Microsoft Filebeat Module


I am using the Filebeat O365 module across a bunch of Azure AD tenants with great success.

I am looking to onboard Microsoft Defender for Business and as such I'd like to ingest the Windows Defender events and I can see that the Microsoft Filebeat module will do just that!

However, there seems to be a problem here. With the O365 module I can specify a list of tenants and I am using a certificate to connect to the app instead of an OAuth2 token.

It looks like the Microsoft module is forcing the use of an OAuth2 token which means that I need to create an individual App per tenant and generate an OAuth2 token per app. OK I can do that, however, the Microsoft module does not seem to have any way for me to connect to multiple Azure AD tenants?

I thought well maybe I am supposed to define a config for the Microsoft module multiple times, once for each tenant but upon investigation I can see people saying that only the final module configuration is used!!!!

So does that mean it is not even possible to ingest the Windows defender events from multiple tenants?

Hi @John_Doe4

You could run multiple Filebeat instances and query one tenant per instance.


Thanks, although if possible I’d like to avoid having to configure and maintain 35 different instances of filebeat.

I am guessing I may have to change to Splunk for my needs?

Well that is your choice of course. If you got the money... Is there already a GitHub issue for this problem by the way? Without GH isssue it ain't going to be solved.

I couldn't even find the microsoft module in the beats on github. A thought I had was to clone the microsoft module and rename it 35 times, so essentially creating 35 unique modules.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.