-
Notifications
You must be signed in to change notification settings - Fork 27
/
Copy patho365beat.dev.yml
125 lines (113 loc) · 4.9 KB
/
o365beat.dev.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
################### O365beat Development Configuration #######################
# A config file that doesn't get nuked by "make update". "real" stuff goes in
# _meta/beat.yml
# > ./o365beat --path.config . -c o365beat.dev.yml -e --strict.perms=false
o365beat:
period: 30s
# used to test custom API endpoints functionality (GCC high)
# login_url: https://login.microsoftonline.com # default is https://login.microsoftonline.com
# resource_url: https://manage.office.com # default is https://manage.office.com
# > set -a; . ./o365beat.env; set +a;
tenant_domain: ${O365BEAT_TENANT_DOMAIN}
client_secret: ${O365BEAT_CLIENT_SECRET}
client_id: ${O365BEAT_CLIENT_ID} # aka application id (GUID)
directory_id: ${O365BEAT_DIRECTORY_ID} # aka tenant id (GUID)
registry_file_path: ./tmp/o365beat.state
content_types:
- Audit.AzureActiveDirectory
- Audit.Exchange
- Audit.SharePoint
- Audit.General
# - DLP.All
# map Office 365 Activities API event fields to ECS fields
# API "Common" fields: Id, RecordType, CreationTime, Operation, OrganizationId,
# UserType, UserKey, Workload, ResultStatus, ObjectId,
# UserId, ClientIP, Scope
# TODO: Docs say event.created = time created in pipeline (not CreationTime)
processors:
- script:
when:
or:
- has_fields: ['Parameters']
- has_fields: ['ExtendedProperties']
lang: javascript
id: name_value_array_parser
source: >
function process(event){
var processed = event.Get('processed') || {};
var parameters = event.Get('Parameters')
if(!!parameters && !!parameters.length){
processed.Parameters = processed.Parameters || {};
for(var i = 0; i < parameters.length; i++){
var p = parameters[i];
if(p.Name) processed.Parameters[p.Name] = p.Value;
}
}
var extendedProperties = event.Get('ExtendedProperties')
if(!!extendedProperties && !!extendedProperties.length){
processed.ExtendedProperties = processed.ExtendedProperties || {};
for(var i = 0; i < extendedProperties.length; i++){
var p = extendedProperties[i];
if(p.Name) processed.ExtendedProperties[p.Name] = p.Value;
}
}
event.Put('processed', processed);
}
- dissect:
field: ClientIP
tokenizer: '[%{clientip}]:%{clientport}'
when:
contains:
ClientIP: '['
- dissect:
field: ClientIP
tokenizer: '%{clientip}:%{clientport}'
when:
contains:
ClientIP: ':'
not:
contains:
ClientIP: '['
- convert:
fields:
- {from: Id, to: 'event.id', type: string} # ecs core
- {from: RecordType, to: 'event.code', type: string} # ecs extended
- {from: Operation, to: 'event.action', type: string} # ecs core
- {from: OrganizationId, to: 'cloud.account.id', type: string} # ecs extended
- {from: Workload, to: 'event.category', type: string} # ecs core
- {from: ResultStatus, to: 'event.outcome', type: string} # ecs extended
- {from: UserId, to: 'user.id', type: string} # ecs core
- {from: ClientIP, to: 'client.ip', type: ip} # ecs core
- {from: 'dissect.clientip', to: 'client.ip', type: ip} # ecs core
# the following fields use the challenging array-of-name-value-pairs format
# converting them to strings fixes issues in elastic, eases non-script parsing
# easier to rehydrate into arrays from strings than vice versa:
- {from: Parameters, type: string} # no ecs mapping
- {from: ExtendedProperties, type: string} # no ecs mapping
- {from: ModifiedProperties, type: string} # no ecs mapping
ignore_missing: true
fail_on_error: false
mode: copy # default
# output.console:
# pretty: true
output.file:
path: "./tmp/"
filename: o365beat.json
# output.elasticsearch:
# hosts: ["http://localhost:9200"]
# username: "elastic"
# password: "changeme"
# output.logstash:
# hosts:
# - ${O365BEAT_LOGSTASH_HOST}
# ssl:
# certificate_authorities:
# - ${O365BEAT_CLIENT_CA_KEY_PATH}
# certificate: ${O365BEAT_CLIENT_CER_PATH}
# key: ${O365BEAT_CLIENT_KEY_PATH}
# https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html
# https://www.elastic.co/blog/elasticsearch-security-configure-tls-ssl-pki-authentication
# split the p12 into the sub-chunks needed for the conf (private key, public cert, ca cert)
# > openssl pkcs12 -in client.p12 -nocerts -nodes > client.key # Private Key
# > openssl pkcs12 -in client.p12 -clcerts -nokeys > client.cer # Public Certificate
# > openssl pkcs12 -in client.p12 -cacerts -nokeys -chain > client-ca.cer # CA Certificate