Filebeat Module O365 API URI?

I am trying to get some support from Microsoft because I am not seeing all the login data I see in the Azure AD Console via the O365 Module. They would like to know what URI the module is using for API calls and I am not seeing it listed, other than generically using manage.office.com.

Is that something someone could point me to, so I can use a PowerShell script to test the audit data?

Much appreciated.

I kind of feel like this forum is kind of dead? Am I asking dumb questions, or is this where all my questions go to die?

Hello,

Some questions get more traction than others for different reasons.

But to answer your question, the O365 module uses the Office 365 Management Activity API, which, per Microsoft's documentation, uses manage.office.com, as you already knew.

The module documentation also refers to the same endpoint. If you do not edit that configuration in your module, it will use the default endpoint, which is also manage.office.com; you can check it in the code.

So, the O365 module uses the manage.office.com endpoint to collect data; there is no other URL for the API.

If you want to check further, the code for the input is here.

Thanks, I am sorry to be blunt, but I am trying to work with Microsoft to see why I am not getting all the login data via the Elastic Beat module for O365. I used the Microsoft Management API and it is set up correctly from what I can see per the documentation; however, I am missing out on Exchange logins mostly.

Since we pay for support via them, I opened a ticket and wanted to see if they are shipping all relevant data and if I missed something on the OAuth app configuration side. They would like me to get the API call URI so I can test the output in PowerShell, but I really do not know what you all are using. From your code, I guess I am not able to read it well enough.

I see this site from Microsoft:

Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://<YOUR_API_ENDPOINT>/api/v1.0/$tenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory"

So maybe this for Azure AD Audit? "https://manage.office.com/api/v1.0/$tenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory"

I'm not from Elastic, but looking into the code, it seems that the Request URL is built using the following function.

// RequestDecorators returns the decorators used to perform a request.
func (l listBlob) RequestDecorators() []autorest.PrepareDecorator {
	return []autorest.PrepareDecorator{
		autorest.WithBaseURL(l.env.Config.Resource),
		autorest.WithPath("api/v1.0"),
		autorest.WithPath(l.env.TenantID),
		autorest.WithPath("activity/feed/subscriptions/content"),
		autorest.WithQueryParameters(
			map[string]interface{}{
				"contentType": l.env.ContentType,
				"startTime":   l.startTime.Format(apiDateFormat),
				"endTime":     l.endTime.Format(apiDateFormat),
			}),
	}
}

So the API endpoint that Filebeat uses would be:

https://manage.office.com/api/v1.0/YOUR-TENANT-ID/activity/feed/subscriptions/content?contentType=CONTENT-TYPE&startTime=START-TIME&endTime=END-TIME

The content types available are in this part of the code:

		ContentType: []string{
			"Audit.AzureActiveDirectory",
			"Audit.Exchange",
			"Audit.SharePoint",
			"Audit.General",
			"DLP.All",
		}

So, the request created by Filebeat is the same as the one in the Microsoft troubleshooting page that you shared.

To query the Audit for Azure Active Directory for yesterday, you would need something like this:

"https://manage.office.com/api/v1.0/YOUR-TENANT-ID/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&startTime=2022-01-09T00:00&endTime=2022-01-09T23:59"
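As an added example (not code from this thread, nor from the Filebeat module itself), here is a small Go program that assembles the same content-listing URL from the pieces quoted above, without the autorest dependency, and does so for every default content type so each feed (Audit.Exchange included) can be checked on its own. Two things in it are assumptions rather than quotes from the thread: the date layout `2006-01-02T15:04` (minute precision, matching the example URL; the API also accepts seconds), and the window check, which encodes the Management Activity API's documented limits for listing content (start before end, at most 24 hours per request, start no more than seven days in the past). The tenant ID is the `YOUR-TENANT-ID` placeholder from the thread.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// DefaultResource is the endpoint the module falls back to when the
// configuration does not override it.
const DefaultResource = "https://manage.office.com"

// apiDateFormat is an assumption: the API accepts YYYY-MM-DDTHH:MM (seconds
// are optional), which is the precision used in the example URL above.
const apiDateFormat = "2006-01-02T15:04"

// ContentTypes mirrors the subscriptions the module enables by default.
var ContentTypes = []string{
	"Audit.AzureActiveDirectory",
	"Audit.Exchange",
	"Audit.SharePoint",
	"Audit.General",
	"DLP.All",
}

// checkWindow enforces the limits the Management Activity API documents for
// listing content: start before end, a window of at most 24 hours, and a
// start no more than seven days before "now". Passing now explicitly keeps
// the check deterministic.
func checkWindow(start, end, now time.Time) error {
	switch {
	case !start.Before(end):
		return errors.New("startTime must be earlier than endTime")
	case end.Sub(start) > 24*time.Hour:
		return errors.New("window must not exceed 24 hours")
	case now.Sub(start) > 7*24*time.Hour:
		return errors.New("startTime must be within the last 7 days")
	}
	return nil
}

// ContentURL reproduces the URL the module's RequestDecorators assemble:
// {resource}/api/v1.0/{tenant}/activity/feed/subscriptions/content with
// contentType, startTime and endTime as query parameters.
func ContentURL(resource, tenantID, contentType string, start, end, now time.Time) (string, error) {
	known := false
	for _, ct := range ContentTypes {
		if ct == contentType {
			known = true
			break
		}
	}
	if !known {
		return "", fmt.Errorf("unknown contentType %q", contentType)
	}
	if err := checkWindow(start, end, now); err != nil {
		return "", err
	}
	// Timestamps come from time.Format and contain only digits, 'T', ':' and
	// '-', all legal unescaped in a query string, so only the caller-supplied
	// parts are escaped.
	return fmt.Sprintf("%s/api/v1.0/%s/activity/feed/subscriptions/content?contentType=%s&startTime=%s&endTime=%s",
		strings.TrimRight(resource, "/"),
		url.PathEscape(tenantID),
		url.QueryEscape(contentType),
		start.UTC().Format(apiDateFormat),
		end.UTC().Format(apiDateFormat)), nil
}

// AllContentURLs builds one listing URL per default content type, which is
// handy when checking each feed (for example Audit.Exchange) separately.
func AllContentURLs(resource, tenantID string, start, end, now time.Time) ([]string, error) {
	urls := make([]string, 0, len(ContentTypes))
	for _, ct := range ContentTypes {
		u, err := ContentURL(resource, tenantID, ct, start, end, now)
		if err != nil {
			return nil, err
		}
		urls = append(urls, u)
	}
	return urls, nil
}

func main() {
	// Constructed sample window: the whole of 2022-01-09, queried the next day.
	start := time.Date(2022, 1, 9, 0, 0, 0, 0, time.UTC)
	end := time.Date(2022, 1, 9, 23, 59, 0, 0, time.UTC)
	now := time.Date(2022, 1, 10, 12, 0, 0, 0, time.UTC)
	urls, err := AllContentURLs(DefaultResource, "YOUR-TENANT-ID", start, end, now)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, u := range urls {
		fmt.Println(u)
	}
}
```

Each URL this prints still needs the same bearer token the module obtains for the tenant's app registration; the program only builds and sanity-checks the request, it does not send it. The window check is what catches the easy mistakes when testing by hand (a reversed or multi-day range), which the API would otherwise reject with an error that says little about why.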

Amazing! Thank you very much for the help.
