{ "attributes": { "dataSource.name": "Microsoft 365 Collaboration", "dataSource.vendor": "Microsoft", "dataSource.category": "security", "metadata.product.name": "Microsoft 365 SharePoint/OneDrive", "metadata.product.vendor_name": "Microsoft", "metadata.version": "1.0.0" }, "formats": [ { "format": "$unmapped.{parse=gron}$", "rewrites": [ { "input": "unmapped.TimeStamp", "output": "timestamp", "match": ".*", "replace": "$0" } ] } ], "mappings": { "version": 1, "mappings": [ { "predicate": "true", "transformations": [ { "constant": { "value": 1, "field": "activity_id" } }, { "constant": { "value": "Create", "field": "activity_name" } }, { "constant": { "value": 1, "field": "category_uid" } }, { "constant": { "value": 1006, "field": "class_uid" } }, { "constant": { "value": "File Activity", "field": "class_name" } }, { "constant": { "value": "System Activity", "field": "category_name" } }, { "constant": { "value": 100601, "field": "type_uid" } }, { "constant": { "value": "File Activity: Create", "field": "type_name" } }, { "copy": { "from": "unmapped.TimeStamp", "to": "time" } }, { "cast": { "field": "time", "type": "iso8601TimestampToEpochSec" } }, { "rename": { "from": "unmapped.UserId", "to": "actor.user.email_addr" } }, { "rename": { "from": "unmapped.Operation", "to": "activity_name" } }, { "rename": { "from": "unmapped.SiteUrl", "to": "src_endpoint.url.url_string" } }, { "rename": { "from": "unmapped.ObjectId", "to": "file.path" } }, { "rename": { "from": "unmapped.FileName", "to": "file.name" } }, { "rename": { "from": "unmapped.TargetUser", "to": "user.email_addr" } }, { "rename": { "from": "unmapped.RequestedBy", "to": "actor.user.name" } }, { "rename": { "from": "unmapped.Details", "to": "message" } }, { "constant": { "value": "Microsoft 365", "field": "cloud.provider" } } ] } ] } }