{
  "name": "o365",
  "title": "Microsoft Office 365",
  "version": "3.8.1",
  "release": "ga",
  "description": "Collect logs from Microsoft Office 365 with Elastic Agent.",
  "type": "integration",
  "download": "/epr/o365/o365-3.8.1.zip",
  "path": "/package/o365/3.8.1",
  "icons": [
    {
      "src": "/img/logo-integrations-microsoft-365.svg",
      "path": "/package/o365/3.8.1/img/logo-integrations-microsoft-365.svg",
      "title": "Microsoft Office 365",
      "size": "216x216",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.18.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "productivity_security",
    "iam",
    "observability"
  ],
  "signature_path": "/epr/o365/o365-3.8.1.zip.sig",
  "format_version": "3.2.3",
  "readme": "/package/o365/3.8.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/filebeat-o365-audit.png",
      "path": "/package/o365/3.8.1/img/filebeat-o365-audit.png",
      "title": "Office 365 Audit Dashboard",
      "size": "1924x1409",
      "type": "image/png"
    },
    {
      "src": "/img/o365-user-dashboard.png",
      "path": "/package/o365/3.8.1/img/o365-user-dashboard.png",
      "title": "Office 365 User Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/filebeat-o365-azure-permissions.png",
      "path": "/package/o365/3.8.1/img/filebeat-o365-azure-permissions.png",
      "title": "Azure Permissions",
      "size": "2660x1030",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/o365/3.8.1/LICENSE.txt",
    "/package/o365/3.8.1/changelog.yml",
    "/package/o365/3.8.1/manifest.yml",
    "/package/o365/3.8.1/validation.yml",
    "/package/o365/3.8.1/docs/README.md",
    "/package/o365/3.8.1/img/filebeat-o365-audit.png",
    "/package/o365/3.8.1/img/filebeat-o365-azure-permissions.png",
    "/package/o365/3.8.1/img/logo-integrations-microsoft-365.svg",
    "/package/o365/3.8.1/img/new_client_secrets.png",
    "/package/o365/3.8.1/img/o365-user-dashboard.png",
    "/package/o365/3.8.1/img/permission_type.png",
    "/package/o365/3.8.1/img/required_permission.png",
    "/package/o365/3.8.1/img/select_management_api.png",
    "/package/o365/3.8.1/img/value.png",
    "/package/o365/3.8.1/kibana/tags.yml",
    "/package/o365/3.8.1/data_stream/audit/manifest.yml",
    "/package/o365/3.8.1/data_stream/audit/sample_event.json",
    "/package/o365/3.8.1/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json",
    "/package/o365/3.8.1/kibana/dashboard/o365-b318fde9-a0fa-4b57-8fd1-2f8e9f5ed6f0.json",
    "/package/o365/3.8.1/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json",
    "/package/o365/3.8.1/kibana/search/o365-fdc14020-6859-11ea-8d6a-292ef5d68366.json",
    "/package/o365/3.8.1/data_stream/audit/fields/agent.yml",
    "/package/o365/3.8.1/data_stream/audit/fields/base-fields.yml",
    "/package/o365/3.8.1/data_stream/audit/fields/beats.yml",
    "/package/o365/3.8.1/data_stream/audit/fields/ecs-extended.yml",
    "/package/o365/3.8.1/data_stream/audit/fields/fields.yml",
    "/package/o365/3.8.1/data_stream/audit/agent/stream/cel.yml.hbs",
    "/package/o365/3.8.1/data_stream/audit/agent/stream/o365audit.yml.hbs",
    "/package/o365/3.8.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "o365",
      "title": "Office 365 logs",
      "description": "Collect logs from Office 365",
      "inputs": [
        {
          "type": "cel",
          "title": "Collect audit logs",
          "description": "Collect audit logs using the Management Activity API"
        },
        {
          "type": "o365audit",
          "title": "DEPRECATED - Collect audit logs",
          "description": "Please deactivate this option and instead use the one described above. This option collects audit logs using the Management Activity API through a deprecated method."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "o365.audit",
      "title": "Microsoft Office 365 audit logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "Base URL of Office Management API",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "https://manage.office.com"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "How often the API is polled, supports seconds, minutes and hours.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "3m"
            },
            {
              "name": "azure_tenant_id",
              "type": "text",
              "title": "Directory (tenant) ID",
              "description": "Directory (tenant) ID",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Application (client) ID",
              "description": "Client ID used for OAuth 2.0 authentication",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client secret used for OAuth 2.0 authentication",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_url",
              "type": "text",
              "title": "OAuth 2.0 Token URL",
              "description": "Base URL endpoint that will be used to generate the tokens during the OAuth 2.0 flow. If not provided, the `Azure Tenant ID` above will be used for OAuth 2.0 token generation. Default value - `https://login.microsoftonline.com`",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "token_scopes",
              "type": "text",
              "title": "Token Scopes",
              "description": "Scopes for OAuth 2.0 token.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "https://manage.office.com/.default"
              ]
            },
            {
              "name": "oauth_endpoint_params",
              "type": "yaml",
              "title": "OAuth2 Endpoint Params",
              "description": "Endpoint Params used for OAuth2 authentication as YAML. See [documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel#_auth_oauth2_endpoint_params) for details.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "grant_type: client_credentials\n"
            },
            {
              "name": "content_types",
              "type": "text",
              "title": "Content Type",
              "description": "Comma-separated list of content types to fetch from the Management API.\nSupported content types are `Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All`.\n\nMore information can be found in the [documentation](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#working-with-the-office-365-management-activity-api).",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "Initial interval for the first API call. The default starts fetching events from 167h55m, i.e., 7 days ago, and must not go further back than that. Supports the following suffixes: \"h\" (hour), \"m\" (minute), \"s\" (second), \"ms\" (millisecond), \"us\" (microsecond), and \"ns\" (nanosecond).",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "167h55m"
            },
            {
              "name": "batch_interval",
              "type": "text",
              "title": "Batch Interval",
              "description": "Interval for each API request. The default fetches a single hour of events for each request. This value may not be more than 24h. Supports the following suffixes: \"h\" (hour), \"m\" (minute), \"s\" (second), \"ms\" (millisecond), \"us\" (microsecond), and \"ns\" (nanosecond).",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "max_executions",
              "type": "integer",
              "title": "Maximum Executions Per Interval",
              "description": "Maximum Executions Per Interval is the maximum number of executions that can be performed without waiting for the interval time.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 10000
            },
            {
              "name": "maximum_age",
              "type": "text",
              "title": "Maximum Age",
              "description": "A hard maximum age limit for data that can be requested. It defaults to 5 minutes less than the API's documented limit, but may be shortened as a workaround for errors related to expired data. Supports the following suffixes: \"h\" (hour), \"m\" (minute), \"s\" (second), \"ms\" (millisecond), \"us\" (microsecond), and \"ns\" (nanosecond).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "167h55m"
            },
            {
              "name": "resource_ssl",
              "type": "yaml",
              "title": "Resource SSL Configuration",
              "description": "e.g. certificate_authorities, supported_protocols, verification_mode, etc. More examples can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config).",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_timeout",
              "type": "text",
              "title": "Resource Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. Default is \"30s\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "60s"
            },
            {
              "name": "resource_proxy_url",
              "type": "text",
              "title": "Resource Proxy",
              "description": "This specifies proxy configuration in the form of `http[s]://<user>:<password>@<server name/ip>:<port>`.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_retry_max_attempts",
              "type": "text",
              "title": "Resource Retry Max Attempts",
              "description": "Maximum number of retries for the HTTP client. Default is \"5\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_retry_wait_min",
              "type": "text",
              "title": "Resource Retry Wait Min",
              "description": "Minimum time to wait before a retry is attempted. Default is \"1s\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_retry_wait_max",
              "type": "text",
              "title": "Resource Retry Wait Max",
              "description": "Maximum time to wait before a retry is attempted. Default is \"60s\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_redirect_forward_headers",
              "type": "bool",
              "title": "Resource Redirect Forward Headers",
              "description": "If set to true, resource headers are forwarded in case of a redirect. Default is \"false\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_redirect_headers_ban_list",
              "type": "text",
              "title": "Resource Redirect Headers Ban List",
              "description": "If \"Redirect Forward Headers\" is set to true, all headers except the ones defined in this list will be forwarded. All headers are forwarded by default.",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_redirect_max_redirects",
              "type": "text",
              "title": "Resource Redirect Max Redirects",
              "description": "Maximum number of redirects to follow for a resource. Default is \"10\".",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_rate_limit_limit",
              "type": "text",
              "title": "Resource Rate Limit",
              "description": "Value of the response that specifies the total limit.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_rate_limit_burst",
              "type": "text",
              "title": "Resource Rate Limit Burst",
              "description": "The maximum burst size. Burst is the maximum number of resource requests that can be made above the overall rate limit.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded",
                "o365-cel"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Collect audit logs",
          "description": "Collects audit logs using the Management Activity API",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "o365audit",
          "vars": [
            {
              "name": "application_id",
              "type": "text",
              "title": "Application (client) ID",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client secret (API key)",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "certificate",
              "type": "text",
              "title": "Path to certificate file",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "key",
              "type": "text",
              "title": "Path to private key file",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "key_passphrase",
              "type": "password",
              "title": "Private key passphrase",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tenants",
              "type": "text",
              "title": "Directory (tenant) IDs",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "tenant-id"
              ]
            },
            {
              "name": "tenant_names",
              "type": "text",
              "title": "Directory (tenant) domains mapping",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "tenant-id: domain-name"
              ]
            },
            {
              "name": "content_type",
              "type": "text",
              "title": "Content types",
              "multi": true,
              "required": true,
              "show_user": true,
              "default": [
                "Audit.AzureActiveDirectory",
                "Audit.Exchange",
                "Audit.SharePoint",
                "Audit.General",
                "DLP.All"
              ]
            },
            {
              "name": "api",
              "type": "yaml",
              "title": "Advanced API settings",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "o365-audit"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#- add_fields:\n#    target: foo\n#    fields:\n#      bar: baz"
            }
          ],
          "template_path": "o365audit.yml.hbs",
          "title": "DEPRECATED - Collect audit logs",
          "description": "Please deactivate this option and instead use the one described above. This option collects audit logs using the Management Activity API through a deprecated method.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "o365",
      "elasticsearch": {
        "index_template.settings": {
          "index": {
            "mapping": {
              "total_fields": {
                "limit": 2000
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "audit"
    }
  ]
}
