O365beat Versions

Elastic Beat for fetching and shipping Office 365 audit events

v1.5.1

4 years ago

Added

  • Added support for the script processor and provided a sample processor script in o365beat.reference.yml to convert fields that contain arrays of name-value pairs into a "normal" object (closes #41)

Changed

  • Updated README and config files to highlight options to help avoid timeouts on busy tenancies (closes #39)
  • Updated README to link to references on API event data (closes #37)

v1.5.0

4 years ago

A significant release that updates documentation alongside the following:

Added

  • Added and documented feature to customize API endpoints, which allows support for GCC High (see #25)

Changed

  • Properly parses certain ClientIP field formats (fixes #16 and #31)
  • Fixes build issue that caused important processors to be shadowed in config (#9)
  • Fixes issue parsing corrupted state/registry files (#19)
  • Updates libbeat to v7.5.1

v1.4.3

4 years ago

This is an important bug-fix release, particularly for high-volume tenancies. It ensures your API requests aren't throttled; throttling can result in un-shipped events under some circumstances.

Changed

  • Includes fixes to #17 and #21.

v1.4.2

4 years ago

Primarily a bug-fix release.

Changed

  • Includes fixes to #12, #13, and #14, along with some documentation updates.

v1.4.1

4 years ago

Added

  • Includes new Kibana visualizations and a dashboard, showing AlertTriggered events from Microsoft's Advanced Threat Protection service, a chart of common client IP addresses, a list of unique users, and a running stream of summarized activity.

Changed

  • Updates processors to better handle certain log fields. Specifically, the API provides the Parameters and ExtendedProperties fields as arrays of objects with just Name and Value keys, which is very confusing and difficult to work with, and causes issues with Elasticsearch. This version stores those fields as strings, which can then be deserialized or parsed with string-based tools. Most importantly, it stops indexing errors and dropped events.

  • Fixes an issue with vendor metadata that caused a build error during make release.
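The Name/Value array conversion that v1.5.1 added a script processor for, and that the v1.4.1 note above describes, written out as an added example of a Beats script processor (this is not o365beat's own sample from o365beat.reference.yml). The Event API calls (Get/Put), the MockEvent stand-in and the sample record are assumptions so that the script runs under Node as well.

```javascript
// Added example (not o365beat's sample script): Beats script processor, written in ES5 because
// the processor's engine is ES5.1, that turns Parameters/ExtendedProperties from arrays of
// {Name, Value} objects into objects keyed by Name. event.Get/Put is the Event API, mocked below.
var FIELDS = ["Parameters", "ExtendedProperties"];

// [{Name: "X", Value: "y"}, ...] -> {X: "y", ...}. Returns null for non-arrays so the field is
// left untouched. An entry without a usable Name goes under "_unnamed"; a repeated Name collects
// its values into an array instead of overwriting the earlier one.
function nameValueArrayToObject(arr) {
  if (!Array.isArray(arr)) return null;
  var out = {};
  for (var i = 0; i < arr.length; i++) {
    var item = arr[i];
    if (item === null || typeof item !== "object") continue;
    var name = (typeof item.Name === "string" && item.Name !== "") ? item.Name : "_unnamed";
    var value = item.Value === undefined ? null : item.Value;
    if (!Object.prototype.hasOwnProperty.call(out, name)) {
      out[name] = value;
    } else {
      if (!Array.isArray(out[name])) out[name] = [out[name]];
      out[name].push(value);
    }
  }
  return out;
}

// Per-event entry point. Inside the beat this function must be named process(event);
// it is called processEvent here only so it does not shadow Node's global process object.
function processEvent(event) {
  for (var i = 0; i < FIELDS.length; i++) {
    var converted = nameValueArrayToObject(event.Get(FIELDS[i]));
    if (converted !== null) event.Put(FIELDS[i], converted);
  }
}

// Stand-in for the Beats Event object so the script also runs outside the beat (assumed API).
function MockEvent(fields) { this.fields = fields; }
MockEvent.prototype.Get = function (k) { return this.fields[k] === undefined ? null : this.fields[k]; };
MockEvent.prototype.Put = function (k, v) { this.fields[k] = v; };

// Runs the processor over a constructed record (not real audit data) and returns the fields.
function runSample() {
  var ev = new MockEvent({
    Operation: "Set-Mailbox",
    Parameters: [{ Name: "Identity", Value: "user@example.com" }, { Name: "AuditEnabled", Value: "True" },
                 { Name: "Identity", Value: "shared@example.com" }],      // repeated Name
    ExtendedProperties: [{ Name: "UserAgent", Value: "Mozilla/5.0" }, { Value: "no Name key" }] // missing Name
  });
  processEvent(ev);
  return ev.fields;
}
```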

v1.4.0

4 years ago

This release bumps the underlying libbeat version to the latest available (7.4.0) and fixes a throttling issue that sometimes popped up when downloading content blobs.

v1.3.1

4 years ago

This patch release updates the documentation to reflect the prerequisite of having Office 365 audit log search enabled, updates error messages, and fixes some version numbers that weren't updated in v1.3.0.

v1.3.0

4 years ago

This release fixes a bug in the auto-subscription logic (see issue https://github.com/counteractive/o365beat/issues/4) that left some users unable to launch the beat without manually subscribing to content types using curl or Invoke-WebRequest (or similar).

Documentation is also updated based on some user feedback; otherwise the functionality is the same as v1.2.0.

Please open an issue or pull request if you notice any bugs or deficiencies, and contact us if you need assistance with o365beat, logging, security, IR, or any other services we offer. Thanks!

v1.2.0

4 years ago

NOTE: This version does not properly auto-subscribe to the API feeds for content types. Please use v1.3.0 which corrects the bug, or subscribe to the feeds manually using curl or similar.

This version, v1.2.0, is our first non-alpha release! It includes updated documentation and a new ECS field-mapping processor in the default config file.

There is still a lot on the to-do list and probably more than a few bugs! Check the README, and please open an issue or submit a pull request if you notice any problems in testing or production.

Please note, there's still some weirdness with the version number in the build system: this version will still tag your events as "v7.2.0" (the libbeat release); I'm not confident the libbeat/custom beat tools and docs are current in this regard. That'll be fixed in the next version, and it shouldn't affect anything substantive.

v1.1.0-alpha

4 years ago

This release of O365beat improves the build process: the instructions in the README should work for those who'd like to build and/or modify, and there are pre-built binaries for common platforms attached. It builds on the latest revision of libbeat which dropped the day after the first release, and pins that version in the build scripts. That's what accounts for the unusual version numbering in the pre-built binaries ... we'll sort that out before coming out of alpha.

As alpha software, it still does not have test coverage or documentation. Caveat emptor.