{
  "name": "microsoft_exchange_online_message_trace",
  "title": "Microsoft Exchange Online Message Trace",
  "version": "2.0.4",
  "release": "ga",
  "description": "Microsoft Exchange Online Message Trace Integration",
  "type": "integration",
  "download": "/epr/microsoft_exchange_online_message_trace/microsoft_exchange_online_message_trace-2.0.4.zip",
  "path": "/package/microsoft_exchange_online_message_trace/2.0.4",
  "icons": [
    {
      "src": "/img/logo.svg",
      "path": "/package/microsoft_exchange_online_message_trace/2.0.4/img/logo.svg",
      "title": "Microsoft Exchange Online Logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.4 || ~9.0.7 || ^9.1.4"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "email_security"
  ],
  "signature_path": "/epr/microsoft_exchange_online_message_trace/microsoft_exchange_online_message_trace-2.0.4.zip.sig",
  "format_version": "3.0.2",
  "readme": "/package/microsoft_exchange_online_message_trace/2.0.4/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/dashboard.png",
      "path": "/package/microsoft_exchange_online_message_trace/2.0.4/img/dashboard.png",
      "title": "kibana dashboard",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/microsoft_exchange_online_message_trace/2.0.4/LICENSE.txt",
    "/package/microsoft_exchange_online_message_trace/2.0.4/changelog.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/manifest.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/validation.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/docs/README.md",
    "/package/microsoft_exchange_online_message_trace/2.0.4/img/dashboard.png",
    "/package/microsoft_exchange_online_message_trace/2.0.4/img/logo.svg",
    "/package/microsoft_exchange_online_message_trace/2.0.4/kibana/tags.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/manifest.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/sample_event.json",
    "/package/microsoft_exchange_online_message_trace/2.0.4/kibana/dashboard/microsoft_exchange_online_message_trace-10b79960-536a-11ed-869d-9d6d140defa1.json",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/fields/agent.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/fields/base-fields.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/fields/fields.yml",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/agent/stream/cel.yml.hbs",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/agent/stream/log.yml.hbs",
    "/package/microsoft_exchange_online_message_trace/2.0.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "microsoft_exchange_online_message_trace",
      "title": "Microsoft Exchange Online Message Trace",
      "description": "Microsoft Exchange Online Message Trace logs",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The tenant ID for the Azure application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "The client ID of the Azure application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "The secret related to the client ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of Exchange Online Message Trace",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to Exchange Online. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the initial log from Exchange Online. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "48h"
            },
            {
              "name": "local_domains",
              "type": "text",
              "title": "Local Domains",
              "description": "Company-owned domains. These are used to calculate the email direction and extract user names.",
              "multi": true,
              "required": true,
              "show_user": true
            },
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "URL of API endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://graph.microsoft.com"
            },
            {
              "name": "login_url",
              "type": "text",
              "title": "OAuth Server URL",
              "description": "URL of the login server. '/tenant-id/oauth2/v2.0/token' is added automatically.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "token_endpoint",
              "type": "text",
              "title": "OAuth Token endpoint",
              "description": "Microsoft Identity Platform OAuth2 token endpoint",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "oauth2/v2.0/token"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "drop_status",
              "type": "text",
              "title": "Drop Logs With Status",
              "description": "Logs having the status string defined here will be dropped in the ingest pipeline.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "min_age",
              "type": "text",
              "title": "Minimum Age",
              "description": "Logs will not be requested until they are at least this old. This value should always be less than the initial_interval.\nSupported units for this parameter are h/m/s.\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "1m"
            },
            {
              "name": "resource_timeout",
              "type": "text",
              "title": "Request Timeout",
              "description": "How long to wait before the request times out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "60s"
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Exchange Online Message Trace logs via Graph API",
          "description": "Collect Exchange Online logs"
        },
        {
          "type": "logfile",
          "vars": [
            {
              "name": "local_domains",
              "type": "text",
              "title": "Local Domains",
              "multi": true,
              "required": true,
              "show_user": true
            }
          ],
          "title": "Collect Microsoft Exchange Online Message Trace logs via file",
          "description": "Collecting Exchange Online Message Trace logs via file"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "microsoft_exchange_online_message_trace.log",
      "title": "Microsoft Exchange Online Message Trace logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling request tracing compromises security, because the logged requests and responses can contain sensitive data, and it should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Exchange Online Message Trace logs",
          "description": "Collect Microsoft Exchange Online Message Trace logs from Graph API",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": true,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "microsoft-defender-endpoint",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Microsoft Exchange Online Message Trace logs",
          "description": "Collect Microsoft Exchange Online Message Trace logs from a file",
          "enabled": false,
          "ingestion_method": "File"
        }
      ],
      "package": "microsoft_exchange_online_message_trace",
      "path": "log"
    }
  ]
}
