Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cherry-pick #20058 to 7.9: [Filebeat Module] Defender ATP - Adding dashboard #20093

Merged
merged 1 commit into from
Jul 28, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
54 changes: 38 additions & 16 deletions filebeat/docs/modules/microsoft.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ This file is generated! See scripts/docs_collector.py
[role="xpack"]

:modulename: microsoft
:has-dashboards: true

== Microsoft module

Expand All @@ -14,19 +15,21 @@ This is a module for ingesting data from the different Microsoft Products. Curre
- `defender_atp` fileset: Supports Microsoft Defender ATP
- `dhcp` fileset: Supports Microsoft DHCP logs

include::../include/gs-link.asciidoc[]

[float]
=== Compatibility
include::../include/what-happens.asciidoc[]

Currently this module supports Microsoft Defender ATP.
include::../include/gs-link.asciidoc[]

include::../include/configuring-intro.asciidoc[]

:fileset_ex: defender_atp

include::../include/config-option-intro.asciidoc[]

[float]
==== `defender_atp` fileset settings

beta[]

To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.

The procedure to create an application is found on the below link:
Expand All @@ -39,12 +42,11 @@ After the application has been created, it should contain 3 values that you need

These values are:

Client ID
Client Secret
Tenant ID
- Client ID
- Client Secret
- Tenant ID

[float]
==== `defender_atp` fileset settings
Example config:

[source,yaml]
----
Expand All @@ -56,8 +58,6 @@ Tenant ID
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
----

include::../include/var-paths.asciidoc[]

*`var.oauth2.client.id`*::

This is the client ID related to creating a new application on Azure.
Expand All @@ -76,7 +76,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always
This is a list of Defender ATP fields that are mapped to ECS.

[options="header"]
|======================================================================|
|======================================================================
| Defender ATP Fields | ECS Fields |
| alertCreationTime | @timestamp |
| aadTenantId | cloud.account.id |
Expand All @@ -102,11 +102,31 @@ This is a list of Defender ATP fields that are mapped to ECS.
| relatedUser.domainName | host.user.domain |
| title | message |
| severity | event.severity |
|======================================================================|
|======================================================================

== Microsoft module
:has-dashboards!:

experimental[]
[float]
=== Dashboards

This module comes with a sample dashboard for Defender ATP.

[role="screenshot"]
image::./images/filebeat-defender-atp-overview.png[]

The best way to view Defender ATP events and alert data is in the SIEM.

[role="screenshot"]
image::./images/siem-alerts-cs.jpg[]

[float]
For alerts, go to Detections -> External alerts.

[role="screenshot"]
image::./images/siem-events-cs.jpg[]

[float]
And for all other Defender ATP event types, go to Host -> Events.

:fileset_ex: dhcp

Expand All @@ -117,6 +137,8 @@ experimental[]

NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.

include::../include/var-paths.asciidoc[]

*`var.input`*::

The input from which messages are read. One of `file`, `tcp` or `udp`.
Expand Down
54 changes: 38 additions & 16 deletions x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
[role="xpack"]

:modulename: microsoft
:has-dashboards: true

== Microsoft module

Expand All @@ -9,19 +10,21 @@ This is a module for ingesting data from the different Microsoft Products. Curre
- `defender_atp` fileset: Supports Microsoft Defender ATP
- `dhcp` fileset: Supports Microsoft DHCP logs

include::../include/gs-link.asciidoc[]

[float]
=== Compatibility
include::../include/what-happens.asciidoc[]

Currently this module supports Microsoft Defender ATP.
include::../include/gs-link.asciidoc[]

include::../include/configuring-intro.asciidoc[]

:fileset_ex: defender_atp

include::../include/config-option-intro.asciidoc[]

[float]
==== `defender_atp` fileset settings

beta[]

To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.

The procedure to create an application is found on the below link:
Expand All @@ -34,12 +37,11 @@ After the application has been created, it should contain 3 values that you need

These values are:

Client ID
Client Secret
Tenant ID
- Client ID
- Client Secret
- Tenant ID

[float]
==== `defender_atp` fileset settings
Example config:

[source,yaml]
----
Expand All @@ -51,8 +53,6 @@ Tenant ID
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
----

include::../include/var-paths.asciidoc[]

*`var.oauth2.client.id`*::

This is the client ID related to creating a new application on Azure.
Expand All @@ -71,7 +71,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always
This is a list of Defender ATP fields that are mapped to ECS.

[options="header"]
|======================================================================|
|======================================================================
| Defender ATP Fields | ECS Fields |
| alertCreationTime | @timestamp |
| aadTenantId | cloud.account.id |
Expand All @@ -97,11 +97,31 @@ This is a list of Defender ATP fields that are mapped to ECS.
| relatedUser.domainName | host.user.domain |
| title | message |
| severity | event.severity |
|======================================================================|
|======================================================================

== Microsoft module
:has-dashboards!:

experimental[]
[float]
=== Dashboards

This module comes with a sample dashboard for Defender ATP.

[role="screenshot"]
image::./images/filebeat-defender-atp-overview.png[]

The best way to view Defender ATP events and alert data is in the SIEM.

[role="screenshot"]
image::./images/siem-alerts-cs.jpg[]

[float]
For alerts, go to Detections -> External alerts.

[role="screenshot"]
image::./images/siem-events-cs.jpg[]

[float]
And for all other Defender ATP event types, go to Host -> Events.

:fileset_ex: dhcp

Expand All @@ -112,6 +132,8 @@ experimental[]

NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.

include::../include/var-paths.asciidoc[]

*`var.input`*::

The input from which messages are read. One of `file`, `tcp` or `udp`.
Expand Down
Loading