{
  "name": "microsoft_defender_cloud",
  "title": "Microsoft Defender for Cloud",
  "version": "3.4.0",
  "release": "ga",
  "description": "Collect logs from Microsoft Defender for Cloud with Elastic Agent.",
  "type": "integration",
  "download": "/epr/microsoft_defender_cloud/microsoft_defender_cloud-3.4.0.zip",
  "path": "/package/microsoft_defender_cloud/3.4.0",
  "icons": [
    {
      "src": "/img/microsoft-defender-cloud-logo.svg",
      "path": "/package/microsoft_defender_cloud/3.4.0/img/microsoft-defender-cloud-logo.svg",
      "title": "Microsoft Defender for Cloud logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.10 || ~9.1.10 || ~9.2.4 || ^9.3.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "cloudsecurity_cdr",
    "vulnerability_workflow",
    "misconfiguration_workflow"
  ],
  "signature_path": "/epr/microsoft_defender_cloud/microsoft_defender_cloud-3.4.0.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/microsoft_defender_cloud/3.4.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/microsoft-defender-cloud-dashboard-event.png",
      "path": "/package/microsoft_defender_cloud/3.4.0/img/microsoft-defender-cloud-dashboard-event.png",
      "title": "Microsoft Defender for Cloud Event Dashboard Screenshot",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/microsoft_defender_cloud/3.4.0/LICENSE.txt",
    "/package/microsoft_defender_cloud/3.4.0/changelog.yml",
    "/package/microsoft_defender_cloud/3.4.0/manifest.yml",
    "/package/microsoft_defender_cloud/3.4.0/validation.yml",
    "/package/microsoft_defender_cloud/3.4.0/docs/README.md",
    "/package/microsoft_defender_cloud/3.4.0/img/microsoft-defender-cloud-dashboard-event.png",
    "/package/microsoft_defender_cloud/3.4.0/img/microsoft-defender-cloud-logo.svg",
    "/package/microsoft_defender_cloud/3.4.0/kibana/tags.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/lifecycle.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/manifest.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/sample_event.json",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/event/manifest.yml",
    "/package/microsoft_defender_cloud/3.4.0/kibana/dashboard/microsoft_defender_cloud-97eaf040-0516-11ee-b4db-89b3a5f6df7f.json",
    "/package/microsoft_defender_cloud/3.4.0/kibana/search/microsoft_defender_cloud-52f0f2f0-039f-11ee-bafb-95960de71508.json",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/base-fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/beats.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/ecs.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/package.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/resource.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/result.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/rule.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/fields/vulnerability.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/event/fields/base-fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/event/fields/beats.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/event/fields/fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/transform.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/transform.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/agent/stream/cel.yml.hbs",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/elasticsearch/ilm/default_policy.json",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/assessment/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/event/agent/stream/azure-eventhub.yml.hbs",
    "/package/microsoft_defender_cloud/3.4.0/data_stream/event/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/fields/base-fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/fields/beats.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/fields/ecs.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/fields/fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/fields/resource.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/fields/result.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/misconfiguration/fields/rule.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/fields/base-fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/fields/beats.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/fields/ecs.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/fields/fields.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/fields/package.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/fields/resource.yml",
    "/package/microsoft_defender_cloud/3.4.0/elasticsearch/transform/vulnerability/fields/vulnerability.yml"
  ],
  "policy_templates": [
    {
      "name": "microsoft_defender_cloud",
      "title": "Microsoft Defender for Cloud Logs",
      "description": "Collect logs from Microsoft Defender for Cloud.",
      "inputs": [
        {
          "type": "azure-eventhub",
          "title": "Collect logs from Azure Event Hub",
          "description": "Collect logs from Azure Event Hub."
        },
        {
          "type": "cel",
          "vars": [
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "The client ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "The secret related to the client ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "login_url",
              "type": "text",
              "title": "OAuth Server URL",
              "description": "URL of the login server. The tenant ID and token endpoint are added to it automatically.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "URL of Azure Resource Manager provider API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://management.azure.com"
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The tenant ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_scopes",
              "type": "text",
              "title": "Token Scopes",
              "description": "Scopes for OAuth2 token.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "https://management.azure.com/.default"
              ]
            },
            {
              "name": "oauth_endpoint_params",
              "type": "yaml",
              "title": "OAuth2 Endpoint Params",
              "description": "Endpoint Params used for OAuth2 authentication as YAML. See [documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-httpjson#_auth_oauth2_endpoint_params_2) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Microsoft Defender Cloud logs via API",
          "description": "Collect Microsoft Defender for Cloud logs via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "microsoft_defender_cloud.assessment",
      "ilm_policy": "logs-microsoft_defender_cloud.assessment-default_policy",
      "title": "Collect Assessments from Microsoft Defender for Cloud",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "management_group_name",
              "type": "text",
              "title": "Management Group Name",
              "description": "The name of the management group. Provide either `Subscription ID` or `Management Group Name` as the scope for the request. If both are provided, then `Management Group Name` will take precedence.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "subscription_id",
              "type": "text",
              "title": "Subscription ID",
              "description": "The unique identifier for the subscription. Provide either `Subscription ID` or `Management Group Name` as the scope for the request. If both are provided, then `Management Group Name` will take precedence.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "max_executions",
              "type": "integer",
              "title": "Maximum Pages Per Interval",
              "description": "The maximum number of pages that can be collected at each interval.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "resource_rate_limit_limit",
              "type": "text",
              "title": "Resource Rate Limit",
              "description": "The value of the response that specifies the maximum overall resource request rate. This controls the polling frequency.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_rate_limit_burst",
              "type": "integer",
              "title": "Resource Rate Limit Burst",
              "description": "The maximum burst size. Burst is the maximum number of resource requests that can be made above the overall rate limit.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "120s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_defender_cloud-assessment"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserve a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_defender_cloud.assessment fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Defender for Cloud Assessment",
          "description": "Collect Assessments from Microsoft Defender for Cloud via CEL.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "microsoft_defender_cloud",
      "path": "assessment"
    },
    {
      "type": "logs",
      "dataset": "microsoft_defender_cloud.event",
      "title": "Collect Event (Alert and Recommendation) logs from Microsoft Defender for Cloud.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "eventhub",
              "type": "text",
              "title": "Azure Event Hub",
              "description": "Elastic recommends using one Azure Event Hub for each integration. Visit [Create an Azure Event Hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use Azure Event Hub names up to 30 characters long to avoid compatibility issues.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "consumer_group",
              "type": "text",
              "title": "Consumer Group",
              "description": "We recommend using a dedicated consumer group for the Azure Event Hub input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "$Default"
            },
            {
              "name": "auth_type",
              "type": "select",
              "title": "Authentication Type",
              "description": "Authentication method to use for Event Hub and Storage Account. When set to **Connection String** or left blank: **Connection String** and **Storage Account Key** are required. When set to **Client Secret**: Microsoft Entra ID client secret authentication is used, requiring **Tenant ID**, **Client ID**, **Client Secret**, and **Event Hub Namespace**. Note: The same authentication type applies to both Event Hub and Storage Account for security consistency.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "connection_string"
            },
            {
              "name": "connection_string",
              "type": "password",
              "title": "Connection String",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account_key",
              "type": "password",
              "title": "Storage Account Key",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The storage account key used to authorize access to data in your storage account. Not used when **Authentication Type** is **Client Secret**; client secret authentication is used for storage instead.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account",
              "type": "text",
              "title": "Storage Account",
              "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "eventhub_namespace",
              "type": "text",
              "title": "Event Hub Namespace",
              "description": "(Required when **Authentication Type** is **Client Secret**) Fully qualified Event Hub namespace (e.g., namespace.servicebus.windows.net). Do not use the short namespace name; use the complete FQDN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID tenant ID. This is the directory/tenant where your Microsoft Entra ID application is registered.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application (client) ID. The service principal must have 'Azure Event Hubs Data Receiver' role on the Event Hub and 'Storage Blob Data Contributor' role on the Storage Account.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application client secret. Generate this secret in your Microsoft Entra ID app registration.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "authority_host",
              "type": "text",
              "title": "Authority Host",
              "description": "(Optional when **Authentication Type** is **Client Secret**) Microsoft Entra ID authority endpoint. Defaults to https://login.microsoftonline.com (Azure Public Cloud). Change for other Azure environments: Azure Government (https://login.microsoftonline.us), Azure China (https://login.chinacloudapi.cn), or Azure Germany (https://login.microsoftonline.de).",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. This is an advanced option; use it with extreme care. You must use a dedicated storage account container for each Azure log type. Do not reuse the same container name for more than one Azure log type. See Microsoft's Azure Storage documentation, 'Naming and Referencing Containers, Blobs, and Metadata', for details on container naming rules. The integration generates a default container name if not specified.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_manager_endpoint",
              "type": "text",
              "title": "Resource Manager Endpoint",
              "description": "By default, the Azure public environment is used. To use a different Azure environment, provide that environment's resource manager endpoint here.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_defender_cloud-event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserve a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_defender_cloud.event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Microsoft Defender for Cloud Event (Alert and Recommendation)",
          "description": "Collect Event (Alert and Recommendation) logs from Microsoft Defender for Cloud via Azure Event Hub.",
          "enabled": true,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "microsoft_defender_cloud",
      "path": "event"
    }
  ]
}
