Office 365 Management Activity API input
editOffice 365 Management Activity API input
editThis functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
Use the o365audit input to retrieve audit messages from Office 365
and Azure AD activity logs. These are the same logs that are available under
Audit log search in the Security and Compliance center.
A single input instance can be used to fetch events for multiple tenants as long as a single application is configured to access all tenants. Certificate-based authentication is recommended in this scenario.
This input doesn’t perform any transformation on the incoming messages, notably no Elastic Common Schema fields are populated, and some data is encoded as arrays of objects, which are difficult to query in Elasticsearch. You probably want to use the Office 365 module instead.
Example configuration:
filebeat.inputs: - type: o365audit application_id: my-application-id tenant_id: my-tenant-id client_secret: my-client-secret
Multi-tenancy and certificate-based authentication is also supported:
filebeat.inputs:
- type: o365audit
application_id: my-application-id
tenant_id:
- tenant-id-A
- tenant-id-B
- tenant-id-C
certificate: /path/to/cert.pem
key: /path/to/private.pem
# key_passphrase: "my key's password"
Configuration options
editThe o365audit input supports the following configuration options plus the
Common options described later.
application_id
editThe Application ID (also known as Client ID) of the Azure application to authenticate as.
tenant_id
editThe tenant ID (also known as Directory ID) whose data is to be fetched. It’s also possible to specify a list of tenants IDs to fetch data from more than one tenant.
content_type
editList of content types to fetch. The default is to fetch all known content types:
- Audit.AzureActiveDirectory
- Audit.Exchange
- Audit.SharePoint
- Audit.General
- DLP.All
client_secret
editThe client secret used for authentication.
certificate
editPath to the public certificate file used for certificate-based authentication.
key
editPath to the certificate’s private key file for certificate-based authentication.
key_passphrase
editPassphrase used to decrypt the private key.
api.authentication_endpoint
editThe authentication endpoint used to authorize the Azure app. This is
https://login.microsoftonline.com/ by default, and can be changed to access
alternative endpoints.
api.resource
editThe API resource to retrieve information from. This is
https://manage.office.com by default, and can be changed to access alternative
endpoints.
api.max_retention
editThe maximum data retention period to support. 168h by default. Filebeat
will fetch all retained data for a tenant when run for the first time.
api.poll_interval
editThe interval to wait before polling the API server for new events. Default 3m.
api.max_requests_per_minute
editThe maximum number of requests to perform per minute, for each tenant. The
default is 2000, as this is the server-side limit per tenant.
api.max_query_size
editThe maximum time window that API allows in a single query. Defaults to 24h
to match Microsoft’s documented limit.
api.preserve_original_event
editControls whether the original o365 audit object will be kept in event.original
or not. Defaults to false.
Common options
editThe following configuration options are supported by all inputs.
enabled
editUse the enabled option to enable and disable inputs. By default, enabled is
set to true.
tags
editA list of tags that Filebeat includes in the tags field of each published
event. Tags make it easy to select specific events in Kibana or apply
conditional filtering in Logstash. These tags will be appended to the list of
tags specified in the general configuration.
Example:
filebeat.inputs: - type: o365audit . . . tags: ["json"]
fields
editOptional fields that you can specify to add additional information to the
output. For example, you might add fields that you can use for filtering log
data. Fields can be scalar values, arrays, dictionaries, or any nested
combination of these. By default, the fields that you specify here will be
grouped under a fields sub-dictionary in the output document. To store the
custom fields as top-level fields, set the fields_under_root option to true.
If a duplicate field is declared in the general configuration, then its value
will be overwritten by the value declared here.
filebeat.inputs:
- type: o365audit
. . .
fields:
app_id: query_engine_12
fields_under_root
editIf this option is set to true, the custom
fields are stored as top-level fields in
the output document instead of being grouped under a fields sub-dictionary. If
the custom field names conflict with other field names added by Filebeat,
then the custom fields overwrite the other fields.
processors
editA list of processors to apply to the input data.
See Processors for information about specifying processors in your config.
pipeline
editThe ingest pipeline ID to set for the events generated by this input.
The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.
keep_null
editIf this option is set to true, fields with null values will be published in
the output document. By default, keep_null is set to false.
index
editIf present, this formatted string overrides the index for events from this input
(for elasticsearch outputs), or sets the raw_index field of the event’s
metadata (for other outputs). This string can only refer to the agent name and
version and the event timestamp; for access to dynamic fields, use
output.elasticsearch.index or a processor.
Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might
expand to "filebeat-myindex-2019.11.01".
publisher_pipeline.disable_host
editBy default, all events contain host.name. This option can be set to true to
disable the addition of this field to all events. The default value is false.