Releases: counteractive/o365beat
o365beat v1.5.1
Added
- Added support for the `script` processor and provided a sample processor script in `o365beat.reference.yml` to convert fields that contain arrays of name-value pairs into a "normal" object (closes #41)
o365beat v1.5.0
A significant release that updates documentation alongside the following:
Added
- Added and documented a feature to customize API endpoints, which allows support for GCC High (see #25)
o365beat v1.4.3
o365beat v1.4.2
o365beat v1.4.1
Added
- Includes new Kibana visualizations and a dashboard showing AlertTriggered events from Microsoft's Advanced Threat Protection service, a chart of common client IP addresses, a list of unique users, and a running stream of summarized activity.
Changed
- Updates processors to better handle certain log fields. Specifically, the API provides the `Parameters` and `ExtendedProperties` fields as arrays of objects with just `Name` and `Value` keys, which is confusing and difficult to work with, and causes issues with Elasticsearch. This version stores those fields as strings, which can then be deserialized or parsed with string-based tools. Most importantly, it stops indexing errors and dropped events.
- Fixes an issue with vendor metadata that caused a build error during `make release`.
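An added example (not o365beat's own code or its reference script) of the conversion that both the v1.5.1 `script` processor entry and this entry describe: it flattens the API's `Parameters` and `ExtendedProperties` Name/Value arrays into ordinary objects, written in the ES5 JavaScript the Beats script processor executes, against a constructed sample record and a stand-in for the `event.Get`/`event.Put` API. The `processEvent` name, the handling of duplicate names and missing values, and the dot-to-underscore key rewrite are this example's own choices, not the project's.

```javascript
// Added example (not o365beat's own code): flatten the Management Activity API's
// [{Name, Value}, ...] arrays into plain objects, shaped like a Beats `script` processor.

// Constructed sample record with a duplicate Name and a missing Value.
var SAMPLE_EVENT = {
  Operation: 'Set-Mailbox',
  Parameters: [
    { Name: 'Identity', Value: 'user@example.com' },
    { Name: 'ForwardingSmtpAddress', Value: 'smtp:outside@example.net' },
    { Name: 'Identity', Value: 'alias@example.com' }
  ],
  ExtendedProperties: [{ Name: 'UserAgent', Value: 'Mozilla/5.0' }, { Name: 'RequestType' }]
};

// Duplicate Names are kept as an array so nothing is dropped; a missing Value
// becomes null; entries without a non-empty string Name are skipped.
function nameValuePairsToObject(pairs) {
  var out = {};
  if (!Array.isArray(pairs)) return out;
  for (var i = 0; i < pairs.length; i++) {
    var pair = pairs[i];
    if (!pair || typeof pair.Name !== 'string' || pair.Name === '') continue;
    var key = pair.Name.replace(/\./g, '_'); // a dotted key would nest in Elasticsearch
    var value = pair.Value === undefined ? null : pair.Value;
    out[key] = Object.prototype.hasOwnProperty.call(out, key) ? [].concat(out[key], [value]) : value;
  }
  return out;
}

// Processor entry point (inside a beat's script processor this function must be
// named `process`; renamed here so it runs stand-alone). event.Get/event.Put are
// the libbeat script-processor event API.
function processEvent(event) {
  var fields = ['Parameters', 'ExtendedProperties'];
  for (var i = 0; i < fields.length; i++) {
    var pairs = event.Get(fields[i]);
    if (pairs !== null && pairs !== undefined) event.Put(fields[i], nameValuePairsToObject(pairs));
  }
}

// Stand-in for a beat event (constructed here) so processEvent() runs outside a beat.
function convertSample() {
  var data = JSON.parse(JSON.stringify(SAMPLE_EVENT));
  processEvent({
    Get: function (k) { return k in data ? data[k] : null; },
    Put: function (k, v) { data[k] = v; }
  });
  return data;
}
```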
o365beat v1.4.0
This release bumps the underlying libbeat version to the latest available (7.4.0) and fixes a throttling issue that sometimes popped up when downloading content blobs.
o365beat v1.3.1
This patch release updates the documentation to reflect the prerequisite of having Office 365 audit log search enabled, updates error messages, and fixes some version numbers that weren't updated in v1.3.0.
o365beat v1.3.0
This release fixes a bug in the auto-subscription logic (see issue #4) that left some users unable to launch the beat without manually subscribing to content types using `curl` or `Invoke-WebRequest` (or similar).
Documentation is also updated based on some user feedback, otherwise the functionality is the same as v1.2.0.
Please open an issue or pull request if you notice any bugs or deficiencies, and contact us if you need assistance with o365beat, logging, security, IR, or any other services we offer. Thanks!
O365beat v1.2.0
NOTE: This version does not properly auto-subscribe to the API feeds for content types. Please use v1.3.0, which corrects the bug, or subscribe to the feeds manually using `curl` or similar.
This version, v1.2.0, is our first non-alpha release! It includes updated documentation and a new ECS field-mapping processor in the default config file.
There is still a lot on the to-do list and probably more than a few bugs! Check the README, and please open an issue or submit a pull request if you notice any problems in testing or production.
Please note, there's still some weirdness with the version number in the build system: this version will still tag your events as "v7.2.0" (the libbeat release); I'm not confident the libbeat/custom beat tools and docs are current in this regard. That'll be fixed in the next version, and it shouldn't affect anything substantive.
O365beat v1.1.0-alpha
This release of O365beat improves the build process: the instructions in the README should work for those who'd like to build and/or modify, and there are pre-built binaries for common platforms attached. It builds on the latest revision of libbeat which dropped the day after the first release, and pins that version in the build scripts. That's what accounts for the unusual version numbering in the pre-built binaries ... we'll sort that out before coming out of alpha.
As alpha software, it still does not have test coverage or documentation. Caveat emptor.