
[Meta] Module to ingest Office365 audit events #16196

Closed
6 of 18 tasks
adriansr opened this issue Feb 7, 2020 · 4 comments · Fixed by #16386

Comments

@adriansr (Contributor) commented Feb 7, 2020

Modules

For a metricset to go GA, the following criteria should be met:

  • Supported versions are documented
  • Supported operating systems are documented (if applicable)
  • Integration tests exist
  • System tests exist
  • Automated checks that all fields are documented
  • Documentation
  • Fields follow ECS and naming conventions
  • Dashboards exist (if applicable)
  • Kibana Home Tutorial (if applicable)
    • Open PR against Kibana repo with tutorial. Examples can be found here.

Filebeat module

  • Test log files exist for the grok patterns
  • Generated output for at least 1 log file exists

Metricbeat module

  • Example data.json exists and an automated way to generate it exists (go test -data)
  • Test environment in Docker exists for integration tests

@elasticmachine (Collaborator) commented:

Pinging @elastic/siem (Team:SIEM)

@mbarretta commented:

All bits that flow from this issue need to support the configuration of alternative O365 endpoints: not all users are on the public cloud.

adriansr added a commit to adriansr/beats that referenced this issue Feb 11, 2020
This input uses Microsoft's Office 365 Management API to fetch audit
events.

Relates elastic#16196
@adriansr (Contributor, Author) commented:

@mbarretta I think that is supported in the current input draft: it allows configuring a custom authentication endpoint (default https://login.microsoftonline.com/) and a custom "resource"/API endpoint (default https://manage.office.com), but I'd like to have it validated before release.

@philippkahr (Contributor) commented:

I also wanted to point out that the Office365 audit logs do not contain any Azure AD sign-in logs. For that, you need to talk either to a Microsoft Azure Event Hub, a storage pool, or Azure Monitor logs (see Microsoft Docs for Azure AD Log streaming).

I do not know if it would make sense to add this in this module or to move it to the Azure module. Just wanted to throw it in here :)

adriansr added a commit to adriansr/beats that referenced this issue Mar 3, 2020
This input uses Microsoft's Office 365 Management API to fetch audit
events.

Relates elastic#16196
adriansr added a commit that referenced this issue Mar 5, 2020
This input uses Microsoft's Office 365 Management API to fetch audit
events.

Relates to #16196
adriansr added a commit to adriansr/beats that referenced this issue Mar 19, 2020
This input uses Microsoft's Office 365 Management API to fetch audit
events.

Relates to elastic#16196

(cherry picked from commit ed80900)
adriansr added a commit that referenced this issue Mar 20, 2020
This input uses Microsoft's Office 365 Management API to fetch audit
events.

Relates to #16196

(cherry picked from commit ed80900)

4 participants