feat(o365-plugin): add multi-cloud environment support for Microsoft Cloud (Commercial, GCC, GCC High, DoD)

Author: JocLRojas

plugins/o365/go.mod

@@ -5,7 +5,8 @@ go 1.24.2
 require (
 	github.com/google/uuid v1.6.0
 	github.com/threatwinds/go-sdk v1.0.43
-	github.com/utmstack/config-client-go v1.2.7
+	google.golang.org/grpc v1.74.2
+	google.golang.org/protobuf v1.36.6
 )
 
 require (
@@ -45,8 +46,6 @@ require (
 	golang.org/x/text v0.27.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250721164621-a45f3dfb1074 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074 // indirect
-	google.golang.org/grpc v1.74.2 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.5.0 // indirect
 )

plugins/o365/go.sum

@@ -93,8 +93,6 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/utmstack/config-client-go v1.2.7 h1:JeRdI5JjH1liNzMW3LmyevjuPd67J/yt9MAO3+oJAuM=
-github.com/utmstack/config-client-go v1.2.7/go.mod h1:kM0KoUizM9ZlcQp0qKviGTWn/+anT5Rfjx3zfZk79nM=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=

plugins/o365/main.go

@@ -17,31 +17,56 @@ import (
 	"github.com/utmstack/UTMStack/plugins/o365/config"
 )
 
+type CloudEnvironment string
+
 const (
-	loginUrl                  = "https://login.microsoftonline.com/"
-	GRANTTYPE                 = "client_credentials"
-	SCOPE                     = "https://manage.office.com/.default"
-	endPointLogin             = "/oauth2/v2.0/token"
-	endPointStartSubscription = "/activity/feed/subscriptions/start"
-	endPointContent           = "/activity/feed/subscriptions/content"
-	BASEURL                   = "https://manage.office.com/api/v1.0/"
-	DefaultTenant             = "ce66672c-e36d-4761-a8c8-90058fee1a24"
+	GRANTTYPE                                  = "client_credentials"
+	endPointLogin                              = "/oauth2/v2.0/token"
+	endPointStartSubscription                  = "/activity/feed/subscriptions/start"
+	endPointContent                            = "/activity/feed/subscriptions/content"
+	DefaultTenant                              = "ce66672c-e36d-4761-a8c8-90058fee1a24"
+	apiVersion                                 = "api/v1.0/"
+	CloudCommercial           CloudEnvironment = "Commercial"
+	CloudGCC                  CloudEnvironment = "GCC"
+	CloudGCCHigh              CloudEnvironment = "GCCHigh"
+	CloudDoD                  CloudEnvironment = "DoD"
 )
 
-func GetMicrosoftLoginLink(tenant string) string {
-	return fmt.Sprintf("%s%s%s", loginUrl, tenant, endPointLogin)
-}
-
-func GetStartSubscriptionLink(tenant string) string {
-	return fmt.Sprintf("%s%s%s", BASEURL, tenant, endPointStartSubscription)
+type CloudConfig struct {
+	LoginAuthority     string
+	ManagementEndpoint string
+	Scope              string
 }
 
-func GetContentLink(tenant string) string {
-	return fmt.Sprintf("%s%s%s", BASEURL, tenant, endPointContent)
-}
+func GetCloudConfig(env CloudEnvironment) CloudConfig {
+	configs := map[CloudEnvironment]CloudConfig{
+		CloudCommercial: {
+			LoginAuthority:     "https://login.microsoftonline.com/",
+			ManagementEndpoint: "https://manage.office.com/",
+			Scope:              "https://manage.office.com/.default",
+		},
+		CloudGCC: {
+			LoginAuthority:     "https://login.microsoftonline.com/",
+			ManagementEndpoint: "https://manage-gcc.office.com/",
+			Scope:              "https://manage-gcc.office.com/.default",
+		},
+		CloudGCCHigh: {
+			LoginAuthority:     "https://login.microsoftonline.us/",
+			ManagementEndpoint: "https://manage.office365.us/",
+			Scope:              "https://manage.office365.us/.default",
+		},
+		CloudDoD: {
+			LoginAuthority:     "https://login.microsoftonline.us/",
+			ManagementEndpoint: "https://manage.protection.apps.mil/",
+			Scope:              "https://manage.protection.apps.mil/.default",
+		},
+	}
 
-func GetTenantId() string {
-	return DefaultTenant
+	config, exists := configs[env]
+	if !exists {
+		return configs[CloudCommercial]
+	}
+	return config
 }
 
 func main() {
@@ -65,7 +90,8 @@ func main() {
 	for range ticker.C {
 		endTime := time.Now().UTC()
 
-		if err := ConnectionChecker(loginUrl); err != nil {
+		defaultConfig := GetCloudConfig(CloudCommercial)
+		if err := ConnectionChecker(defaultConfig.LoginAuthority); err != nil {
 			_ = catcher.Error("External connection failure detected: %v", err, nil)
 		}
 
@@ -117,7 +143,7 @@ func pull(startTime time.Time, endTime time.Time, group *config.ModuleGroup) {
 	for _, log := range logs {
 		plugins.EnqueueLog(&plugins.Log{
 			Id:         uuid.New().String(),
-			TenantId:   GetTenantId(),
+			TenantId:   agent.TenantId,
 			DataType:   "o365",
 			DataSource: group.GroupName,
 			Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
@@ -127,11 +153,13 @@ func pull(startTime time.Time, endTime time.Time, group *config.ModuleGroup) {
 }
 
 type OfficeProcessor struct {
-	Credentials   MicrosoftLoginResponse
-	TenantId      string
-	ClientId      string
-	ClientSecret  string
-	Subscriptions []string
+	Credentials      MicrosoftLoginResponse
+	TenantId         string
+	ClientId         string
+	ClientSecret     string
+	Subscriptions    []string
+	CloudEnvironment CloudEnvironment
+	CloudConfig      CloudConfig
 }
 
 type MicrosoftLoginResponse struct {
@@ -162,7 +190,10 @@ type ContentList struct {
 type ContentDetailsResponse []map[string]any
 
 func GetOfficeProcessor(group *config.ModuleGroup) OfficeProcessor {
-	offProc := OfficeProcessor{}
+	offProc := OfficeProcessor{
+		CloudEnvironment: CloudCommercial,
+	}
+
 	for _, cnf := range group.ModuleGroupConfigurations {
 		switch cnf.ConfKey {
 		case "office365_client_id":
@@ -171,27 +202,34 @@ func GetOfficeProcessor(group *config.ModuleGroup) OfficeProcessor {
 			offProc.ClientSecret = cnf.ConfValue
 		case "office365_tenant_id":
 			offProc.TenantId = cnf.ConfValue
+		case "office365_cloud_environment":
+			if cnf.ConfValue != "" {
+				offProc.CloudEnvironment = CloudEnvironment(cnf.ConfValue)
+			}
 		}
 	}
 
-	offProc.Subscriptions = append(offProc.Subscriptions, []string{
+	offProc.CloudConfig = GetCloudConfig(offProc.CloudEnvironment)
+
+	offProc.Subscriptions = []string{
 		"Audit.AzureActiveDirectory",
 		"Audit.Exchange",
 		"Audit.General",
 		"DLP.All",
-		"Audit.SharePoint"}...)
+		"Audit.SharePoint",
+	}
 
 	return offProc
 }
 
 func (o *OfficeProcessor) GetAuth() error {
-	requestUrl := GetMicrosoftLoginLink(o.TenantId)
+	requestUrl := fmt.Sprintf("%s%s%s", o.CloudConfig.LoginAuthority, o.TenantId, endPointLogin)
 
 	data := url.Values{}
 	data.Set("grant_type", GRANTTYPE)
 	data.Set("client_id", o.ClientId)
 	data.Set("client_secret", o.ClientSecret)
-	data.Set("scope", SCOPE)
+	data.Set("scope", o.CloudConfig.Scope)
 
 	headers := map[string]string{
 		"Content-Type": "application/x-www-form-urlencoded",
@@ -230,7 +268,12 @@ func (o *OfficeProcessor) GetAuth() error {
 
 func (o *OfficeProcessor) StartSubscriptions() error {
 	for _, subscription := range o.Subscriptions {
-		link := GetStartSubscriptionLink(o.TenantId) + "?contentType=" + subscription
+		link := fmt.Sprintf("%s%s%s%s?contentType=%s",
+			o.CloudConfig.ManagementEndpoint,
+			apiVersion,
+			o.TenantId,
+			endPointStartSubscription,
+			subscription)
 		headers := map[string]string{
 			"Content-Type":  "application/json",
 			"Authorization": fmt.Sprintf("%s %s", o.Credentials.TokenType, o.Credentials.AccessToken),
@@ -277,7 +320,11 @@ func (o *OfficeProcessor) StartSubscriptions() error {
 }
 
 func (o *OfficeProcessor) GetContentList(subscription string, startTime time.Time, endTime time.Time) ([]ContentList, error) {
-	link := GetContentLink(o.TenantId) + fmt.Sprintf("?startTime=%s&endTime=%s&contentType=%s",
+	link := fmt.Sprintf("%s%s%s%s?startTime=%s&endTime=%s&contentType=%s",
+		o.CloudConfig.ManagementEndpoint,
+		apiVersion,
+		o.TenantId,
+		endPointContent,
 		startTime.UTC().Format("2006-01-02T15:04:05"),
 		endTime.UTC().Format("2006-01-02T15:04:05"),
 		subscription)