elastic · marc-gr · Oct 6, 2020 · Sep 24, 2020 · Sep 28, 2020 · Oct 1, 2020
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc
@@ -12,7 +12,8 @@ This file is generated! See scripts/docs_collector.py
 
 This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets:
 
-- `defender_atp` fileset: Supports Microsoft Defender ATP
+- `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP)
+- `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection)
 - `dhcp` fileset: Supports Microsoft DHCP logs
 
 include::../include/what-happens.asciidoc[]
@@ -25,6 +26,85 @@ include::../include/configuring-intro.asciidoc[]
 
 include::../include/config-option-intro.asciidoc[]
 
+[float]
+==== `m365_defender` fileset settings
+
+beta[]
+
+To configure access for filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return
-To configure access for filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return
+To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return.
-To configure access for filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return
+To configure access for Filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return.
+Oauth tokens with access to the Microsoft 365 Defender API
+
+The procedure to create an application is found on the below link:
+
+https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-create-app-web?view=o365-worldwide#create-an-app[Create a new Azure Application]
+
+When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain.
+
+After the application has been created, it should contain 3 values that you need to apply to the module configuration.
+
+These values are:
+
+- Client ID
+- Client Secret
+- Tenant ID
+
+Example config:
+
+[source,yaml]
+----
+- module: microsoft
+  m365_defender:
+    enabled: true
+    var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
+    var.oauth2.client.secret: "980453~-Sg99gedf"
+    var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
+----
+
+*`var.oauth2.client.id`*::
+
+This is the client ID related to creating a new application on Azure.
+
+*`var.oauth2.client.secret`*::
+
+The secret related to the client ID.
+
+*`var.oauth2.token_url`*::
+
+A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
+
+[float]
+==== 365 Defender ECS fields
+
+This is a list of 365 Defender fields that are mapped to ECS.
+
+[options="header"]
+|======================================================================
+| 365 Defender Fields                 | ECS Fields                     |
+| lastUpdateTime                      | @timestamp                     |
+| severity                            | event.severity                 |
+| createdTime                         | event.created                  |
+| alerts.category                     | threat.technique.name          |
+| alerts.description                  | rule.description               |
+| alerts.serviceSource                | event.provider                 |
+| alerts.alertId                      | event.id                       |
+| alerts.firstActivity                | event.start                    |
+| alerts.lastActivity                 | event.end                      |
+| alerts.title                        | message                        |
+| entities.processId                  | process.pid                    |
+| entities.processCommandLine         | process.command_line           |
+| entities.processCreationTime        | process.start                  |
+| entities.parentProcessId            | process.parent.pid             |
+| entities.parentProcessCreationTime  | process.parent.start           |
+| entities.sha1                       | file.hash.sha1                 |
+| entities.sha256                     | file.hash.sha256               |
+| entities.url                        | url.full                       |
+| entities.filePath                   | file.path                      |
+| entities.fileName                   | file.name                      |
+| entities.userPrincipalName          | host.user.name                 |
+| entities.domainName                 | host.user.domain               |
+| entities.aadUserId                  | host.user.id                   |
+|======================================================================
+
 [float]
 ==== `defender_atp` fileset settings
 
@@ -114,7 +194,7 @@ This module comes with a sample dashboard for Defender ATP.
 [role="screenshot"]
 image::./images/filebeat-defender-atp-overview.png[]
 
-The best way to view Defender ATP events and alert data is in the SIEM. 
+The best way to view Defender ATP events and alert data is in the SIEM.
 
 [role="screenshot"]
 image::./images/siem-alerts-cs.jpg[]

diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -1105,7 +1105,20 @@ filebeat.modules:
 
     # Oauth Client Secret
     #var.oauth2.client.secret: ""
-
+
+    # Oauth Token URL, should include the tenant ID
+    #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+  m365_defender:
+    enabled: true
+    # How often the API should be polled
+    #var.interval: 5m
+
+    # Oauth Client ID
+    #var.oauth2.client.id: ""
+
+    # Oauth Client Secret
+    #var.oauth2.client.secret: ""
+
     # Oauth Token URL, should include the tenant ID
     #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
   dhcp:

diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
@@ -10,7 +10,20 @@
 
     # Oauth Client Secret
     #var.oauth2.client.secret: ""
-
+
+    # Oauth Token URL, should include the tenant ID
+    #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+  m365_defender:
+    enabled: true
+    # How often the API should be polled
+    #var.interval: 5m
+
+    # Oauth Client ID
+    #var.oauth2.client.id: ""
+
+    # Oauth Client Secret
+    #var.oauth2.client.secret: ""
+
     # Oauth Token URL, should include the tenant ID
     #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
   dhcp:

diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
@@ -7,7 +7,8 @@
 
 This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets:
 
-- `defender_atp` fileset: Supports Microsoft Defender ATP
+- `defender_atp` fileset: Supports Microsoft Defender for Endpoint (Microsoft Defender ATP)
+- `m365_defender` fileset: Supports Microsoft 365 Defender (Microsoft Threat Protection)
 - `dhcp` fileset: Supports Microsoft DHCP logs
 
 include::../include/what-happens.asciidoc[]
@@ -20,6 +21,85 @@ include::../include/configuring-intro.asciidoc[]
 
 include::../include/config-option-intro.asciidoc[]
 
+[float]
+==== `m365_defender` fileset settings
+
+beta[]
+
+To configure access for filebeat to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return
+Oauth tokens with access to the Microsoft 365 Defender API
+
+The procedure to create an application is found on the below link:
+
+https://docs.microsoft.com/en-us/microsoft-365/security/mtp/api-create-app-web?view=o365-worldwide#create-an-app[Create a new Azure Application]
+
+When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain.
+
+After the application has been created, it should contain 3 values that you need to apply to the module configuration.
+
+These values are:
+
+- Client ID
+- Client Secret
+- Tenant ID
+
+Example config:
+
+[source,yaml]
+----
+- module: microsoft
+  m365_defender:
+    enabled: true
+    var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
+    var.oauth2.client.secret: "980453~-Sg99gedf"
+    var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
+----
+
+*`var.oauth2.client.id`*::
+
+This is the client ID related to creating a new application on Azure.
+
+*`var.oauth2.client.secret`*::
+
+The secret related to the client ID.
+
+*`var.oauth2.token_url`*::
+
+A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
+
+[float]
+==== 365 Defender ECS fields
+
+This is a list of 365 Defender fields that are mapped to ECS.
+
+[options="header"]
+|======================================================================
+| 365 Defender Fields                 | ECS Fields                     |
+| lastUpdateTime                      | @timestamp                     |
+| severity                            | event.severity                 |
+| createdTime                         | event.created                  |
+| alerts.category                     | threat.technique.name          |
+| alerts.description                  | rule.description               |
+| alerts.serviceSource                | event.provider                 |
+| alerts.alertId                      | event.id                       |
+| alerts.firstActivity                | event.start                    |
+| alerts.lastActivity                 | event.end                      |
+| alerts.title                        | message                        |
+| entities.processId                  | process.pid                    |
+| entities.processCommandLine         | process.command_line           |
+| entities.processCreationTime        | process.start                  |
+| entities.parentProcessId            | process.parent.pid             |
+| entities.parentProcessCreationTime  | process.parent.start           |
+| entities.sha1                       | file.hash.sha1                 |
+| entities.sha256                     | file.hash.sha256               |
+| entities.url                        | url.full                       |
+| entities.filePath                   | file.path                      |
+| entities.fileName                   | file.name                      |
+| entities.userPrincipalName          | host.user.name                 |
+| entities.domainName                 | host.user.domain               |
+| entities.aadUserId                  | host.user.id                   |
+|======================================================================
+
 [float]
 ==== `defender_atp` fileset settings
 
@@ -109,7 +189,7 @@ This module comes with a sample dashboard for Defender ATP.
 [role="screenshot"]
 image::./images/filebeat-defender-atp-overview.png[]
 
-The best way to view Defender ATP events and alert data is in the SIEM. 
+The best way to view Defender ATP events and alert data is in the SIEM.
 
 [role="screenshot"]
 image::./images/siem-alerts-cs.jpg[]