{
  "name": "m365_defender",
  "title": "Microsoft Defender XDR",
  "version": "5.13.0",
  "release": "ga",
  "description": "Collect logs from Microsoft Defender XDR with Elastic Agent.",
  "type": "integration",
  "download": "/epr/m365_defender/m365_defender-5.13.0.zip",
  "path": "/package/m365_defender/5.13.0",
  "icons": [
    {
      "src": "/img/logo.svg",
      "path": "/package/m365_defender/5.13.0/img/logo.svg",
      "title": "M365 logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.10 || ~9.1.10 || ~9.2.4 || ^9.3.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "edr_xdr",
    "vulnerability_workflow",
    "cloudsecurity_cdr"
  ],
  "signature_path": "/epr/m365_defender/m365_defender-5.13.0.zip.sig",
  "format_version": "3.4.0",
  "readme": "/package/m365_defender/5.13.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/m365_defender-alert-api.png",
      "path": "/package/m365_defender/5.13.0/img/m365_defender-alert-api.png",
      "title": "Microsoft Defender XDR Alert Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365_defender-incident.png",
      "path": "/package/m365_defender/5.13.0/img/m365_defender-incident.png",
      "title": "Microsoft Defender XDR (Incidents) Incidents Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365_defender-alert-eventhub.png",
      "path": "/package/m365_defender/5.13.0/img/m365_defender-alert-eventhub.png",
      "title": "Microsoft Defender XDR (Events) Alerts Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365_defender-device.png",
      "path": "/package/m365_defender/5.13.0/img/m365_defender-device.png",
      "title": "Microsoft Defender XDR (Events) Device Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365_defender-email.png",
      "path": "/package/m365_defender/5.13.0/img/m365_defender-email.png",
      "title": "Microsoft Defender XDR (Events) Email Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365_defender-app_and_identity.png",
      "path": "/package/m365_defender/5.13.0/img/m365_defender-app_and_identity.png",
      "title": "Microsoft Defender XDR (Events) App & Identity Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/m365_defender-vulnerability.png",
      "path": "/package/m365_defender/5.13.0/img/m365_defender-vulnerability.png",
      "title": "Microsoft Defender XDR Vulnerability",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/m365_defender/5.13.0/LICENSE.txt",
    "/package/m365_defender/5.13.0/changelog.yml",
    "/package/m365_defender/5.13.0/manifest.yml",
    "/package/m365_defender/5.13.0/validation.yml",
    "/package/m365_defender/5.13.0/docs/README.md",
    "/package/m365_defender/5.13.0/img/logo.svg",
    "/package/m365_defender/5.13.0/img/m365_defender-alert-api.png",
    "/package/m365_defender/5.13.0/img/m365_defender-alert-eventhub.png",
    "/package/m365_defender/5.13.0/img/m365_defender-app_and_identity.png",
    "/package/m365_defender/5.13.0/img/m365_defender-device.png",
    "/package/m365_defender/5.13.0/img/m365_defender-email.png",
    "/package/m365_defender/5.13.0/img/m365_defender-incident.png",
    "/package/m365_defender/5.13.0/img/m365_defender-vulnerability.png",
    "/package/m365_defender/5.13.0/kibana/tags.yml",
    "/package/m365_defender/5.13.0/data_stream/alert/manifest.yml",
    "/package/m365_defender/5.13.0/data_stream/alert/sample_event.json",
    "/package/m365_defender/5.13.0/data_stream/event/manifest.yml",
    "/package/m365_defender/5.13.0/data_stream/incident/manifest.yml",
    "/package/m365_defender/5.13.0/data_stream/incident/sample_event.json",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/lifecycle.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/manifest.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/sample_event.json",
    "/package/m365_defender/5.13.0/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.13.0/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.13.0/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json",
    "/package/m365_defender/5.13.0/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json",
    "/package/m365_defender/5.13.0/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.13.0/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.13.0/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json",
    "/package/m365_defender/5.13.0/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json",
    "/package/m365_defender/5.13.0/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json",
    "/package/m365_defender/5.13.0/kibana/search/m365_defender-c35e286e-43e6-46f4-a449-ab8a1be7bcd9.json",
    "/package/m365_defender/5.13.0/kibana/search/m365_defender-e16d5fb3-36aa-4ee3-bb47-18d44d56c3b2.json",
    "/package/m365_defender/5.13.0/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json",
    "/package/m365_defender/5.13.0/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json",
    "/package/m365_defender/5.13.0/data_stream/alert/fields/base-fields.yml",
    "/package/m365_defender/5.13.0/data_stream/alert/fields/beats.yml",
    "/package/m365_defender/5.13.0/data_stream/alert/fields/fields.yml",
    "/package/m365_defender/5.13.0/data_stream/event/fields/agent.yml",
    "/package/m365_defender/5.13.0/data_stream/event/fields/base-fields.yml",
    "/package/m365_defender/5.13.0/data_stream/event/fields/ecs-extended.yml",
    "/package/m365_defender/5.13.0/data_stream/event/fields/ecs.yml",
    "/package/m365_defender/5.13.0/data_stream/event/fields/fields.yml",
    "/package/m365_defender/5.13.0/data_stream/incident/fields/agent.yml",
    "/package/m365_defender/5.13.0/data_stream/incident/fields/base-fields.yml",
    "/package/m365_defender/5.13.0/data_stream/incident/fields/fields.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/fields/base-fields.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/fields/beats.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/fields/ecs.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/fields/fields.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/fields/package.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/fields/resource.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/fields/vulnerability.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml",
    "/package/m365_defender/5.13.0/data_stream/alert/agent/stream/httpjson.yml.hbs",
    "/package/m365_defender/5.13.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.13.0/data_stream/event/agent/stream/azure-eventhub.yml.hbs",
    "/package/m365_defender/5.13.0/data_stream/event/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.13.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline_alert.yml",
    "/package/m365_defender/5.13.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline_app_and_identity.yml",
    "/package/m365_defender/5.13.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml",
    "/package/m365_defender/5.13.0/data_stream/event/elasticsearch/ingest_pipeline/pipeline_email.yml",
    "/package/m365_defender/5.13.0/data_stream/incident/agent/stream/httpjson.yml.hbs",
    "/package/m365_defender/5.13.0/data_stream/incident/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/agent/stream/cel.yml.hbs",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/elasticsearch/ilm/default_policy.json",
    "/package/m365_defender/5.13.0/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/package.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/resource.yml",
    "/package/m365_defender/5.13.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/vulnerability.yml"
  ],
  "policy_templates": [
    {
      "name": "m365_defender",
      "title": "Microsoft Defender XDR Logs",
      "description": "Collect logs from Microsoft Defender XDR.",
      "inputs": [
        {
          "type": "httpjson",
          "vars": [
            {
              "name": "login_url",
              "type": "text",
              "title": "Oauth2 Token URL",
              "description": "The base URL endpoint used to generate tokens during the OAuth2 flow. If not provided, the `Tenant ID` above will be used for OAuth2 token generation.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "token_endpoint",
              "type": "text",
              "title": "OAuth Token endpoint",
              "description": "Microsoft supports multiple OAuth2 token endpoints; the default is oauth2/v2.0/token, but oauth2/token can also be used.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "oauth2/v2.0/token"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because the stored traces contain the full requests and responses, enabling request tracing weakens security and should only be used for debugging. Disabling the request tracer will delete any stored traces. Refer to [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID for Azure AD application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret for Azure AD application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The Azure tenant ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "oauth_endpoint_params",
              "type": "yaml",
              "title": "OAuth2 Endpoint Params",
              "description": "Set of values that will be sent on each resource to the OAuth Server URL. Each param key can have multiple values and they are appended to the URL as query parameters.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. Refer to [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect alerts and incidents using Microsoft Graph Security API",
          "description": "Collect alerts and incidents from Microsoft Defender XDR using Microsoft Graph Security API"
        },
        {
          "type": "azure-eventhub",
          "title": "Collect events using Azure Event Hub",
          "description": "Collect events from Microsoft Defender XDR using Azure Event Hub"
        },
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "By default, the URL is set to `https://api.security.microsoft.com`. For better performance, use a server closer to your geolocation. Refer to [documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list#versioning) for details.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.security.microsoft.com"
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "Client ID for Microsoft Entra ID application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "Client Secret for Microsoft Entra ID application.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "azure_tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The Azure tenant ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_url",
              "type": "text",
              "title": "Oauth2 Token URL",
              "description": "The base URL endpoint used to generate tokens during the OAuth2 flow. If not provided, the `Tenant ID` above will be used for OAuth2 token generation.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "token_scopes",
              "type": "text",
              "title": "Token Scopes",
              "description": "Defines the level of access granted to the API. This scope is required to authenticate and authorize API requests in Microsoft Defender XDR Vulnerability Management.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "https://securitycenter.onmicrosoft.com/windowsatpservice/.default"
              ]
            },
            {
              "name": "oauth_endpoint_params",
              "type": "yaml",
              "title": "OAuth2 Endpoint Params",
              "description": "Set of values that will be sent on each resource to the OAuth Server URL. Each param key can have multiple values and they are appended to the URL as query parameters.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#grant_type: client_credentials\n#refresh_token:\n#  - refresh_token_1\n#  - refresh_token_2\n"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. Refer to [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect vulnerabilities using Microsoft Defender for Endpoint API",
          "description": "Collect vulnerabilities from Microsoft Defender XDR using Microsoft Defender for Endpoint API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "m365_defender.alert",
      "title": "Collect Alert logs from Microsoft Defender XDR",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "request_url",
              "type": "text",
              "title": "Request URL",
              "description": "URL of API endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://graph.microsoft.com"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the alerts from Microsoft Defender XDR. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Security Graph API V2. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the Alert Security Graph API V2. The maximum supported batch size value is 2000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 2000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.alert fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "include_unknown_enum_members",
              "type": "bool",
              "title": "Include unknown enum members",
              "description": "Return unknown members for properties of evolvable enum types.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Alerts",
          "description": "Collect Alerts from Microsoft Defender XDR.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "m365_defender",
      "path": "alert"
    },
    {
      "type": "logs",
      "dataset": "m365_defender.event",
      "title": "Collect Event logs from Microsoft Defender XDR.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "eventhub",
              "type": "text",
              "title": "Event Hub",
              "description": "Elastic recommends using one event hub for each integration. Visit [Create an event hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use event hub names up to 30 characters long to avoid compatibility issues.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "consumer_group",
              "type": "text",
              "title": "Consumer Group",
              "description": "We recommend using a dedicated consumer group for the azure input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "$Default"
            },
            {
              "name": "auth_type",
              "type": "select",
              "title": "Authentication Type",
              "description": "Authentication method to use for Event Hub and Storage Account. When set to **Connection String** or left blank: **Connection String** and **Storage Account Key** are required. When set to **Client Secret**: Microsoft Entra ID client secret authentication is used, requiring **Tenant ID**, **Client ID**, **Client Secret**, and **Event Hub Namespace**. Note: The same authentication type applies to both Event Hub and Storage Account for security consistency.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "connection_string"
            },
            {
              "name": "connection_string",
              "type": "password",
              "title": "Connection String",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account_key",
              "type": "password",
              "title": "Storage Account Key",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The storage account key used to authorize access to data in your storage account. Not used when **Authentication Type** is **Client Secret**; client secret authentication is used for storage instead.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account",
              "type": "text",
              "title": "Storage Account",
              "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "eventhub_namespace",
              "type": "text",
              "title": "Event Hub Namespace",
              "description": "(Required when **Authentication Type** is **Client Secret**) Fully qualified Event Hub namespace (e.g., namespace.servicebus.windows.net). Do not use the short namespace name; use the complete FQDN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID tenant ID. This is the directory/tenant where your Microsoft Entra ID application is registered.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application (client) ID. The service principal must have 'Azure Event Hubs Data Receiver' role on the Event Hub and 'Storage Blob Data Contributor' role on the Storage Account.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application client secret. Generate this secret in your Microsoft Entra ID app registration.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "authority_host",
              "type": "text",
              "title": "Authority Host",
              "description": "(Optional when **Authentication Type** is **Client Secret**) Microsoft Entra ID authority endpoint. Defaults to https://login.microsoftonline.com (Azure Public Cloud). Change for other Azure environments: Azure Government (https://login.microsoftonline.us), Azure China (https://login.chinacloudapi.cn), or Azure Germany (https://login.microsoftonline.de).",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type. DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_manager_endpoint",
              "type": "text",
              "title": "Resource Manager Endpoint",
              "description": "By default the Azure public environment is used. To use a different Azure environment, override this by providing a specific resource manager endpoint.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Events",
          "description": "Collect events from Microsoft Defender XDR Streaming API.",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "m365_defender",
      "path": "event"
    },
    {
      "type": "logs",
      "dataset": "m365_defender.incident",
      "title": "Collect Incident logs from Microsoft Defender XDR",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "request_url",
              "type": "text",
              "title": "Request URL",
              "description": "URL of API endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://graph.microsoft.com"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the incidents from Microsoft Defender XDR. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Security Graph API V2. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1m"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for responses from the Incident Security Graph API V2. The maximum supported batch size value is 50.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 50
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-incident"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "include_alerts",
              "type": "bool",
              "title": "Include Alerts",
              "description": "Include associated alerts with the incident. When enabled, the alerts are split so that each generated event represents a single alert from the incident. If disabled, enable the Alerts (alerts_v2) data stream to ensure alert data is still collected.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": true
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.incident fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Incidents",
          "description": "Collect Incidents from Microsoft Defender XDR. Recommended: Ingests correlated incidents including all associated alerts and evidence.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "m365_defender",
      "path": "incident"
    },
    {
      "type": "logs",
      "dataset": "m365_defender.vulnerability",
      "ilm_policy": "logs-m365_defender.vulnerability-default_policy",
      "title": "Collect Vulnerability logs from Microsoft Defender XDR",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the M365 Defender Vulnerability API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "4h"
            },
            {
              "name": "sas_valid_hours",
              "type": "text",
              "title": "SAS Valid Hours",
              "description": "The number of hours that the Shared Access Signature (SAS) download URLs are valid for. Maximum is 6 hours. Supported unit for this parameter is 'h'.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "1h"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling request tracing compromises security, so it should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "m365_defender-vulnerability"
              ]
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve m365_defender.vulnerability.* fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "max_retries",
              "type": "text",
              "title": "Max Retries",
              "description": "Number of retry attempts for failed download requests. Set to 0 to disable retries.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "3"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Vulnerabilities",
          "description": "Collect Microsoft Defender XDR Vulnerabilities logs.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "m365_defender",
      "path": "vulnerability"
    }
  ]
}
