beat.yml
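################### O365beat Configuration Example #########################

############################# O365beat ######################################
o365beat:
  ## period defines how often the API is polled for new content blobs
  ## 5 min default, as new content (probably) isn't published too often
  # period: 5m

  ## api_timeout defines how long the beat will wait for responses from the API
  ## 30 second default; extend this for busy tenants
  # api_timeout: 30s

  ## content_max_age defines the oldest content the beat will request
  ## 7 day default, which is the max retained according to Microsoft
  ## reduce this for busy tenants to minimize risk of timeouts
  # content_max_age: 168h

  ## pull secrets from environment (e.g, > set -a; . ./ENV_FILE; set +a;)
  ## or a key store (https://www.elastic.co/guide/en/beats/filebeat/current/keystore.html)
  ## or hard-code here (if you do, keep this file out of version control and
  ## readable only by the beat's user: client_secret and certificate_pwd are
  ## live credentials). Every value below is empty unless the variable is set,
  ## except registry_file_path, which falls back to ./o365beat.state.
  tenant_domain: ${O365BEAT_TENANT_DOMAIN:}
  client_secret: ${O365BEAT_CLIENT_SECRET:}
  client_id: ${O365BEAT_CLIENT_ID:}  # aka application id (GUID)
  directory_id: ${O365BEAT_DIRECTORY_ID:}  # aka tenant id (GUID)
  registry_file_path: ${O365BEAT_REGISTRY_PATH:./o365beat.state}
  certificate_path: ${O365BEAT_CERTIFICATE_PATH:}  # path to your .pfx file
  certificate_pwd: ${O365BEAT_CERTIFICATE_PWD:}  # password of your .pfx file

  ## the following content types will be pulled from the API
  ## for available types, see https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#working-with-the-office-365-management-activity-api
  content_types:
    - Audit.AzureActiveDirectory
    - Audit.Exchange
    - Audit.SharePoint
    - Audit.General
    # - DLP.All # TODO: figure out what to do with this, it's not like the rest

## By default, map Office 365 Activities API event fields to ECS fields
## API "Common" fields: Id, RecordType, CreationTime, Operation, OrganizationId,
##                     UserType, UserKey, Workload, ResultStatus, ObjectId,
##                     UserId, ClientIP, Scope
## Processors run in list order; the dissect results land under the default
## "dissect." prefix, which the convert step below reads back.
processors:
  ## split "user@domain" into user.name / user.domain
  - dissect:
      field: UserId
      tokenizer: '%{user.name}@%{user.domain}'
      when:
        contains:
          UserId: '@'
  ## bracketed "[ipv6]:port" form
  - dissect:
      field: ClientIP
      tokenizer: '[%{clientip}]:%{clientport}'
      when:
        contains:
          ClientIP: '['
  ## plain "ipv4:port" form. libbeat evaluates only one condition key per
  ## `when`, so `contains` and `not` written as siblings are NOT both applied;
  ## combine them with `and:` so the bracketed IPv6 form is really excluded
  ## (otherwise this tokenizer splits it at the first ':' and clobbers
  ## dissect.clientip).
  - dissect:
      field: ClientIP
      tokenizer: '%{clientip}:%{clientport}'
      when:
        and:
          - contains:
              ClientIP: ':'
          - not:
              contains:
                ClientIP: '['
  ## copy (mode: copy) the raw API fields into their ECS names; the originals
  ## are kept. A failed conversion (e.g. ClientIP still carrying a port when
  ## converted to type ip) is skipped rather than dropping the event, because
  ## fail_on_error is false.
  - convert:
      fields:
        - {from: Id, to: 'event.id', type: string}  # ecs core
        - {from: RecordType, to: 'event.code', type: string}  # ecs extended
        - {from: Operation, to: 'event.action', type: string}  # ecs core
        - {from: OrganizationId, to: 'cloud.account.id', type: string}  # ecs extended
        # - {from: UserType, to: '', type: ''} # no ecs mapping
        # - {from: UserKey, to: '', type: ''} # no ecs mapping
        - {from: Workload, to: 'event.category', type: string}  # ecs core
        - {from: ResultStatus, to: 'event.outcome', type: string}  # ecs extended
        # - {from: ObjectId, to: '', type: ''} # no ecs mapping
        - {from: UserId, to: 'user.id', type: string}  # ecs core
        - {from: ClientIP, to: 'client.ip', type: ip}  # ecs core
        - {from: 'dissect.clientip', to: 'client.ip', type: ip}  # ecs core
        # - {from: "Scope", to: "", type: ""} # no ecs mapping
        ## the following fields use the challenging array-of-name-value-pairs format
        ## converting them to strings fixes issues in elastic, eases non-script parsing
        ## easier to rehydrate into arrays from strings than vice versa:
        - {from: Parameters, type: string}  # no ecs mapping
        - {from: ExtendedProperties, type: string}  # no ecs mapping
        - {from: ModifiedProperties, type: string}  # no ecs mapping
      ignore_missing: true
      fail_on_error: false
      mode: copy  # default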