diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 6f8a1457f8a..0bba3b1f469 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -254,6 +254,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix IPtables Pipeline and Ubiquiti dashboard. {issue}24878[24878] {pull}24928[24928]
 - Fix gcp module field names to use gcp instead of googlecloud. {pull}25038[25038]
 - Strip Azure Eventhub connection string in debug logs. {pulll}25066[25066]
+- Updating Oauth2 flow for m365_defender fileset. {pull}24829[24829]
 *Heartbeat*
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc
index f446d8a5bb6..f82d99f3c27 100644
--- a/filebeat/docs/modules/microsoft.asciidoc
+++ b/filebeat/docs/modules/microsoft.asciidoc
@@ -54,7 +54,9 @@ Example config:
 enabled: true
 var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
 var.oauth2.client.secret: "980453~-Sg99gedf"
- var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
+ var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
+ var.oauth2.scopes:
+ - "https://api.security.microsoft.com/.default"
 ----
 *`var.oauth2.client.id`*::
@@ -69,6 +71,10 @@ The secret related to the client ID.
 A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
+*`var.oauth2.scopes`*::
+
+A list of included scopes, should use .default unless different is specified.
+
 [float]
 ==== 365 Defender ECS fields
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 7d35455bbba..2371dc84d7d 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -1510,7 +1510,11 @@ filebeat.modules:
 #var.oauth2.client.secret: ""
 # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"
+
+ # Related scopes, default should be included
+ #var.oauth2.scopes:
+ # - "https://api.security.microsoft.com/.default"
 dhcp:
 enabled: true
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
index ee06eea9228..a168b621ba5 100644
--- a/x-pack/filebeat/module/microsoft/_meta/config.yml
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -25,7 +25,11 @@
 #var.oauth2.client.secret: ""
 # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"
+
+ # Related scopes, default should be included
+ #var.oauth2.scopes:
+ # - "https://api.security.microsoft.com/.default"
 dhcp:
 enabled: true
diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
index 947cf39f1bb..dba51821e53 100644
--- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
@@ -49,7 +49,9 @@ Example config:
 enabled: true
 var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
 var.oauth2.client.secret: "980453~-Sg99gedf"
- var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
+ var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
+ var.oauth2.scopes:
+ - "https://api.security.microsoft.com/.default"
 ----
 *`var.oauth2.client.id`*::
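Review bot: The new comment `# Related scopes, default should be included` in x-pack/filebeat/module/microsoft/_meta/config.yml does not tell an operator that the scope list belongs together with the v2.0 token URL on the line above it. Someone who uncomments only `var.oauth2.token_url` ends up with a token request that carries no scope, which the v2.0 endpoint is expected to reject, and the fileset then collects nothing. A wording such as `# Scopes sent with the token request; needed with the v2.0 token URL, normally the API's .default scope` would make the dependency explicit. The same text appears in the filebeat.reference.yml and modules.d/microsoft.yml.disabled hunks, which look like generated copies of this file.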
@@ -64,6 +66,10 @@ The secret related to the client ID.
 A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
+*`var.oauth2.scopes`*::
+
+A list of included scopes, should use .default unless different is specified.
+
 [float]
 ==== 365 Defender ECS fields
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
index e0f804b20bc..4f92d93af7b 100644
--- a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
+++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -6,8 +6,6 @@ config_version: "2"
 interval: {{ .interval }}
 auth.oauth2: {{ .oauth2 | tojson }}
-auth.oauth2.provider: azure
-auth.oauth2.azure.resource: https://api.securitycenter.windows.com/
 {{ if .proxy_url }}
 request.proxy_url: {{ .proxy_url }}
diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled
index b0a1b10c6d5..f73c209386d 100644
--- a/x-pack/filebeat/modules.d/microsoft.yml.disabled
+++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled
@@ -28,7 +28,11 @@
 #var.oauth2.client.secret: ""
 # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"
+
+ # Related scopes, default should be included
+ #var.oauth2.scopes:
+ # - "https://api.security.microsoft.com/.default"
 dhcp:
 enabled: true
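Review bot: In x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml, removing `auth.oauth2.provider: azure` and `auth.oauth2.azure.resource` leaves the token request defined entirely by the user's `var.oauth2` map, and nothing in this hunk supplies a fallback scope. An existing config that still has the old `/oauth2/token` URL and no `var.oauth2.scopes` would, as far as this diff shows, request a token with neither resource nor scope and stop ingesting Defender incidents after the upgrade, with only an authentication error in the Filebeat log to show for it. Consider setting a default scope in the fileset manifest (not part of this diff, so confirm it is not already there) and marking the changelog entry as a breaking change. A comment above the `auth.oauth2` line such as `# token_url and scopes are taken as-is from var.oauth2; both must target the v2.0 endpoint` would record the coupling for the next maintainer.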