
o365beat for Windows

O365beat is an open source log shipper used to fetch Office 365 audit logs from the Office 365 Management Activity API and forward them with all the flexibility and capability provided by the beats platform (specifically, libbeat).


Prerequisites and Permissions:

O365beat requires that you enable audit log search for your Office 365 tenancy, done through the Security and Compliance Center in the Office 365 Admin Portal. If you want detailed Exchange events, you also have to enable mailbox auditing (on by default since January 2019, but worth checking).

It also needs access to the Office 365 Management API: instructions for setting this up are available in the Microsoft documentation.

Once you have these set up, you'll be able to get the information needed in the config file. The naming conventions for the settings are a bit odd; in o365beat.yml you'll see some of the synonyms: the client id is also called the application id, and the directory id is also called the tenant id. In the Azure portal, go to "App registrations" and you'll see the Application (Client) ID, a GUID, right there in the application list. If you click on that, you'll see the application (client) id and the directory (tenant) id in the top area.


The client secret is a little trickier: you can create one by clicking the "Certificates & secrets" link on the left there. Be sure to copy it somewhere or you'll have to create a new one; there's no facility for viewing them later. The default config file expects these config values to be in your environment (i.e., as environment variables), named O365BEAT_TENANT_DOMAIN, O365BEAT_CLIENT_SECRET, etc. You can hard-code them in that file if you like, especially when testing, just be smart about the permissions.

Finally, the Azure app registration permissions should look like this:

App Permissions in Azure Portal

You can edit those using that “API permissions” link on the left, with more detailed instructions available from Microsoft. The beat should automatically subscribe you to the right feeds, though that functionality is currently undergoing testing.
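Before installing anything, it is worth confirming that the app registration and its API permissions actually work. The following is an added example, not part of o365beat or this post: it reads the same O365BEAT_* environment variables the default config expects, obtains a token with the same client-credentials grant the beat uses, and lists the existing Management Activity API subscriptions against the four content types in the default o365beat.yml (assumed here). It is read-only and starts no subscriptions.

```powershell
# Added example, not part of o365beat: read-only check that the app registration works.
$required = 'O365BEAT_TENANT_DOMAIN', 'O365BEAT_CLIENT_ID', 'O365BEAT_CLIENT_SECRET', 'O365BEAT_DIRECTORY_ID'
$missing  = $required | Where-Object { -not [Environment]::GetEnvironmentVariable($_) }
if ($missing) { throw "Not set in this session: $($missing -join ', ')" }

# 1. Token for the Management API (the v1 endpoint accepts the tenant domain as the tenant).
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$env:O365BEAT_TENANT_DOMAIN/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $env:O365BEAT_CLIENT_ID
        client_secret = $env:O365BEAT_CLIENT_SECRET
        resource      = 'https://manage.office.com'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# 2. List current subscriptions. A 401/403 here means the ActivityFeed.Read application
#    permission is missing or has not been granted admin consent; fix that before installing.
$uri  = "https://manage.office.com/api/v1.0/$env:O365BEAT_DIRECTORY_ID/activity/feed/subscriptions/list"
$subs = @(Invoke-RestMethod -Method Get -Uri $uri -Headers $headers)

# 3. Compare against the content types listed in o365beat.yml (defaults assumed).
$wanted = 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint', 'Audit.General'
foreach ($ct in $wanted) {
    $sub   = $subs | Where-Object { $_.contentType -eq $ct }
    $state = if ($sub) { $sub.status } else { 'not subscribed' }
    '{0,-28} {1}' -f $ct, $state
}
```

A content type reported as "not subscribed" is what the beat's automatic subscription is meant to handle; a token or permission error at step 1 or 2 means the registration itself needs fixing first.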


Installing and Running:

1. Download the o365beat zip.

2. Extract the contents of the zip file into C:\Program Files.

3. Rename the o365beat-1.4.3-windows-x86_64 directory in C:\Program Files to o365beat.

4. Open a PowerShell prompt as administrator and cd into C:\Program Files.

Tip: Right-click on the PowerShell icon and select "Run as Administrator".

5. Set the execution policy so that the install script can run. Cd into the o365beat folder and run the following:

          PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-o365beat.ps1

The script is case sensitive.

6. Configure the o365beat.yml file with the correct credentials.

Tip: The easiest way to do this is to open the file up in a code editor such as Visual Studio Code.

o365beat Inputs Section:

o365beat:
  tenant_domain: ${O365BEAT_TENANT_DOMAIN:your tenant domain here}
  client_secret: ${O365BEAT_CLIENT_SECRET:your client secret here}
  client_id:     ${O365BEAT_CLIENT_ID:your client id here}     # aka application id (GUID)
  directory_id:  ${O365BEAT_DIRECTORY_ID:your directory id here}  # aka tenant id (GUID)
  registry_file_path: ${O365BEAT_REGISTRY_PATH:./o365beat-registry.json}
  # content types to pull from the Management Activity API
  content_types:
    - Audit.AzureActiveDirectory
    - Audit.Exchange
    - Audit.SharePoint
    - Audit.General


Kibana Section:

#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"
  host: ""
  username: "Vizion Username"
  password: "Vizion Password"


Elasticsearch Output Section:

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["Elasticsearch API Endpoint"]
  # Custom index name; a custom index also requires setup.template.name and setup.template.pattern.
  index: "o365beat-%{+yyyy.MM.dd}"

setup.template.name: "o365beat"
setup.template.pattern: "o365beat-*"


7. In PowerShell, run the program in the foreground to make sure it is set up correctly. Look for any error messages.

.\o365beat.exe -c o365beat.yml -e -d "*"

This will run the beat in the terminal and will continually display any logs being added in real-time. Use CTRL-C to terminate the foreground process.


8. Test that o365beat has been installed as a service:

Get-Service o365beat

Tip: If installed correctly, the terminal will display the Status, Name, and DisplayName.


9. Start the o365beat service as a background process:

Start-Service o365beat

Logs should start appearing in the Discover tab within seconds. If nothing is showing up, you may need to log into your o365 account and create a new file to test it out.


10. In the Discover tab of the Kibana dashboard, create an index pattern to display the logs.

Inputting o365beat-* should match the incoming beats from o365. Click "next" to continue setting up the index pattern with the desired configuration. Upon completion, the logs should start displaying in real-time as they are created.

Tip: the Refresh Interval may need to be modified to a shorter time span to see the incoming logs appear.
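Once the service is running, the config file is the one thing left to lock down: if you hard-coded the client secret in o365beat.yml (step 6), the default Program Files ACL lets every local user read it. The following is an added example, not part of o365beat or this post; it assumes the install path from step 3 and that the service runs as LocalSystem, which is what the install script's New-Service call gives you.

```powershell
# Added example, not part of o365beat: restrict o365beat.yml to SYSTEM and Administrators.
$cfg = 'C:\Program Files\o365beat\o365beat.yml'

$acl = Get-Acl -Path $cfg
# Stop inheriting the Program Files ACL (which grants Users read) and drop inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove any explicit entries that remain, then grant only the two principals that need access.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }
foreach ($who in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($who, 'FullControl', 'Allow'))
}
Set-Acl -Path $cfg -AclObject $acl

# Verify: only SYSTEM and Administrators should be listed, and the service should still be Running.
(Get-Acl -Path $cfg).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Get-Service -Name o365beat | Format-Table Status, Name, DisplayName -AutoSize
```

If you run the service under a dedicated account instead of LocalSystem, add that account to the allow list in place of SYSTEM.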