
O365_AzureActiveDirectory_AddUser_PatternVerification

ID: 100232

Description:

Verifies username pattern for the specified domain - KLK

Repository: Group: Office365 Type: event

Default Status:

Disabled

Tags:

o365 office365 azure pattern lua

Selector:

Query:

@sender:office365

Filters:

Standard:

Field MUST hit
@fields.Workload AzureActiveDirectory
@fields.Operation Add user.
Field MUST NOT hit
   

Additional JSON:

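-- Returns true (rule fires) when the user name of a newly added account
-- does not match the naming pattern configured for its domain.
function json_doc_filter (doc)
   local objectid = doc['@fields'].ObjectId
   if objectid == nil then
      return false
   end
   print("ObjectId: "..objectid)

   local domain = doc['@fields']._userdomain
   if domain == nil then
      return false
   end
   print("Domain: "..domain)

   -- Escape Lua pattern magic characters ('.', '-', ...) so the domain is
   -- stripped as a literal string instead of being interpreted as a pattern.
   local domain_literal = string.gsub(domain, "%p", "%%%0")
   local user = string.gsub(objectid, domain_literal, "")
   if user == nil then
      return false
   end
   print("User: "..user)

   -- Look up the expected user name pattern for this domain.
   local exist, userpattern = entityinfo_lookup("O365_UserName_PatternMatch","domain",domain,"pattern")
   if exist == nil or userpattern == nil then
      return false
   end
   print("User Pattern: "..userpattern)

   -- string.find returns the start index of the match, or nil if none.
   -- Fire when the pattern does not match, or matches only after position 1.
   local uservalidated = string.find(user, userpattern)
   if uservalidated == nil or uservalidated > 1 then
      return true
   end

   return false

end
return json_doc_filter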

History:

User Date
2021 Apr 11 19:56:30 EDT
2021 Apr 11 19:57:00 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)