This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community is upgrading platforms!

Read more and check out our FAQ
Log in to ask a question

Help with mapping multiple values to a single UDM field to create an array that can be queried

Posted 3 weeks ago
RLee11212016
New Member
Reply posted on --/--/---- --:-- AM

I need to map specifically internet message ids from the Office 365 logs. Issue is in the mailitemsaccess logs that are bind events, multiple internet message ids can be captured within a single json path. I need to be able to iterate through and grap all the internet message IDs and map them to say additional.fields["InternetMessageIDs"]. Sometimes there can be up to 10 IDs within one log. I would like for them to be captured as additional.fields["InternetMessageIDs[0]"] or something similar when I use the extract function built in. It will only grab the first 5 IDs though so it has a limitation. Example of how it captures the data.

extracted.fields["Folders[0].FolderItems[0].InternetMessageId"]

extracted.fields["Folders[0].FolderItems[1].InternetMessageId"]

extracted.fields["Folders[0].FolderItems[2].InternetMessageId"]

and so on.

Not really sure of where to start on this as I have created basic extensions but nothing this complicated. Google support has not been that great a help with this either so far hence why I am trying to tackle this myself.

1 3 144
Topic Labels
3 REPLIES 3

Posted on --/--/---- --:-- AM
Eoved
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM
Hello friend,
For a long-term solution, I would recommend submitting a parser improvement support case with the relevant type of logs. Since MailItemsAccessed can include a lot of elements, there's likely always room for improvement.
For a short-term solution, since the extract function doesn't meet your needs, I suggest creating a parser extension and mapping it to the UDM field. UDM offers more flexibility than the extract function, and since your log is in JSON format, you can use a no-code extension.
I believe you'll find the field "udm.principal.network.email.mail_id" very useful.
Sample:
Eoved_0-1750575485369.png
Eoved_1-1750575505679.jpeg
Hope this helps!

Posted on --/--/---- --:-- AM
sudeep_singh
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi @RLee11212016 ,

If you can share me the raw log we can give a try using the for loop.

Thanks,
Sudeep Singh

Posted on --/--/---- --:-- AM
ScottieJ
Staff
Reply posted on --/--/---- --:-- AM

You may find this article helpful as its on topic for your request.

Top Solution Authors
View all