Microsoft's API creates events with the ClientIP field in one of (at least) three different formats:
10.10.10.10
[10.10.10.10]:10100
10.10.10.10:10100
We handled the first two, but this third format (with a port but no brackets) is not handled by the current processors in o365beat.yml. Fix should be something like adding the following to current o365beat.yml, but still needs testing:
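An added illustration, not the o365beat.yml processor change referred to above and not code from the o365beat project: a Go sketch that normalizes the three ClientIP formats listed in this issue into an address and an optional port. The names `ClientAddr` and `ParseClientIP` are hypothetical, and handling IPv6 values is an assumption that goes beyond the formats the issue lists.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// ClientAddr is a normalized ClientIP value; Port is 0 when none was given.
// (Hypothetical type for this example.)
type ClientAddr struct {
	IP   string
	Port int
}

// ParseClientIP accepts "ip", "[ip]:port" and "ip:port".
func ParseClientIP(raw string) (ClientAddr, error) {
	// Try the bare address first: a bare IPv6 address contains colons and
	// must not be mistaken for ip:port.
	if ip := net.ParseIP(raw); ip != nil {
		return ClientAddr{IP: ip.String()}, nil
	}
	// SplitHostPort handles both the bracketed and the unbracketed port form.
	host, portStr, err := net.SplitHostPort(raw)
	if err != nil {
		return ClientAddr{}, fmt.Errorf("unrecognized ClientIP %q: %w", raw, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return ClientAddr{}, fmt.Errorf("ClientIP %q: host part is not an IP address", raw)
	}
	// bitSize 16 rejects ports above 65535.
	port, err := strconv.ParseUint(portStr, 10, 16)
	if err != nil {
		return ClientAddr{}, fmt.Errorf("ClientIP %q: bad port: %w", raw, err)
	}
	return ClientAddr{IP: ip.String(), Port: int(port)}, nil
}

func main() {
	// Constructed sample values: the three formats from the issue, plus IPv6
	// and one malformed value.
	for _, raw := range []string{"10.10.10.10", "[10.10.10.10]:10100",
		"10.10.10.10:10100", "2001:db8::1", "[2001:db8::1]:443", "not-an-ip"} {
		addr, err := ParseClientIP(raw)
		fmt.Printf("%-22q -> %+v err=%v\n", raw, addr, err)
	}
}
```

Values that fail to parse are returned as errors rather than guessed at, so an event with an unexpected ClientIP format can be kept with the raw field intact and flagged for review.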