Hi,
I am using the Filebeat O365 module across a bunch of Azure AD tenants with great success.
I am looking to onboard Microsoft Defender for Business, and as such I'd like to ingest the Windows Defender events. I can see that the Microsoft Filebeat module will do just that!
However, there seems to be a problem here. With the O365 module I can specify a list of tenants and I am using a certificate to connect to the app instead of an OAuth2 token.
It looks like the Microsoft module is forcing the use of an OAuth2 token, which means that I need to create an individual app per tenant and generate an OAuth2 token per app. OK, I can do that; however, the Microsoft module does not seem to have any way for me to connect to multiple Azure AD tenants?
I thought, well, maybe I am supposed to define a config for the Microsoft module multiple times, once for each tenant, but upon investigation I can see people saying that only the final module configuration is used!!!!
So does that mean it is not even possible to ingest the Windows Defender events from multiple tenants?