{
  "name": "microsoft_defender_endpoint",
  "title": "Microsoft Defender for Endpoint",
  "version": "4.6.0",
  "release": "ga",
  "description": "Collect logs from Microsoft Defender for Endpoint with Elastic Agent.",
  "type": "integration",
  "download": "/epr/microsoft_defender_endpoint/microsoft_defender_endpoint-4.6.0.zip",
  "path": "/package/microsoft_defender_endpoint/4.6.0",
  "icons": [
    {
      "src": "/img/logo.svg",
      "path": "/package/microsoft_defender_endpoint/4.6.0/img/logo.svg",
      "title": "Microsoft Defender for Endpoint logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.3 || ^9.1.2"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "edr_xdr",
    "siem",
    "vulnerability_workflow",
    "cloudsecurity_cdr"
  ],
  "signature_path": "/epr/microsoft_defender_endpoint/microsoft_defender_endpoint-4.6.0.zip.sig",
  "format_version": "3.4.0",
  "readme": "/package/microsoft_defender_endpoint/4.6.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/filebeat-defender-atp-overview.png",
      "path": "/package/microsoft_defender_endpoint/4.6.0/img/filebeat-defender-atp-overview.png",
      "title": "Defender Endpoint overview",
      "size": "2551x1315",
      "type": "image/png"
    },
    {
      "src": "/img/siem-alerts-cs.jpg",
      "path": "/package/microsoft_defender_endpoint/4.6.0/img/siem-alerts-cs.jpg",
      "title": "SIEM alerts CS",
      "size": "3360x1776",
      "type": "image/jpg"
    },
    {
      "src": "/img/siem-events-cs.jpg",
      "path": "/package/microsoft_defender_endpoint/4.6.0/img/siem-events-cs.jpg",
      "title": "SIEM events CS",
      "size": "3360x1776",
      "type": "image/jpg"
    },
    {
      "src": "/img/microsoft_defender_endpoint-machine_overview.png",
      "path": "/package/microsoft_defender_endpoint/4.6.0/img/microsoft_defender_endpoint-machine_overview.png",
      "title": "Machine Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/microsoft_defender_endpoint-machine_action_overview.png",
      "path": "/package/microsoft_defender_endpoint/4.6.0/img/microsoft_defender_endpoint-machine_action_overview.png",
      "title": "Machine Action Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/microsoft_defender_endpoint-vulnerability_overview.png",
      "path": "/package/microsoft_defender_endpoint/4.6.0/img/microsoft_defender_endpoint-vulnerability_overview.png",
      "title": "Vulnerability Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/microsoft_defender_endpoint/4.6.0/LICENSE.txt",
    "/package/microsoft_defender_endpoint/4.6.0/changelog.yml",
    "/package/microsoft_defender_endpoint/4.6.0/manifest.yml",
    "/package/microsoft_defender_endpoint/4.6.0/validation.yml",
    "/package/microsoft_defender_endpoint/4.6.0/docs/README.md",
    "/package/microsoft_defender_endpoint/4.6.0/img/filebeat-defender-atp-overview.png",
    "/package/microsoft_defender_endpoint/4.6.0/img/logo.svg",
    "/package/microsoft_defender_endpoint/4.6.0/img/microsoft_defender_endpoint-machine_action_overview.png",
    "/package/microsoft_defender_endpoint/4.6.0/img/microsoft_defender_endpoint-machine_overview.png",
    "/package/microsoft_defender_endpoint/4.6.0/img/microsoft_defender_endpoint-vulnerability_overview.png",
    "/package/microsoft_defender_endpoint/4.6.0/img/siem-alerts-cs.jpg",
    "/package/microsoft_defender_endpoint/4.6.0/img/siem-events-cs.jpg",
    "/package/microsoft_defender_endpoint/4.6.0/kibana/tags.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/manifest.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/sample_event.json",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine/manifest.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine/sample_event.json",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/manifest.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/sample_event.json",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/lifecycle.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/manifest.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/sample_event.json",
    "/package/microsoft_defender_endpoint/4.6.0/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json",
    "/package/microsoft_defender_endpoint/4.6.0/kibana/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215.json",
    "/package/microsoft_defender_endpoint/4.6.0/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json",
    "/package/microsoft_defender_endpoint/4.6.0/kibana/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60.json",
    "/package/microsoft_defender_endpoint/4.6.0/kibana/search/microsoft_defender_endpoint-89e2c263-f9c2-4f34-85d2-86b1d1b9106b.json",
    "/package/microsoft_defender_endpoint/4.6.0/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/fields/agent.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/fields/base-fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/fields/fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine/fields/base-fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine/fields/beats.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine/fields/fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/fields/base-fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/fields/beats.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/fields/fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/fields/is-transform-source-true.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/fields/base-fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/fields/beats.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/fields/ecs.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/fields/fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/fields/package.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/fields/resource.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/fields/vulnerability.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_action/manifest.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_action/transform.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/transform.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/agent/stream/httpjson.yml.hbs",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/agent/stream/log.yml.hbs",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine/agent/stream/cel.yml.hbs",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/agent/stream/cel.yml.hbs",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/machine_action/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/agent/stream/cel.yml.hbs",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/elasticsearch/ilm/default_policy.json",
    "/package/microsoft_defender_endpoint/4.6.0/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_action/fields/base-fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_action/fields/beats.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_action/fields/fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_action/fields/is-transform-source-false.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/fields/base-fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/fields/beats.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/fields/ecs-overridden.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/fields/fields.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/fields/package.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/fields/resource.yml",
    "/package/microsoft_defender_endpoint/4.6.0/elasticsearch/transform/latest_cdr_vuln/fields/vulnerability.yml"
  ],
  "policy_templates": [
    {
      "name": "microsoft_defender_endpoint",
      "title": "Microsoft Defender for Endpoint",
      "description": "Collect logs from Microsoft Defender for Endpoint",
      "inputs": [
        {
          "type": "httpjson",
          "title": "Collect Microsoft Defender for Endpoint logs via API",
          "description": "Collecting Defender for Endpoint logs via API"
        },
        {
          "type": "logfile",
          "title": "Collect Microsoft Defender for Endpoint logs via file",
          "description": "Collecting Defender for Endpoint logs via file"
        },
        {
          "type": "cel",
          "vars": [
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "The client ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "The secret related to the client ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "login_url",
              "type": "text",
              "title": "OAuth Server URL",
              "description": "URL of the login server (the tenant ID and token endpoint are appended automatically).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "URL of azure portal.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.security.microsoft.com"
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The tenant ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "token_scopes",
              "type": "text",
              "title": "Token Scopes",
              "description": "Scopes for OAuth2 token.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "https://securitycenter.onmicrosoft.com/windowsatpservice/.default"
              ]
            },
            {
              "name": "oauth_endpoint_params",
              "type": "yaml",
              "title": "OAuth2 Endpoint Params",
              "description": "Set of values sent with each request to the OAuth Server URL. Each param key can have multiple values, and they are appended to the URL as query parameters.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Ensure the username and password are URL-encoded.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Microsoft Defender for Endpoint logs via API",
          "description": "Collecting Defender for Endpoint logs via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "microsoft_defender_endpoint.log",
      "title": "Microsoft Defender for Endpoint logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "The client ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because the traces contain the full requests and responses, enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "The secret related to the client ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The tenant ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the logs from the Microsoft Defender for Endpoint API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "The interval between requests to the HTTP API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "scopes",
              "type": "text",
              "title": "Oauth2 Scopes",
              "description": "One or more OAuth2 scopes required to authenticate with the Microsoft Security Center API. An example scope could be 'https://api.securitycenter.windows.com/.default'.",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "azure_resource",
              "type": "text",
              "title": "Azure Resource",
              "description": "Azure resource URL for which the OAuth2 token is requested; defaults to the Microsoft Security Center API URL.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "https://api.securitycenter.windows.com/"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "login_url",
              "type": "text",
              "title": "OAuth Server URL",
              "description": "URL of the login server ('tenant-id/oauth2/token' is appended automatically).",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://login.microsoftonline.com/"
            },
            {
              "name": "token_url",
              "type": "text",
              "title": "OAuth Token endpoint",
              "description": "Microsoft supports multiple OAuth2 token endpoints; the default is oauth2/token, but oauth2/v2.0/token can also be used.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "oauth2/token"
            },
            {
              "name": "oauth_endpoint_params",
              "type": "yaml",
              "title": "OAuth2 Endpoint Params",
              "description": "Endpoint Params used for OAuth2 authentication as YAML. See [documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-httpjson#_auth_oauth2_endpoint_params_2) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "request_url",
              "type": "text",
              "title": "Security Center URL",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.securitycenter.windows.com/api/alerts"
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "microsoft-defender-endpoint",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Microsoft Defender for Endpoint logs",
          "description": "Collect Microsoft Defender for Endpoint logs from API",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": true,
              "show_user": true
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "microsoft-defender-endpoint",
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "log.yml.hbs",
          "title": "Microsoft Defender for Endpoint logs",
          "description": "Collect Microsoft Defender for Endpoint logs from a file",
          "enabled": false,
          "ingestion_method": "File"
        }
      ],
      "package": "microsoft_defender_endpoint",
      "path": "log"
    },
    {
      "type": "logs",
      "dataset": "microsoft_defender_endpoint.machine",
      "title": "Collect Microsoft Defender for Endpoint machine logs from API",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Defender for Endpoint API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of the Microsoft Defender for Endpoint API. The maximum supported page size value is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Because the traces contain the full requests and responses, enabling request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_defender_endpoint-machine"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_defender_endpoint.machine fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Defender for Endpoint machine logs",
          "description": "Collect Microsoft Defender for Endpoint machine logs from API.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "microsoft_defender_endpoint",
      "path": "machine"
    },
    {
      "type": "logs",
      "dataset": "microsoft_defender_endpoint.machine_action",
      "title": "Collect Microsoft Defender for Endpoint machine action logs from API",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the machine action logs from Microsoft Defender for Endpoint API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Defender for Endpoint API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of the Microsoft Defender for Endpoint API. The maximum supported page size value is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_defender_endpoint-machine_action"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_defender_endpoint.machine_action fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Defender for Endpoint machine action logs",
          "description": "Collect Microsoft Defender for Endpoint machine action logs from API.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "microsoft_defender_endpoint",
      "path": "machine_action"
    },
    {
      "type": "logs",
      "dataset": "microsoft_defender_endpoint.vulnerability",
      "ilm_policy": "logs-microsoft_defender_endpoint.vulnerability-default_policy",
      "title": "Collect Microsoft Defender for Endpoint vulnerability and affected machine logs from API",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Defender for Endpoint Vulnerability API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "4h"
            },
            {
              "name": "sas_valid_hours",
              "type": "text",
              "title": "SAS Valid Hours",
              "description": "The number of hours for which the Shared Access Signature (SAS) download URLs remain valid. The maximum is 6 hours. The only supported unit for this parameter is 'h'.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "1h"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_defender_endpoint-vulnerability"
              ]
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_defender_endpoint.vulnerability.* fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "max_retries",
              "type": "text",
              "title": "Max Retries",
              "description": "Number of retry attempts for failed download requests. Set to 0 to disable retries.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "3"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Defender Endpoint Vulnerabilities",
          "description": "Collect Microsoft Defender for Endpoint vulnerability and affected machine logs from API.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "microsoft_defender_endpoint",
      "path": "vulnerability"
    }
  ]
}
