Add YAML configs to replace cmd line args

Add YAML config. Refactor Collector

ConfigExamples/fileOutput.yaml

@@ -0,0 +1,17 @@
+log:
+  path: 'collector.log'
+collect:
+  contentTypes:
+    Audit.General: True
+    Audit.AzureActiveDirectory: True
+    Audit.Exchange: True
+    Audit.SharePoint: True
+    DLP.All: True
+  autoSubscribe: True
+  skipKnownLogs: True
+  resume: True
+  hoursToCollect: 24
+output:
+  file:
+    enabled: True
+    path: 'output.txt'

ConfigExamples/filteredFileOutput.yaml

@@ -0,0 +1,27 @@
+log:
+  path: 'collector.log'
+collect:
+  contentTypes:
+    Audit.General: True
+    Audit.AzureActiveDirectory: True
+    Audit.Exchange: True
+    Audit.SharePoint: True
+    DLP.All: True
+  autoSubscribe: True
+  skipKnownLogs: True
+  resume: True
+  hoursToCollect: 24
+# Collect logs concerning spoofing prevention in Audit.General, deleted files from Audit.SharePoint
+# and login failures from Audit.AzureActiveDirectory
+filter:
+  Audit.General:
+    - Policy: Spoof
+  Audit.AzureActiveDirectory:
+    - Operation: UserLoginFailed
+  Audit.SharePoint:
+    - Operation: FileDeleted
+# Output only to file
+output:
+  file:
+    enabled: True
+    path: 'output.txt'

ConfigExamples/graylog.yaml

@@ -0,0 +1,18 @@
+log:
+  path: 'collector.log'
+collect:
+  contentTypes:
+    Audit.General: True
+    Audit.AzureActiveDirectory: True
+    Audit.Exchange: True
+    Audit.SharePoint: True
+    DLP.All: True
+  autoSubscribe: True
+  skipKnownLogs: True
+  resume: True
+  hoursToCollect: 24
+output:
+  graylog:
+    enabled: False
+    address: 172.16.1.1
+    port: 5000

ConfigExamples/prtg.yaml

@@ -0,0 +1,31 @@
+log:
+  path: 'collector.log'
+collect:
+  contentTypes:
+    Audit.General: True
+    Audit.AzureActiveDirectory: True
+    Audit.Exchange: True
+    Audit.SharePoint: True
+    DLP.All: True
+  autoSubscribe: True
+  skipKnownLogs: True
+  resume: False  # Take all logs each time to count the number of active filter hits each interval
+  hoursToCollect: 1  # Period over which to alert, e.g. failed AAD logins over the last hour
+# The PRTG output defines channels which have filters associated to them. The output of the channel will be
+# the number of hits on the filter. E.g. filter for failed AAD logins on a "Failed AAD logins" channel.
+output:
+  prtg:
+    enabled: True
+    channels:
+    - name: Deleted Sharepoint files
+      filters:
+        Audit.SharePoint:
+        - Operation: FileDeleted
+    - name: Failed Azure AD logins
+      filters:
+        Audit.AzureActiveDirectory:
+        - Operation: UserLoginFailed
+    - name: Spoof attempts prevented
+      filters:
+        Audit.General:
+        - Policy: Spoof

Source/ApiConnection.py

@@ -6,7 +6,7 @@
 
 class ApiConnection(object):
 
-    def __init__(self, tenant_id=None, client_key=None, secret_key=None, publisher_id=None):
+    def __init__(self, tenant_id=None, client_key=None, secret_key=None, publisher_id=None, **kwargs):
         """
         Object that creates the authorization headers for- and sends API requests to the Microsoft Office APIs'.
         Taken from a Microsoft sample script that I cannot find the original of to reference.
@@ -43,7 +43,8 @@ def login(self):
             self.client_key, urllib.parse.quote(self.secret_key), resource)
         r = requests.post(auth_url, headers=headers, data=data, verify=True)
         resp = r.json()
-
+        if not self.publisher_id:
+            self.publisher_id = self.tenant_id
         try:
             headers['Authorization'] = 'bearer ' + resp['access_token']
             logging.log(level=logging.DEBUG, msg='Logged in')