[Filebeat Module] Defender ATP - Adding dashboard (#20058)
* adding dashboard to ATP, work in progress

* adding dashboard to ATP, removing an unused file, and fixing styling issues in the doc

* added description to dashboard and visualizations

(cherry picked from commit c306d45)
P1llus authored and marc-gr committed Jul 28, 2020
1 parent 24d0fba commit 16d2433
Showing 5 changed files with 1,300 additions and 33 deletions.
54 changes: 38 additions & 16 deletions filebeat/docs/modules/microsoft.asciidoc
Expand Up @@ -6,6 +6,7 @@ This file is generated! See scripts/docs_collector.py
[role="xpack"]

:modulename: microsoft
:has-dashboards: true

== Microsoft module

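Review bot: `:has-dashboards: true` is set at module level here although only the `defender_atp` fileset ships a dashboard; this works only because the attribute is unset again with `:has-dashboards!:` further down in this file, just before the `dhcp` fileset is introduced, so the flag is scoped purely by position. Add a one-line AsciiDoc comment next to the attribute (`// dashboards exist only for the defender_atp fileset`) so the pairing with the later unset is not lost by the next person who inserts a fileset between the two.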
Expand All @@ -14,19 +15,21 @@ This is a module for ingesting data from the different Microsoft Products. Curre
- `defender_atp` fileset: Supports Microsoft Defender ATP
- `dhcp` fileset: Supports Microsoft DHCP logs

include::../include/gs-link.asciidoc[]

[float]
=== Compatibility
include::../include/what-happens.asciidoc[]

Currently this module supports Microsoft Defender ATP.
include::../include/gs-link.asciidoc[]

include::../include/configuring-intro.asciidoc[]

:fileset_ex: defender_atp

include::../include/config-option-intro.asciidoc[]

[float]
==== `defender_atp` fileset settings

beta[]

To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.

The procedure to create an application is found on the below link:
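Review bot: the removed `=== Compatibility` section took with it the only statement of what this module supports; the removed sentence was already stale (it named only Defender ATP while the fileset list above also has `dhcp`), but the better fix is to keep a Compatibility stanza that lists both filesets and the product or API each was tested against rather than dropping it. Separately, on the line beginning "To allow the filebeat module to ingest data", "you would need to create a new application on your Azure domain" reads better as "you need to register an application in your Azure AD tenant", which also matches the Tenant ID value the next hunk asks the reader to collect.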
Expand All @@ -39,12 +42,11 @@ After the application has been created, it should contain 3 values that you need

These values are:

Client ID
Client Secret
Tenant ID
- Client ID
- Client Secret
- Tenant ID

[float]
==== `defender_atp` fileset settings
Example config:

[source,yaml]
----
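Review bot: the `Client Secret` list item documents a credential that, following the example config, ends up in `filebeat.yml` as a plain-text value, and nothing in the text says how to avoid that; add a sentence after the list pointing readers at the Filebeat keystore (`filebeat keystore add`) so the secret is stored there and referenced from the config with `${...}` syntax instead of being written into the file. Converting the three bare lines into a `- ` bullet list and dropping the duplicated `==== \`defender_atp\` fileset settings` heading is otherwise the right fix.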
Expand All @@ -56,8 +58,6 @@ Tenant ID
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
----

include::../include/var-paths.asciidoc[]

*`var.oauth2.client.id`*::

This is the client ID related to creating a new application on Azure.
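Review bot: dropping `include::../include/var-paths.asciidoc[]` from the `defender_atp` settings is correct, since this fileset pulls from the API through `var.oauth2.token_url` and has no file path to configure; the include reappears under the `dhcp` fileset in a later hunk, which is where it belongs. One sentence worth adding right after the example config: the `INSERT-TENANT-ID` placeholder in the token URL must be the same Tenant ID value collected above, because the `/oauth2/token` endpoint is tenant-scoped and a token issued by a different tenant will not be accepted by the Defender API.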
Expand All @@ -76,7 +76,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always
This is a list of Defender ATP fields that are mapped to ECS.

[options="header"]
|======================================================================|
|======================================================================
| Defender ATP Fields | ECS Fields |
| alertCreationTime | @timestamp |
| aadTenantId | cloud.account.id |
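Review bot: removing the trailing `|` from the table delimiter row is the real fix here; `|====...====|` is not recognized as an AsciiDoc table boundary, so the mapping table would not render as a table. The same correction is applied to the closing delimiter in the next hunk, so both ends of the table are now consistent. While in here, `[options="header"]` could gain `cols="1,1"` so the two columns render at equal width rather than being auto-sized by the longest field name.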
Expand All @@ -102,11 +102,31 @@ This is a list of Defender ATP fields that are mapped to ECS.
| relatedUser.domainName | host.user.domain |
| title | message |
| severity | event.severity |
|======================================================================|
|======================================================================

== Microsoft module
:has-dashboards!:

experimental[]
[float]
=== Dashboards

This module comes with a sample dashboard for Defender ATP.

[role="screenshot"]
image::./images/filebeat-defender-atp-overview.png[]

The best way to view Defender ATP events and alert data is in the SIEM.

[role="screenshot"]
image::./images/siem-alerts-cs.jpg[]

[float]
For alerts, go to Detections -> External alerts.

[role="screenshot"]
image::./images/siem-events-cs.jpg[]

[float]
And for all other Defender ATP event types, go to Host -> Events.

:fileset_ex: dhcp

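Review bot: `[float]` is placed directly above two ordinary paragraphs ("For alerts, go to Detections -> External alerts." and "And for all other Defender ATP event types, go to Host -> Events."); `[float]` is a block attribute for section titles, as used correctly on `=== Dashboards` just above, and on a paragraph it is at best ignored and at worst rendered as a stray style. Drop both stray `[float]` lines, or turn each into a real `==== ` sub-heading if the intent was to label the two SIEM screenshots. Removing the duplicated `== Microsoft module` heading and the mid-file `experimental[]` marker is a good cleanup; since `defender_atp` now carries `beta[]` in its settings section while `dhcp` keeps `experimental[]`, confirm those two maturity labels are the intended ones. `:has-dashboards!:` being unset right after the table and before `:fileset_ex: dhcp` means the `dhcp` fileset correctly does not advertise a dashboard.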
Expand All @@ -117,6 +137,8 @@ experimental[]

NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.

include::../include/var-paths.asciidoc[]

*`var.input`*::

The input from which messages are read. One of `file`, `tcp` or `udp`.
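Review bot: the `var.paths` include added here only matters when `var.input` is `file`, but the text right below it says the fileset also reads from `tcp` or `udp`; add one sentence after the include stating that `var.paths` is consulted only by the `file` input, or move the include next to the `file` option in the `var.input` description, otherwise readers configuring a syslog listener will set paths that have no effect.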
54 changes: 38 additions & 16 deletions x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
@@ -1,6 +1,7 @@
[role="xpack"]

:modulename: microsoft
:has-dashboards: true

== Microsoft module

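Review bot: this `_meta/docs.asciidoc` is the source from which `filebeat/docs/modules/microsoft.asciidoc` is generated (that file's first hunk header carries the banner "This file is generated! See scripts/docs_collector.py"), and the hunks below are line-for-line the same as in the generated copy. Any wording or structure fix to this documentation, including the stray `[float]` lines before paragraphs in the Dashboards section and the missing keystore guidance for the client secret, must be made here and the docs regenerated; a fix applied only to the generated file would be overwritten by the next run of the collector.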
Expand All @@ -9,19 +10,21 @@ This is a module for ingesting data from the different Microsoft Products. Curre
- `defender_atp` fileset: Supports Microsoft Defender ATP
- `dhcp` fileset: Supports Microsoft DHCP logs

include::../include/gs-link.asciidoc[]

[float]
=== Compatibility
include::../include/what-happens.asciidoc[]

Currently this module supports Microsoft Defender ATP.
include::../include/gs-link.asciidoc[]

include::../include/configuring-intro.asciidoc[]

:fileset_ex: defender_atp

include::../include/config-option-intro.asciidoc[]

[float]
==== `defender_atp` fileset settings

beta[]

To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.

The procedure to create an application is found on the below link:
Expand All @@ -34,12 +37,11 @@ After the application has been created, it should contain 3 values that you need

These values are:

Client ID
Client Secret
Tenant ID
- Client ID
- Client Secret
- Tenant ID

[float]
==== `defender_atp` fileset settings
Example config:

[source,yaml]
----
Expand All @@ -51,8 +53,6 @@ Tenant ID
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
----

include::../include/var-paths.asciidoc[]

*`var.oauth2.client.id`*::

This is the client ID related to creating a new application on Azure.
Expand All @@ -71,7 +71,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always
This is a list of Defender ATP fields that are mapped to ECS.

[options="header"]
|======================================================================|
|======================================================================
| Defender ATP Fields | ECS Fields |
| alertCreationTime | @timestamp |
| aadTenantId | cloud.account.id |
Expand All @@ -97,11 +97,31 @@ This is a list of Defender ATP fields that are mapped to ECS.
| relatedUser.domainName | host.user.domain |
| title | message |
| severity | event.severity |
|======================================================================|
|======================================================================

== Microsoft module
:has-dashboards!:

experimental[]
[float]
=== Dashboards

This module comes with a sample dashboard for Defender ATP.

[role="screenshot"]
image::./images/filebeat-defender-atp-overview.png[]

The best way to view Defender ATP events and alert data is in the SIEM.

[role="screenshot"]
image::./images/siem-alerts-cs.jpg[]

[float]
For alerts, go to Detections -> External alerts.

[role="screenshot"]
image::./images/siem-events-cs.jpg[]

[float]
And for all other Defender ATP event types, go to Host -> Events.

:fileset_ex: dhcp

Expand All @@ -112,6 +132,8 @@ experimental[]

NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.

include::../include/var-paths.asciidoc[]

*`var.input`*::

The input from which messages are read. One of `file`, `tcp` or `udp`.