O365: Microsoft Office Activity Cribl Pack

Today we will be walking through the Microsoft Office Activity Cribl Pack. This Pack is meant to help you quickly bring Microsoft Office 365 Activity Logs into an organization with portability and flexibility in mind: it is designed so that each Workload can be routed and processed separately, or not sent at all. The Pack currently supports the following Workloads: AzureActiveDirectory, Exchange, SharePoint, OneDrive, MicrosoftTeams, SecurityComplianceCenter, PublicEndpoint, PowerBI, MicrosoftForms, SkypeForBusiness. Next we will go over the Routes and Pipelines in the Pack and how they currently work.

Figure a1

This Pack contains 6 separate Routes: AzureAD, o365exchange, o365sharepoint, o365onedrive, o365general, and default. Each Route carries a filter that matches the event's "Workload" field against a regex. Routes are evaluated top to bottom, and with a Route's Final flag set (the default) an event is handled by the first Route whose filter matches, so the order matters. Figure a1 is a table of the Routes and what each one looks for in the Workload field.
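To make the first-match behaviour concrete, here is a small added simulation of the Routes; it is not code from the Pack. The regexes are an assumption that reproduces the Workload list given above (the Pack's actual patterns are the ones in Figure a1), and the events are constructed for the demonstration.

```javascript
// Added example, not part of the Pack: a first-match simulation of Routes
// that filter on the event's Workload field with a regex.
// ASSUMPTION: these patterns are illustrative, derived from the Workload
// list in the post; the Pack's own patterns are in Figure a1.
const ROUTES = [
  { name: "AzureAD",        filter: (e) => /^AzureActiveDirectory$/.test(e.Workload) },
  { name: "o365exchange",   filter: (e) => /^Exchange$/.test(e.Workload) },
  { name: "o365sharepoint", filter: (e) => /^SharePoint$/.test(e.Workload) },
  { name: "o365onedrive",   filter: (e) => /^OneDrive$/.test(e.Workload) },
  { name: "o365general",    filter: (e) =>
      /^(MicrosoftTeams|SecurityComplianceCenter|PublicEndpoint|PowerBI|MicrosoftForms|SkypeForBusiness)$/.test(e.Workload) },
  { name: "default",        filter: () => true },
];

// Return the name of the first Route whose filter accepts the event.
// Cribl evaluates Routes top to bottom and, with Final set, stops at the
// first match, so a broad filter placed above a narrow one would steal
// the narrow Route's events. A missing Workload tests as the string
// "undefined" and falls through to default.
function routeFor(event) {
  for (const r of ROUTES) if (r.filter(event)) return r.name;
  return "default";
}

// Constructed events for the demonstration (not real telemetry).
const SAMPLES = [
  { Workload: "AzureActiveDirectory", Operation: "UserLoggedIn" },
  { Workload: "Exchange", Operation: "MailItemsAccessed" },
  { Workload: "MicrosoftTeams", Operation: "TeamCreated" },
  { Workload: "Yammer", Operation: "Other" },   // not a supported Workload
  { Operation: "NoWorkloadField" },             // Workload missing entirely
];

function routeAll(events) {
  return events.map((e) => ({ Workload: e.Workload, route: routeFor(e) }));
}

console.log(routeAll(SAMPLES));
```

The two edge cases at the end are the ones to check after editing a filter: an unsupported Workload and an event with no Workload field both land in default, where you decide whether to drop or forward them.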

The Pack also contains 4 Pipelines; as of this writing each Pipeline does the same thing. They are kept separate to allow the flexibility of retaining or deleting fields depending on the Workload and its requirements. I also anticipate that additional use cases will require Workloads to be processed differently. The following is what these Pipelines do.

First, a Regex Extract function looks into the source field and creates a source_collector field that identifies what type of source this is (Figure b1). Next, an Eval function assigns an index (change this to suit your environment), rewrites source to crbl:o365:api with the source_collector value extracted in the previous step appended, and sets sourcetype to 'o365:activity' with the Workload field appended in lower case (Figure b2). These two steps replace the long URL that the collector puts in source by default with a short, stable value, and make the sourcetype consistent and assigned programmatically per Workload.

Next there is a function group called JSON containing 2 Parser functions. The first Parser function reserializes the JSON in _raw, removing null-valued fields, and writes the result back into _raw (Figure b3). The second Parser function extracts the JSON from the top-level fields and puts that into _raw (Figure b4). This helps reduce event size. Keep in mind that a field removed because it was null no longer exists downstream at all, so any search or detection that distinguishes a null value from an absent field will behave differently after this step.

There is an additional Eval that is disabled by default. When enabled, it drops the fields listed in Remove Fields (Figure b5). It ships with * in Remove Fields, which drops every field; you can replace the * with just the fields you want removed, or, if you only want to keep a few fields, leave the * in place and list the fields to retain in the "Keep Fields" area, which takes precedence over Remove Fields.
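The three steps above (Regex Extract and Eval, the null-stripping Parser, and the optional field-dropping Eval) are simulated end to end in the following added example so the field changes can be inspected without a Cribl instance. This is not code from the Pack: the regex that derives source_collector, the source URL shape, the index name, the sample event, and the treatment of __-prefixed internal fields are all assumptions for illustration; only the source and sourcetype layout follows what the post describes, and the second Parser function is not modelled.

```javascript
// Added example, not code from the Pack: a stand-alone simulation of the
// field changes the Pack's Pipeline makes to one Office 365 event.

// Constructed sample event (not real telemetry): a deliberately long source
// URL, a JSON payload in _raw containing null fields, and Workload promoted
// to a top-level field. ASSUMPTION: the URL shape is invented.
const SAMPLE_EVENT = {
  _time: 1700000000,
  _raw: JSON.stringify({
    Workload: "AzureActiveDirectory",
    Operation: "UserLoggedIn",
    UserId: "alice@example.com",
    ClientIP: "203.0.113.7",
    ResultStatus: null,
    ExtendedProperties: [
      { Name: "UserAgent", Value: "Mozilla/5.0" },
      { Name: "Empty", Value: null },
    ],
  }),
  source: "https://collector.example.invalid/o365/feed/audit/azureactivedirectory/0123456789abcdef",
  Workload: "AzureActiveDirectory",
  host: "collector-01",
  cribl_pipe: "o365_azuread",
};

// Step 1, Regex Extract: pull the collector type out of the source URL into
// source_collector. ASSUMPTION: this pattern is matched to the invented URL.
const COLLECTOR_RE = /\/audit\/(?<source_collector>[^\/]+)\//;
function extractCollector(event) {
  const m = COLLECTOR_RE.exec(event.source || "");
  return { ...event, ...(m ? m.groups : {}) };
}

// Step 2, Eval: assign the index (change to taste), shorten source to
// crbl:o365:api:<collector>, and build sourcetype from the lower-cased
// Workload so it is consistent and assigned programmatically.
function evalFields(event, index = "o365") {
  return {
    ...event,
    index,
    source: `crbl:o365:api:${event.source_collector}`,
    sourcetype: `o365:activity:${String(event.Workload || "unknown").toLowerCase()}`,
  };
}

// Step 3, Parser (reserialize): parse _raw, drop every null-valued field,
// recursively, including inside arrays of objects, and write compact JSON
// back to _raw. This is the step that shrinks the event.
function stripNulls(value) {
  if (Array.isArray(value)) return value.map(stripNulls);
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).filter(([, v]) => v !== null).map(([k, v]) => [k, stripNulls(v)])
    );
  }
  return value;
}
function reserializeRaw(event) {
  return { ...event, _raw: JSON.stringify(stripNulls(JSON.parse(event._raw))) };
}

// Step 4, the disabled-by-default Eval: remove fields matching Remove Fields
// unless they also match Keep Fields (keep wins). Cribl-style * wildcards are
// supported, so "*" removes everything not explicitly kept.
// ASSUMPTION: __-prefixed internal fields are left untouched.
const RE_SPECIAL = /[.*+?^${}()|[\]\\]/g;
function wildcardToRegExp(pattern) {
  const parts = pattern.split("*").map((s) => s.replace(RE_SPECIAL, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}
function dropFields(event, removeFields = ["*"], keepFields = []) {
  const remove = removeFields.map(wildcardToRegExp);
  const keep = keepFields.map(wildcardToRegExp);
  return Object.fromEntries(
    Object.entries(event).filter(([k]) =>
      k.startsWith("__") || keep.some((re) => re.test(k)) || !remove.some((re) => re.test(k))
    )
  );
}

// Run the steps in Pipeline order; dropEnabled defaults to false to mirror
// the Pack shipping with that Eval disabled.
function runPipeline(event, { index = "o365", dropEnabled = false, removeFields = ["*"], keepFields = [] } = {}) {
  const shaped = reserializeRaw(evalFields(extractCollector(event), index));
  return dropEnabled ? dropFields(shaped, removeFields, keepFields) : shaped;
}

console.log(runPipeline(SAMPLE_EVENT));
console.log(runPipeline(SAMPLE_EVENT, {
  dropEnabled: true,
  keepFields: ["_raw", "_time", "index", "source", "sourcetype", "host"],
}));
```

The second call is the configuration to test before enabling that last Eval in production: with * in Remove Fields, anything not on the Keep Fields list, including the index, source and sourcetype you just computed, is gone, so list them explicitly.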

Figure b1
Figure b2
Figure b3
Figure b4
Figure b5