{
  "name": "m365_defender",
  "title": "Microsoft Defender XDR",
  "version": "5.0.1",
  "release": "ga",
  "description": "Collect logs from Microsoft Defender XDR with Elastic Agent.",
  "type": "integration",
  "download": "/epr/m365_defender/m365_defender-5.0.1.zip",
  "path": "/package/m365_defender/5.0.1",
  "icons": [
    {
      "src": "/img/logo.svg",
      "path": "/package/m365_defender/5.0.1/img/logo.svg",
      "title": "M365 logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.4 || ^9.1.4"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "edr_xdr",
    "vulnerability_workflow"
  ],
  "signature_path": "/epr/m365_defender/m365_defender-5.0.1.zip.sig",
  "format_version": "3.4.0",
  "readme": "/package/m365_defender/5.0.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/m365-defender-alert.png",
      "path": "/package/m365_defender/5.0.1/img/m365-defender-alert.png",
      "title": "Microsoft Defender XDR Alert Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365-defender-incidents.png",
      "path": "/package/m365_defender/5.0.1/img/m365-defender-incidents.png",
      "title": "Microsoft Defender XDR (Incidents) Incidents Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365-defender-events-alerts1.png",
      "path": "/package/m365_defender/5.0.1/img/m365-defender-events-alerts1.png",
      "title": "Microsoft Defender XDR (Events) Alerts Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365-defender-events-device1.png",
      "path": "/package/m365_defender/5.0.1/img/m365-defender-events-device1.png",
      "title": "Microsoft Defender XDR (Events) Device Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365-defender-events-email1.png",
      "path": "/package/m365_defender/5.0.1/img/m365-defender-events-email1.png",
      "title": "Microsoft Defender XDR (Events) Email Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365-defender-events-app1.png",
      "path": "/package/m365_defender/5.0.1/img/m365-defender-events-app1.png",
      "title": "Microsoft Defender XDR (Events) App & Identity Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365-defender-vulnerability.png",
      "path": "/package/m365_defender/5.0.1/img/m365-defender-vulnerability.png",
      "title": "Microsoft Defender XDR Vulnerability",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/m365_defender/5.0.1/LICENSE.txt",
    "/package/m365_defender/5.0.1/changelog.yml",
    "/package/m365_defender/5.0.1/manifest.yml",
    "/package/m365_defender/5.0.1/validation.yml",
    "/package/m365_defender/5.0.1/docs/README.md",
    "/package/m365_defender/5.0.1/img/logo.svg",
    "/package/m365_defender/5.0.1/img/m365-defender-alert.png",
    "/package/m365_defender/5.0.1/img/m365-defender-events-alerts1.png",
    "/package/m365_defender/5.0.1/img/m365-defender-events-alerts2.png",
    "/package/m365_defender/5.0.1/img/m365-defender-events-app1.png",
    "/package/m365_defender/5.0.1/img/m365-defender-events-device1.png",
    "/package/m365_defender/5.0.1/img/m365-defender-events-device2.png",
    "/package/m365_defender/5.0.1/img/m365-defender-events-email1.png",
    "/package/m365_defender/5.0.1/img/m365-defender-incidents.png",
    "/package/m365_defender/5.0.1/img/m365-defender-vulnerability.png",
    "/package/m365_defender/5.0.1/kibana/tags.yml",
    "/package/m365_defender/5.0.1/data_stream/alert/manifest.yml",
    "/package/m365_defender/5.0.1/data_stream/alert/sample_event.json",
    "/package/m365_defender/5.0.1/data_stream/event/manifest.yml",
    "/package/m365_defender/5.0.1/data_stream/incident/manifest.yml",
    "/package/m365_defender/5.0.1/data_stream/incident/sample_event.json",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/lifecycle.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/manifest.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/sample_event.json",
    "/package/m365_defender/5.0.1/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.0.1/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.0.1/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json",
    "/package/m365_defender/5.0.1/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json",
    "/package/m365_defender/5.0.1/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.0.1/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.0.1/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json",
    "/package/m365_defender/5.0.1/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.0.1/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json",
    "/package/m365_defender/5.0.1/kibana/search/m365_defender-c35e286e-43e6-46f4-a449-ab8a1be7bcd9.json",
    "/package/m365_defender/5.0.1/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json",
    "/package/m365_defender/5.0.1/kibana/tag/m365_defender-security-solution-default.json",
    "/package/m365_defender/5.0.1/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json",
    "/package/m365_defender/5.0.1/data_stream/alert/fields/base-fields.yml",
    "/package/m365_defender/5.0.1/data_stream/alert/fields/beats.yml",
    "/package/m365_defender/5.0.1/data_stream/alert/fields/fields.yml",
    "/package/m365_defender/5.0.1/data_stream/event/fields/agent.yml",
    "/package/m365_defender/5.0.1/data_stream/event/fields/base-fields.yml",
    "/package/m365_defender/5.0.1/data_stream/event/fields/ecs-extended.yml",
    "/package/m365_defender/5.0.1/data_stream/event/fields/ecs.yml",
    "/package/m365_defender/5.0.1/data_stream/event/fields/fields.yml",
    "/package/m365_defender/5.0.1/data_stream/incident/fields/agent.yml",
    "/package/m365_defender/5.0.1/data_stream/incident/fields/base-fields.yml",
    "/package/m365_defender/5.0.1/data_stream/incident/fields/fields.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/fields/base-fields.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/fields/beats.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/fields/ecs.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/fields/fields.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/fields/package.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/fields/resource.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/fields/vulnerability.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml",
    "/package/m365_defender/5.0.1/data_stream/alert/agent/stream/httpjson.yml.hbs",
    "/package/m365_defender/5.0.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.0.1/data_stream/event/agent/stream/azure-eventhub.yml.hbs",
    "/package/m365_defender/5.0.1/data_stream/event/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.0.1/data_stream/event/elasticsearch/ingest_pipeline/pipeline_alert.yml",
    "/package/m365_defender/5.0.1/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml",
    "/package/m365_defender/5.0.1/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml",
    "/package/m365_defender/5.0.1/data_stream/event/elasticsearch/ingest_pipeline/pipeline_email.yml",
    "/package/m365_defender/5.0.1/data_stream/incident/agent/stream/httpjson.yml.hbs",
    "/package/m365_defender/5.0.1/data_stream/incident/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/agent/stream/cel.yml.hbs",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/elasticsearch/ilm/default_policy.json",
    "/package/m365_defender/5.0.1/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml",
    "/package/m365_defender/5.0.1/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml"
  ],
  "policy_templates": [
    {
      "name": "m365_defender",
      "title": "Microsoft Defender XDR Logs",
      "description": "Collect logs from Microsoft Defender XDR API",
      "inputs": [
        {
          "type": "httpjson",
          "vars": [
            {
              "name": "login_url",
              "type": "text",
              "title": "OAuth Server URL",
              "description": "URL of the login server (the tenant ID and token endpoint are appended automatically).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "token_endpoint",
              "type": "text",
              "title": "OAuth Token endpoint",
              "description": "Microsoft supports multiple OAuth2 token endpoints. The default is oauth2/v2.0/token, but oauth2/token can also be used.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "oauth2/v2.0/token"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "The client ID obtained when creating a new application in Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "The secret related to the client ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The tenant ID obtained when creating a new application in Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect logs from Microsoft Defender XDR API",
          "description": "Collect logs from Microsoft Defender XDR via API"
        },
        {
          "type": "azure-eventhub",
          "title": "Collect logs from Azure Event Hub",
          "description": "Collect logs from Azure Event Hub"
        },
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "By default, the URL is set to `https://api.securitycenter.microsoft.com`. The Microsoft Defender XDR base URL varies by location, so use the base URL that applies to your tenant.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.securitycenter.microsoft.com"
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID for Azure AD application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret for Azure AD application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "azure_tenant_id",
              "type": "text",
              "title": "Azure Tenant ID",
              "description": "The Azure tenant ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_url",
              "type": "text",
              "title": "Oauth2 Token URL",
              "description": "The base URL used to obtain tokens during the OAuth2 flow. If not provided, the `Azure Tenant ID` above is used for OAuth2 token generation.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "token_scopes",
              "type": "text",
              "title": "Token Scopes",
              "description": "Defines the level of access granted to the API. This scope is required to authenticate and authorize API requests in Microsoft Defender XDR Vulnerability Management.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "https://securitycenter.onmicrosoft.com/windowsatpservice/.default"
              ]
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect logs from Microsoft Defender for Endpoint API",
          "description": "Collecting logs via Microsoft Defender for Endpoint API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "m365_defender.alert",
      "title": "Collect Alert logs from Microsoft Defender XDR",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "request_url",
              "type": "text",
              "title": "Request URL",
              "description": "URL of API endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://graph.microsoft.com"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the alerts from Microsoft Defender XDR. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Security Graph API V2. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the Alert Security Graph API V2. The maximum supported batch size value is 2000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 2000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.alert fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "include_unknown_enum_members",
              "type": "bool",
              "title": "Include unknown enum members",
              "description": "Return unknown members for properties of evolvable enum types.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Microsoft Defender XDR Alerts",
          "description": "Collect Alerts from Microsoft Defender XDR.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "m365_defender",
      "path": "alert"
    },
    {
      "type": "logs",
      "dataset": "m365_defender.event",
      "title": "Collect Event logs from Microsoft Defender XDR.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "eventhub",
              "type": "text",
              "title": "Event Hub",
              "description": "Elastic recommends using one event hub for each integration. Visit [Create an event hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use event hub names up to 30 characters long to avoid compatibility issues.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "consumer_group",
              "type": "text",
              "title": "Consumer Group",
              "description": "We recommend using a dedicated consumer group for the azure input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "$Default"
            },
            {
              "name": "connection_string",
              "type": "password",
              "title": "Connection String",
              "description": "The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account",
              "type": "text",
              "title": "Storage Account",
              "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account_key",
              "type": "password",
              "title": "Storage Account Key",
              "description": "The storage account key. This key is used to authorize access to data in your storage account.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type. DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_manager_endpoint",
              "type": "text",
              "title": "Resource Manager Endpoint",
              "description": "By default the Azure public environment is used. To override this, provide a specific resource manager endpoint in order to use a different Azure environment.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Microsoft Defender XDR Advanced Hunting Events (Recommended)",
          "description": "Collect events from M365D Streaming API.",
          "enabled": true,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "m365_defender",
      "path": "event"
    },
    {
      "type": "logs",
      "dataset": "m365_defender.incident",
      "title": "Collect Incident logs from Microsoft Defender XDR",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "request_url",
              "type": "text",
              "title": "Request URL",
              "description": "URL of API endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://graph.microsoft.com"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the incidents from Microsoft Defender XDR. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Security Graph API V2. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1m"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the Incident Security Graph API V2. The maximum supported batch size value is 50.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 50
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-incident"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.incident fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Microsoft Defender XDR Incidents and Alerts (Recommended)",
          "description": "Collect Incidents from Microsoft Defender XDR.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "m365_defender",
      "path": "incident"
    },
    {
      "type": "logs",
      "dataset": "m365_defender.vulnerability",
      "ilm_policy": "logs-m365_defender.vulnerability-default_policy",
      "title": "Collect Vulnerability logs from Microsoft Defender XDR.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the M365 Defender Vulnerability API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "4h"
            },
            {
              "name": "sas_valid_hours",
              "type": "text",
              "title": "SAS Valid Hours",
              "description": "The number of hours that the Shared Access Signature (SAS) download URLs are valid for. Maximum is 6 hours. Supported unit for this parameter is 'h'.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "1h"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local filesystem for debugging configurations. Enabling request tracing compromises security and should be used only for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-vulnerability"
              ]
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.vulnerability.* fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Defender XDR Vulnerabilities",
          "description": "Collect Microsoft Defender XDR Vulnerabilities logs.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "m365_defender",
      "path": "vulnerability"
    }
  ]
}
