counteractive / o365beat

Elastic Beat for fetching and shipping Office 365 audit events

o365 audit.exchange not returning threat audit logs #46

Closed CustosClarus closed 4 years ago

CustosClarus commented 4 years ago

Lately, I have got a requirement from a customer to integrate O365 audit logs (Exchange included) into Elasticsearch.

All was going fine, until I couldn't get logs related to the E3 O365 subscription (Exchange Online P2 plan), which has built-in threat detection and blocking for spoofing, malware and URL scanning.

None of those events are coming to Exchange, besides the admin audit activities of Exchange related to the use of cmdlets.

I want to know: is this a limitation of the code or of Microsoft itself? Thanks.

Regards, Asad

chris-counteractive commented 4 years ago

Great question - we definitely get ATP logs through the API subscriptions in the beat, though it looks like E3 doesn't support those events. Per the documentation:

"Office 365 Advanced Threat Protection (ATP) and Threat Investigation and Response events are available for Office 365 customers who have an Office 365 Advanced Threat Protection Plan 1, Office 365 Advanced Threat Protection Plan 2, or an E5 subscription"

As far as I can tell there's no technical limitation, the beat is checking the right API endpoints, so long as you subscribe to the right feeds (which are enabled by default in the beat config). If you find out differently, please let me know and I'll happily re-open the issue.
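The reply above turns on whether the right feeds are subscribed on the Management Activity API. The following is an added example, not code from o365beat or from either participant: it parses the JSON that the API's subscriptions/list call returns and reports which of the five content types are not enabled. The listing embedded in the script is a constructed sample (no network call is made), and the note that ATP and Threat Intelligence records arrive under Audit.General rather than Audit.Exchange reflects the API's schema, which is why a collector that only reads the Exchange feed would never see them.

```python
"""Check an Office 365 Management Activity API subscription listing for the
content types a collector such as o365beat expects.

Added example, not part of o365beat or the original issue. SAMPLE_LISTING is a
constructed stand-in for the body returned by
GET https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/list
so the script runs offline.
"""
import json

# The five content types the Management Activity API offers. Office 365 ATP
# and Threat Intelligence events are delivered under Audit.General;
# Audit.Exchange carries mailbox and admin cmdlet audit records.
EXPECTED_CONTENT_TYPES = (
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
)

# Constructed sample: a tenant where Audit.General was never started and
# DLP.All was stopped, so threat events would not arrive even with the
# right licence.
SAMPLE_LISTING = json.dumps([
    {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": None},
    {"contentType": "Audit.Exchange", "status": "enabled", "webhook": None},
    {"contentType": "Audit.SharePoint", "status": "enabled", "webhook": None},
    {"contentType": "DLP.All", "status": "disabled", "webhook": None},
])


def parse_subscriptions(listing_json):
    """Return {contentType: status} from a subscriptions/list response body."""
    entries = json.loads(listing_json)
    return {e["contentType"]: str(e.get("status", "")).lower() for e in entries}


def missing_subscriptions(listing_json, expected=EXPECTED_CONTENT_TYPES):
    """Content types that are absent from the listing or not 'enabled'."""
    status = parse_subscriptions(listing_json)
    return [ct for ct in expected if status.get(ct) != "enabled"]


def explain_missing(listing_json):
    """One note per feed the collector still needs to start (via
    POST .../subscriptions/start?contentType=<type>)."""
    notes = []
    for ct in missing_subscriptions(listing_json):
        if ct == "Audit.General":
            notes.append(f"{ct}: not enabled; ATP/Threat Intelligence records ride this feed")
        else:
            notes.append(f"{ct}: not enabled")
    return notes


if __name__ == "__main__":
    for note in explain_missing(SAMPLE_LISTING):
        print(note)
```

Run against a real listing, the same check is a quick way to tell a licensing gap (feed enabled, no ATP records) from a configuration gap (Audit.General never started) before assuming the collector is at fault.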

CustosClarus commented 4 years ago

Hi Chris,

Thanks for the kind message and apologies for the late reply; I was busy due to religious duties that needed to be performed in the holy month of Ramadan.

The thing is, with the E3 / P2 EOL plan there is built-in threat intelligence data related to Exchange security services (spoofing, malware, URL); all those events can be seen on the Azure dashboard in "Security and Compliance" but are not exported.

So, using remote PowerShell (Exchange), I dumped those records with cmdlets under the "ATP" sub-category. Once downloaded, they were ingested back into the Elastic pipeline through the Beats/LS combination.

I think this is an inherent design limitation where these events are not pulled out, or do not lie within the scope of the O365 API which your script manages or taps.

Regards, Asad


chris-counteractive commented 4 years ago

Asad - thank you for the follow-up, this is helpful to know. As you suggest, these events are likely not part of the Office 365 Management Activity API, and thus outside the scope of the beat. If there were a non-PowerShell, API-driven way of getting the events you pulled, I'd be happy to add that feature to the beat to check those endpoints as well. I'll keep an eye out. Thanks again!