageId` to the `network.email.mail_id` UDM field for `UserSubmission` and `UserSubmissionTriage` operations. - Added mapping of `FileSizeBytes` for `FileModifiedExtended` operations. |
| 2024-03-13 | - Added support for the new operation `GetRefreshablesForCapacityAsAdmin`. - Added support for the `AppRole.Value` field from `ModifiedProperties`. - Added mapping of the `SensitivityLabelEventData.JustificationText` field to the `security_result.detection_fields` UDM field. - Added mapping of the `UrlClickAction` field to the `security_result.detection_fields` UDM field. |
| 2024-02-28 | - Added support for new operations. |
| 2024-02-14 | - Added support for the new operations `QuarantineApproveReleaseMessage`, `QuarantineDenyReleaseMessage`, `FileSensitivityLabelApplied`, `Update policy.`, `SharingLinkUsed`, `AddedToSharingLink`, `Authorize`, `SharingLinkUpdated`, `SubTaskUpdated`, `TaskRead` and `SubTaskCreated`. |
| 2024-01-31 | - Added support for the `SharingLinkCreated`, `TimesheetSaved`, `ResourceCheckedOut`, `GetGroupUsers`, `SensitivityLabelUpdated`, `ListItemRecycled` and `TimesheetAccessed` operations. |
| 2024-01-17 | - Added support for the `SensitivityLabelApplied` operation. |
| 2024-01-03 | - Added support for the `Add-MailboxLocation` and `Release-QuarantineMessage` operations. |
| 2023-11-29 | - Added support for the `Set-DlpCompliancePolicy` and `Remove-DlpCompliancePolicy` operations. - Added an additional mapping of the `RequestType` field from `ExtendedProperties` to `about.labels` for the `UserLoggedIn` and `UserLoginFailed` operations. - Aligned the `principal/target.hostname` and `principal/target.asset.hostname` mappings. - Added support for additional fields in `noun.labels`. |
| 2023-11-01 | - Added support for the `QuarantineReleaseMessage`, `WorkspaceStatusReceived`, `LinkedEntityUpdated`, `ViewResponse`, `O365SyncAdminUserPromotion`, `FileCopiedToClipboard` and `FileTranscriptContentAccessed` operations. |
| 2023-10-18 | - Added support for the `TaskModified` and `DeleteTile` operations. |
| 2023-10-04 | - Added support for the `SensitivityLabeledFileOpened`, `SensitivityLabeledFileRenamed` and `Validate` operations. - Added support for the `ModifiedProperties` fields in the `Update user` operation. |
| 2023-09-20 | - Added support for the `PutConnection`, `PutConnectionPermission`, `AdminSubmissionTablAllow`, `Add contact.` and `WorkspacePortalUrlReceived` operations. |
| 2023-09-06 | - Added mapping of `ObjectId` for the `Add-MailboxPermission` operation. |
| 2023-08-23 | - Added support for the `TaskListRead` operation. |
| 2023-08-09 | - Added support for the `GetWorkspaces`, `TeamsUserSignedOut` and `ConnectFromExternalApplication` operations. |
| 2023-07-26 | - Added support for `SensitiveInfoTypeData` fields in DLP logs. - Updated mapping of `metadata.event_type` for the `UserLoginFailed` operation. |
| 2023-06-28 | - Updated mapping of `metadata.event_type` for the `UserLoggedIn` operation. |
| 2023-06-14 | - Added support for the `ListViewUpdated` operation. - Updated the parser to include `parse_network_http_user_agent`, which uses `Parsed User Agent` and `User Agent`. |
| 2023-05-31 | - Added support for the `FileUploadedToCloud`, `GenerateDataflowSasToken`, `GenerateScreenshot`, `MDCAssessments`, `RemovableMediaMount`, `SignInEvent`, `ApprovedRequest`, `CreateForm`, `ListForms`, `MDCRegulatoryComplianceAssessments`, `PreviewForm`, `ViewedApprovalRequest`, `ListCreated` and `SiteColumnCreated` operations. - Added mapping for the recipient of the email for `TIMailData`. |
| 2023-05-02 | - Added mapping of attachment data for the `TIMailData` operation. - Added mapping of the `Result Status` log field for the `SoftDelete` operation. - Updated mapping of the event type for `Update Service Principal`. - Added mapping of `Result Status` to `security_result.action` for all operations. - Added mapping of the `ErrorNumber` log field for the `UserLoggedIn` and `UserLoginFailed` operations. - Added support for the `New-DlpCompliancePolicy`, `New-DlpComplianceRule`, `Get-InsiderRiskPolicy`, `Enable Strong Authentication.`, `ReactedToMessage`, `RemovableMediaUnmount` and `Set-HostedContentFilterPolicy` operations. |
| 2023-04-12 | - Added mapping of the fields present in the `Data` field for the operations `AirInvestigation`, `AlertUpdated`, `AlertEntityGenerated` and `AlertTriggered`. - Added support for the `DeleteDatasetRows` operation. - Added mapping of the `ApplicationId` log field and updated mapping for the `ApplicationDisplayName`, `appId` and `RequestType` log fields. |
| 2023-03-29 | - Added support for IPv6 dual addresses. - Added support for the `LaunchPowerApp` operation. |
| 2023-03-15 | - Added mapping of the `Role.TemplateId` field for the operation `Add member to role.`. - Updated mapping of the `Role.DisplayName` field for the operation `Add member to role.`. |
| 2023-03-01 | - Added support for the `FileSensitivityLabelChanged`, `FileRead`, `MessageReadReceiptReceived`, `Search`, `TaskDeleted`, `TaskUpdated` and `TaskCreation` operations. - Added a regular expression for the `email` field for the `AirInvestigationData` operation. - Added size validation for `principal.user.userid` and `target.user.userid`. - Modified the validations for setting `metadata.event_type`. - Removed unwanted invalid-JSON logs. |
| 2023-02-01 | - Added support for the `SecurityGroupModified` operation. - Added mapping of `principal.user.userid` and `target.user.userid`. |
| 2023-01-18 | - Added mapping for the field `Is Hard Deleted` to `security_result.detection_fields.key/value`. - Added mapping for the field `GivenName` to `target.user.attribute.labels.key/value`. - Added mapping for the field `RequiredResourceAccess` to `target.resource.attribute.labels.key/value`. - Added mapping for the field `DelegatedPermissionGrant.Scope` to `target.resource.attribute.labels.key/value`. |
| 2023-01-11 | - Removed the gsub filter that stripped leading zeros. - Added validation logic to check whether an IP address is valid. - Handled the `ObjectId` field to remove unnecessary angle brackets. - Added support for the `RecipientCount`, `Sent`, `SensitiveInformationDetailedClassificationAttributes.Confidence`, `SensitiveInformationDetailedClassificationAttributes.Count`, `SensitiveInfoTypeData.Confidence` and `SensitiveInfoTypeData.Count` fields. |
| 2023-01-04 | Promoting the parser to default. |
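As an added illustration of the three-case `ActorInfoString` strategy in the 2025-12-16 entry (this is not the Chronicle parser's own code), the logic is reimplemented below in Python so that a detection engineer can check which value lands in `network.http.user_agent` for a given record. The two regular expressions are assumptions, since the page truncates the original grok patterns, and the sample strings are constructed, not captured from a tenant.

```python
import re

# Added illustration of the three-case ActorInfoString strategy described in the
# 2025-12-16 change log entry. The regexes are assumptions: the page truncates the
# parser's real grok patterns, so the character classes below are our own choice.
# Case 1 pattern: the value after "UserAgent=" up to the next semicolon.
USER_AGENT_RE = re.compile(r"UserAgent=(?P<temp_agent>[^;]*)")
# Case 1 fallback and Case 2 pattern: the agent between the last semicolon and
# "[AppId=". The greedy ".*" forces the match onto the last semicolon.
CLIENT_RE = re.compile(r"Client=.*;(?P<agent>[^;\[]*)\[AppId=")


def extract_user_agent(actor_info: str) -> str:
    """Return the user agent chosen for network.http.user_agent, or "" if none."""
    # Case 1: an explicit UserAgent= key wins.
    m = USER_AGENT_RE.search(actor_info)
    if m:
        temp_agent = m.group("temp_agent")
        if "NoUserAgent" not in temp_agent:
            return temp_agent
        # "NoUserAgent": re-parse for the agent before "[AppId="; if that
        # pattern fails too, the user agent is treated as empty.
        m2 = CLIENT_RE.search(actor_info)
        return m2.group("agent") if m2 else ""
    # Case 2: no UserAgent= key, but a Client= key with a trailing "[AppId=".
    if "Client=" in actor_info:
        m2 = CLIENT_RE.search(actor_info)
        if m2:
            return m2.group("agent")
    # Case 3: nothing else matched, so the whole string is mapped.
    return actor_info


def map_user_agent(record: dict) -> dict:
    """UDM fragment for an Office 365 record; empty when no agent is found.

    Per the change log entry, ClientInfoString is no longer consulted at all.
    """
    actor_info = record.get("ActorInfoString")
    if not actor_info:
        return {}
    agent = extract_user_agent(actor_info)
    return {"network": {"http": {"user_agent": agent}}} if agent else {}


# Constructed sample values (not captured from a real tenant), one per case.
SAMPLES = {
    "case1": "Client=OWA;UserAgent=Mozilla/5.0 (X11) Firefox/120.0;Action=ViaProxy",
    "case1_nouseragent": "UserAgent=NoUserAgent;Client=REST;Action=ViaProxy;RESTSystem[AppId=abc]",
    "case1_empty": "UserAgent=NoUserAgent;Client=OWA",
    "case2": "Client=WebServices;Action=ViaProxy;ExchangeWebServices/15.20[AppId=00000000-0000-0000-0000-000000000000]",
    "case3": "Client=MSExchangeRPC",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} -> {extract_user_agent(value)!r}")
```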