O365_AzureActiveDirectory_AddUser_PatternVerification
ID: 100232
Description:
Verifies username pattern for the specified domain - KLK
Repository: Group: Office365 Type: event
Default Status:
Disabled
Tags: o365, office365, azure, pattern, lua
Selector:
Query:
@sender:office365
Filters:
Standard:
Field | MUST hit |
---|---|
@fields.Workload | AzureActiveDirectory |
@fields.Operation | Add user. |
Field | MUST NOT hit |
---|---|
Additional JSON:
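```lua
-- Hit (return true) when the user name of a newly added account does not
-- begin with the pattern registered for its domain.
function json_doc_filter (doc)
    local fields = doc['@fields']
    if fields == nil then
        return false
    end
    local objectid = fields.ObjectId
    if objectid == nil then
        return false
    end
    print("ObjectId: "..objectid)
    local domain = fields._userdomain
    if domain == nil then
        return false
    end
    print("Domain: "..domain)
    -- Escape Lua pattern magic characters ('.', '-', ...) so the domain is
    -- removed as a literal string rather than interpreted as a pattern.
    local escaped = string.gsub(domain, "%p", "%%%0")
    local user = string.gsub(objectid, escaped, "")
    if user == nil then
        return false
    end
    print("User: "..user)
    -- Look up the expected user name pattern for this domain.
    local exist, userpattern = entityinfo_lookup("O365_UserName_PatternMatch","domain",domain,"pattern")
    if exist == nil or userpattern == nil then
        return false
    end
    print("User Pattern: "..userpattern)
    -- string.find returns the start index of the first match, or nil.
    local uservalidated = string.find(user, userpattern)
    -- No match, or a match that does not start at the first character:
    -- the user name violates the pattern, so the rule hits.
    if uservalidated == nil or uservalidated > 1 then
        return true
    end
    return false
end
return json_doc_filter
```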
History:
User | Date |
---|---|
— | 2021 Apr 11 19:56:30 EDT |
— | 2021 Apr 11 19:57:00 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)