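# Filebeat input for Microsoft Exchange message-tracking logs, tagged for the
# XDR collector. Each CSV line is split into named fields by the dissect
# processor below; the field order is fixed by the tokenizer string.
filebeat.inputs:
  - type: filestream
    enabled: true
    paths:
      - C:\MessageTracking\*.LOG
    # Exchange message-tracking files normally begin with '#'-prefixed header
    # lines (#Software, #Version, #Fields, ...). Those do not match the
    # tokenizer (no quoted source-context column) and would otherwise reach
    # dissect as failed events, so drop them before parsing.
    exclude_lines: ['^#']
    processors:
      # Only total-bytes and recipient-count are typed (|integer); every other
      # column stays a string.
      # NOTE(review): dissect splits on the literal commas in the tokenizer, so a
      # column whose value itself contains a comma (a message-subject, for
      # instance) would shift every later column into the wrong field. Confirm
      # against real log lines before relying on sender-address / return-path
      # for detection logic.
      - dissect:
          tokenizer: "%{date-time},%{client-ip},%{client-hostname},%{server-ip},%{server-hostname},\"%{source-context}\",%{connector-id},%{source},%{event-id},%{internal-message-id},%{message-id},%{network-message-id},%{recipient-address},%{recipient-status},%{total-bytes|integer},%{recipient-count|integer},%{related-recipient-address},%{reference},%{message-subject},%{sender-address},%{return-path},%{message-info},%{directionality},%{tenant-id},%{original-client-ip},%{original-server-ip},%{custom-data},%{transport-traffic-type},%{log-id},%{schema-version}"
          field: "message"
      # Static vendor/product labels. No target is set, so they land under the
      # processor's default target.
      - add_fields:
          fields:
            vendor: Microsoft
            product: Exchange
      # Explicit null: add_locale takes no options here.
      - add_locale: ~
      # add_locale emits event.timezone; move it next to the dissected fields.
      # ignore_missing / fail_on_error keep the pipeline running if the key is
      # absent on a given event.
      - rename:
          fields:
            - from: "event.timezone"
              to: "dissect.timezone"
          ignore_missing: true
          fail_on_error: false
      # Routing tag consumed downstream; written to xdr_log_type, not to tags.
      - add_tags:
          tags: [microsoft_exchange]
          target: "xdr_log_type"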