diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 41052988f05..f296b15b107 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -142,6 +142,7 @@
 /packages/mattermost @elastic/security-external-integrations
 /packages/memcached @elastic/obs-infraobs-integrations
 /packages/microsoft @elastic/security-external-integrations
+/packages/microsoft_defender_cloud @elastic/security-external-integrations
 /packages/microsoft_defender_endpoint @elastic/security-external-integrations
 /packages/microsoft_dhcp @elastic/security-external-integrations
 /packages/microsoft_exchange_online_message_trace @elastic/security-external-integrations
diff --git a/packages/microsoft_defender_cloud/_dev/build/build.yml b/packages/microsoft_defender_cloud/_dev/build/build.yml
new file mode 100644
index 00000000000..84034dcea1e
--- /dev/null
+++ b/packages/microsoft_defender_cloud/_dev/build/build.yml
@@ -0,0 +1,4 @@
+dependencies:
+ ecs:
+ reference: git@v8.8.0
+ import_mappings: true
diff --git a/packages/microsoft_defender_cloud/_dev/build/docs/README.md b/packages/microsoft_defender_cloud/_dev/build/docs/README.md
new file mode 100644
index 00000000000..bf5c701b2c3
--- /dev/null
+++ b/packages/microsoft_defender_cloud/_dev/build/docs/README.md
@@ -0,0 +1,72 @@
+# Microsoft Defender for Cloud
+
+The [Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) integration allows you to monitor security alert events. When integrated with Elastic Security, this valuable data can be leveraged within Elastic for analyzing the resources and services that users are protecting through Microsoft Defender.
+
+Use the Microsoft Defender for Cloud integration to collect and parse data from **Azure Event Hub** and then visualize that data in Kibana.
+
+## Data streams
+
+The Microsoft Defender for Cloud integration collects one type of data: event.
+
+**Event** allows users to preserve a record of security events that occurred on the subscription, which includes real-time events that affect the security of the user's environment. For further information connected to security alerts and type, Refer to the page [here](https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference).
+
+## Prerequisites
+
+To get started with Defender for Cloud, user must have a subscription to Microsoft Azure.
+
+## Requirements
+
+- Elastic Agent must be installed.
+- You can install only one Elastic Agent per host.
+- Elastic Agent is required to stream data from the **Azure Event Hub** and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+The minimum **kibana.version** required is **8.3.0**.
+
+## Setup
+
+### To collect data from Microsoft Azure Event Hub, follow the below steps:
+
+- Configure the Microsoft Defender for Cloud on Azure subscription. For more detail, refer to the link [here](https://learn.microsoft.com/en-us/azure/defender-for-cloud/get-started).
+
+### Enabling the integration in Elastic:
+
+1. In Kibana, go to Management > Integrations.
+2. In the "Search for integrations" search bar, type Microsoft Defender for Cloud.
+3. Click on the "Microsoft Defender for Cloud" integration from the search results.
+4. Click on the Add Microsoft Defender for Cloud Integration button to add the integration.
+5. While adding the integration, if you want to collect logs via **Azure Event Hub**, then you have to put the following details:
+ - eventhub
+ - consumer_group
+ - connection_string
+ - storage_account
+ - storage_account_key
+ - storage_account_container (optional)
+ - resource_manager_endpoint (optional)
+
+## Logs reference
+
+### Event
+
+This is the `Event` dataset.
+
+#### Example
+
+{{fields "event"}}
diff --git a/packages/microsoft_defender_cloud/changelog.yml b/packages/microsoft_defender_cloud/changelog.yml
new file mode 100644
index 00000000000..972d4764504
--- /dev/null
+++ b/packages/microsoft_defender_cloud/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/6593
diff --git a/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-alert.log b/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-alert.log
new file mode 100644
index 00000000000..a5d4bb8c446
--- /dev/null
+++ b/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-alert.log
@@ -0,0 +1,5 @@ +{"securityEventDataEnrichment":{"action":"Write","apiVersion":"2019-01-01-preview","isSnapshot":false,"interval":"00:00:00"},"id":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/providers/Microsoft.Security/regulatoryComplianceStandards/Microsoft-cloud-security-benchmark/regulatoryComplianceControls/LT.5/regulatoryComplianceAssessments/45cfe080-ceb1-a91e-9743-71551ed24e94","name":"45cfe080-ceb1-a91e-9743-71551ed24e94","type":"Microsoft.Security/regulatoryComplianceStandards/regulatoryComplianceControls/regulatoryComplianceAssessments","properties":{"description":"Log Analytics agent should be installed on virtual machine scale sets","state":"Skipped","passedResources":0,"failedResources":0,"skippedResources":1,"assessmentType":"AssessmentResult","assessmentDetailsLink":"https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/45cfe080-ceb1-a91e-9743-71551ed24e94/initiativeId/Microsoft-cloud-security-benchmark"}} +{"assessmentEventDataEnrichment":{"action":"Delete","apiVersion":"2019-01-01","isSnapshot":false},"securityEventDataEnrichment":{"action":"Delete","apiVersion":"2019-01-01","isSnapshot":false},"tenantId":"aa40685b-417d-4664-b4ec-8f7640719adb","type":"Microsoft.Security/assessments","kind":null,"location":null,"id":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-esf/providers/microsoft.web/sites/mbranca-esf/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e","name":"7b3d4796-9400-2904-692b-4a5ede7f0a1e","tags":null,"properties":{"resourceDetails":{"source":"Azure","id":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-esf/providers/microsoft.web/sites/mbranca-esf"},"displayName":"CORS should not allow every resource to access Function 
Apps","status":{"code":"Healthy","statusChangeDate":"2023-05-09T13:19:49.3381028Z","firstEvaluationDate":"2023-05-09T13:19:49.3381028Z"},"additionalData":{"kind":"Functionapp"},"metadata":{"displayName":"CORS should not allow every resource to access Function Apps","assessmentType":"BuiltIn","policyDefinitionId":"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.","remediationDescription":"To allow only required domains to interact with your web app, we recommend the following steps:
1. Go to the app service CORS page
2. Remove the \"*\" defined and instead specify explicit origins that should be allowed to make cross-origin calls
3. Click Save","categories":["AppServices"],"severity":"Low","userImpact":"Low","implementationEffort":"Low","threats":["MaliciousInsider","AccountBreach"]},"links":{"azurePortal":"portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7b3d4796-9400-2904-692b-4a5ede7f0a1e/resourceId/%2fsubscriptions%2f12cabcb4-86e8-404f-a3d2-1dc9982f45ca%2fresourcegroups%2fmbranca-esf%2fproviders%2fmicrosoft.web%2fsites%2fmbranca-esf"}}} +{"securityEventDataEnrichment":{"action":"Insert","apiVersion":"2020-01-01","isSnapshot":false},"id":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/providers/Microsoft.Security/secureScores/ascScore/secureScoreControls/61702b76-1fab-41f2-bcbc-50b7870dcf38","name":"61702b76-1fab-41f2-bcbc-50b7870dcf38","type":"Microsoft.Security/secureScores/secureScoreControls","properties":{"displayName":"Apply system updates","healthyResourceCount":0,"unhealthyResourceCount":3,"notApplicableResourceCount":1,"score":{"max":6,"current":0,"percentage":0},"definition":{"id":"/providers/Microsoft.Security/secureScoreControlDefinitions/61702b76-1fab-41f2-bcbc-50b7870dcf38","name":"61702b76-1fab-41f2-bcbc-50b7870dcf38","type":"Microsoft.Security/secureScoreControlDefinitions","properties":{"source":{"sourceType":"BuiltIn"},"displayName":"Apply system 
updates","maxScore":6,"assessmentDefinitions":[{"id":"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626"},{"id":"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08"},{"id":"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1"},{"id":"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"},{"id":"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f"},{"id":"/providers/Microsoft.Security/assessmentMetadata/90386950-71ca-4357-a12e-486d1679427c"},{"id":"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94"},{"id":"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146"},{"id":"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5"},{"id":"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462"},{"id":"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45"},{"id":"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65"}]}},"weight":3}} 
+{"$type":"subAssessmentEvent","SubAssessmentEventDataEnrichment":{"$type":"subAssessmentEventDataEnrichment","Action":"Delete","ApiVersion":"2020-01-01","IsSnapshot":false},"SecurityEventDataEnrichment":{"$type":"subAssessmentEventDataEnrichment","Action":"Delete","ApiVersion":"2020-01-01","IsSnapshot":false},"TenantId":"aa40685b-417d-4664-b4ec-8f7640719adb","Type":"Microsoft.Security/assessments/subAssessments","Id":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-sdh-3372/providers/microsoft.compute/virtualmachines/sdh-3372/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subassessments/93d2736e-7329-8806-3ef6-e71bb2203d11","Name":"93d2736e-7329-8806-3ef6-e71bb2203d11","Properties":{"$type":"response/subAssessmentProperties","Id":"93d2736e-7329-8806-3ef6-e71bb2203d11","DisplayName":"Ensure DCCP is disabled","Status":{"$type":"status","Code":"Unhealthy","Severity":"Low"},"Remediation":"Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install dccp /bin/true` then unload the dccp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'","Impact":"If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.","Category":"N/A","Description":"Ensure DCCP is disabled","TimeGenerated":"2023-05-12T09:58:32.2607101Z","ResourceDetails":{"$type":"resourceDetails/azure","Source":"Azure","Id":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-sdh-3372/providers/microsoft.compute/virtualmachines/sdh-3372"},"AdditionalData":{"$type":"additionalData/general","AssessedResourceType":"GeneralVulnerability","Data":{"OsName":"Linux","RuleType":"Command","Vulnerability":"","AZID":"MSID 54","DataSourceType":"Not Applicable","DataSourceKey":"Not Applicable"}}}} +{"VendorName":"Microsoft","AlertType":"ARM_AnomalousServiceOperation.CredentialAccess","ProductName":"Microsoft 
Defender for Cloud","StartTimeUtc":"2023-05-11T13:15:45.0170422Z","EndTimeUtc":"2023-05-11T13:15:45.0170422Z","TimeGenerated":"2023-05-11T13:17:09.0170422Z","ProcessingEndTime":"2023-05-11T13:17:09.0170422Z","Severity":"Medium","Status":"New","ProviderAlertStatus":null,"ConfidenceLevel":null,"ConfidenceScore":null,"ConfidenceReasons":null,"IsIncident":false,"SystemAlertId":"2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d","CorrelationKey":null,"Intent":"PreAttack","AzureResourceId":"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM","WorkspaceId":"00000000-0000-0000-0000-000000000001","WorkspaceSubscriptionId":"00000000-0000-0000-0000-000000000001","WorkspaceResourceGroup":"Sample-RG","AgentId":null,"CompromisedEntity":"Sample-VM","AlertDisplayName":"[SAMPLE ALERT] Login from a suspicious IP","Description":"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.","Entities":[{"$id":"5","Address":"81.2.69.142","Location":{"CountryCode":"US","CountryName":"United 
States","State":"Virginia","City":"Washington","Longitude":-78.17197,"Latitude":38.73078,"Asn":8075},"ThreatIntelligence":[{"ProviderName":"AlertSimulator","ThreatType":"Sample-Type","ThreatName":"Sample-Threat","Confidence":1,"ThreatDescription":""}],"Asset":false,"Type":"ip"},{"$id":"6","ImageId":"sample-image:v1","Asset":false,"Type":"container-image"},{"$ref":"6"},{"$id":"5","DnsDomain":"","NTDomain":"","HostName":"Sample-VM","NetBiosName":"Sample-VM","AzureID":"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM","OMSAgentID":"00000000-0000-0000-0000-000000000001","OSFamily":"Linux","OSVersion":"Linux","Asset":false,"Type":"host"},{"$id":"6","ProcessId":"0x1e49a","CommandLine":"","Host":{"$ref":"5"},"Asset":false,"Type":"process"},{"$id":"7","Name":"Sample-account","Host":{"$ref":"5"},"Sid":"","Asset":false,"Type":"account","LogonId":"0xbd6e"},{"$id":"9","ProcessId":"0x1e99b","CommandLine":"php","CreationTimeUtc":"2023-05-11T13:17:49.1333596Z","ImageFile":{"$ref":"8"},"Account":{"$ref":"7"},"ParentProcess":{"$ref":"6"},"Host":{"$ref":"5"},"Asset":false,"Type":"process"},{"$id":"5","DomainName":"sample.domain","IpAddresses":[{"$id":"6","Address":"81.2.69.142","Location":{"CountryCode":"US","CountryName":"United States","State":"California","City":"San Francisco","Longitude":0,"Latitude":0,"Asn":0},"Asset":false,"Type":"ip"}],"HostIpAddress":{"$ref":"6"},"Asset":false,"Type":"dns"},{"$id":"6","Address":"81.2.69.142","Location":{"CountryCode":"sample","CountryName":"united states","State":"texas","City":"san 
antonio","Longitude":0,"Latitude":0,"Asn":0,"Carrier":"sample","Organization":"sample-organization","OrganizationType":"sample-organization","CloudProvider":"Azure","SystemService":"sample"},"ThreatIntelligence":[{"ProviderName":"Sample-Provider","ThreatType":"Sample-Threat","ThreatName":"Sample-Threat","Confidence":0.8,"ThreatDescription":"Sample-Threat"}],"Asset":false,"Type":"ip"},{"$id":"5","HostName":"Sample-VM","AzureID":"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM","OMSAgentID":"00000000-0000-0000-0000-000000000000","Asset":false,"Type":"host"},{"$id":"7","Directory":"Sample-fileShare/dummy/path/to","Name":"Sample-Name","FileHashes":[{"$id":"8","Algorithm":"MD5","Value":"Sample-SHA","Asset":false,"Type":"filehash"}],"Asset":false,"Type":"file"},{"$id":"9","Name":"Sample-Name","Category":"Virus","Files":[{"$ref":"8"}],"Asset":false,"Type":"malware"},{"$id":"5","DomainName":"sample.domain","IpAddresses":[{"$id":"6","Address":"81.2.69.142","Location":{"CountryCode":"US","CountryName":"United States","State":"California","City":"San Francisco","Longitude":0,"Latitude":0,"Asn":0},"Asset":false,"Type":"ip"}],"HostIpAddress":{"$ref":"6"},"Asset":false,"Type":"dns"},{"$id":"7","Name":"Sample-account","NTDomain":"Sample-VM","Host":{"$ref":"5"},"Sid":"S-1-5-21-3061399664-1673012318-3185014992-20022","IsDomainJoined":false,"Asset":false,"Type":"account","LogonId":"0x427d8dd9"},{"$id":"7","Name":"Sample-namespace","Cluster":{"$ref":"5"},"Asset":false,"Type":"K8s-namespace"},{"$id":"8","Name":"sample-pod","Namespace":{"$ref":"7"},"Asset":false,"Type":"K8s-pod"},{"$id":"9","Name":"sample-container","Image":{"$ref":"4"},"Pod":{"$ref":"8"},"Asset":false,"Type":"container"},{"$id":"10","ProjectId":"012345678901","ResourceType":"GCP 
Resource","ResourceName":"Sample-Cluster","Location":"us-central1-c","LocationType":"Zonal","Asset":true,"Type":"gcp-resource","RelatedAzureResourceIds":["/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c"]},{"$id":"7","Name":"Sample-Name","BlobContainer":{"$ref":"5"},"Url":"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt","Etag":"Sample-Tag","Asset":false,"Type":"blob"},{"$id":"5","Name":"sample","UPNSuffix":"contoso.com","AadTenantId":"00000000-0000-0000-0000-000000000000","AadUserId":"00000000-0000-0000-0000-000000000000","Asset":false,"Type":"account"},{"$id":"5","CloudResource":{"$ref":"4"},"Asset":false,"Type":"K8s-cluster"},{"$id":"8","Directory":"https://Sample-Storage.blob.core.windows.net/Sample","Name":"Sample-Name","FileHashes":[{"$ref":"6"}],"Asset":false,"Type":"file"},{"$id":"10","ProjectId":"012345678901","ResourceType":"GCP Resource","ResourceName":"Sample-Cluster","Location":"us-central1-c","LocationType":"Zonal","Asset":true,"Type":"gcp-resource","RelatedAzureResourceIds":["/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c"]},{"$id":"6","SourceAddress":{"$ref":"5"},"Protocol":"Tcp","Asset":false,"Type":"network-connection"},{"$id":"7","Name":"Sample-Name","StorageResource":{"$ref":"4"},"Asset":false,"Type":"blob-container"},{"$id":"7","ContainerId":"cc8ec8580f4c","Image":{"$ref":"6"},"Asset":false,"Type":"container"},{"$id":"5","Address":"81.2.69.142","Location":{"CountryCode":"IN","CountryName":"United 
States","State":"Virginia","City":"Washington","Longitude":-78.17197,"Latitude":38.73078,"Asn":8075},"ThreatIntelligence":[{"ProviderName":"AlertSimulator","ThreatType":"Sample-Type","ThreatName":"Sample-Threat","Confidence":1,"ThreatDescription":""}],"Asset":false,"Type":"ip"}],"ExtendedLinks":[{"Href":"https://blog.netspi.com/gathering-bearer-tokens-azure/","Category":null,"Label":"NetSPI blogpost","Type":"webLink"},{"Href":"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1","Category":null,"Label":"MicroBurst source code","Type":"webLink"}],"ResourceIdentifiers":[{"$id":"2","AzureResourceId":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca","Type":"AzureResource","AzureResourceTenantId":"aa40685b-417d-4664-b4ec-8f7640719adb"},{"$id":"3","AadTenantId":"aa40685b-417d-4664-b4ec-8f7640719adb","Type":"AAD"},{"$id":"3","WorkspaceId":"00000000-0000-0000-0000-000000000001","WorkspaceSubscriptionId":"00000000-0000-0000-0000-000000000001","WorkspaceResourceGroup":"Sample-RG","AgentId":"00000000-0000-0000-0000-00000000000","Type":"LogAnalytics"}],"RemediationSteps":["Go to the firewall settings in order to lock down the firewall as tightly as possible."],"ExtendedProperties":{"resourceType":"Virtual Machine","Investigation steps":"{\"displayValue\":\"How to investigate this alert using logs at your Log Analytics workspace.\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2091064\"}","Potential causes":"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.","Client principal name":"Sample-user","Alert Id":"00000000-0000-0000-0000-000000000000","Client IP address":"81.2.69.142","Client IP location":"Sample","Client application":"Sample-app","OMS workspace ID":"00000000-0000-0000-0000-000000000001","OMS agent 
ID":"00000000-0000-0000-0000-000000000001"},"AlertUri":"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d/subscriptionId/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus"} \ No newline at end of file diff --git a/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-alert.log-expected.json b/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-alert.log-expected.json new file mode 100644 index 00000000000..ed97fb86a2e --- /dev/null +++ b/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-alert.log-expected.json 
@@ -0,0 +1,789 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"securityEventDataEnrichment\":{\"action\":\"Write\",\"apiVersion\":\"2019-01-01-preview\",\"isSnapshot\":false,\"interval\":\"00:00:00\"},\"id\":\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/providers/Microsoft.Security/regulatoryComplianceStandards/Microsoft-cloud-security-benchmark/regulatoryComplianceControls/LT.5/regulatoryComplianceAssessments/45cfe080-ceb1-a91e-9743-71551ed24e94\",\"name\":\"45cfe080-ceb1-a91e-9743-71551ed24e94\",\"type\":\"Microsoft.Security/regulatoryComplianceStandards/regulatoryComplianceControls/regulatoryComplianceAssessments\",\"properties\":{\"description\":\"Log Analytics agent should be installed on virtual machine scale sets\",\"state\":\"Skipped\",\"passedResources\":0,\"failedResources\":0,\"skippedResources\":1,\"assessmentType\":\"AssessmentResult\",\"assessmentDetailsLink\":\"https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/45cfe080-ceb1-a91e-9743-71551ed24e94/initiativeId/Microsoft-cloud-security-benchmark\"}}", + "type": [ + "info" + ] + }, + "microsoft_defender_cloud": { + "event": { + "id": "/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/providers/Microsoft.Security/regulatoryComplianceStandards/Microsoft-cloud-security-benchmark/regulatoryComplianceControls/LT.5/regulatoryComplianceAssessments/45cfe080-ceb1-a91e-9743-71551ed24e94", + "name": "45cfe080-ceb1-a91e-9743-71551ed24e94", + "properties": { + "assessment": { + "details_link": "https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/45cfe080-ceb1-a91e-9743-71551ed24e94/initiativeId/Microsoft-cloud-security-benchmark", + "type": "AssessmentResult" + }, + "description": "Log Analytics agent should be installed on virtual machine scale sets", + "failed_resources": 0, + "passed_resources": 0, + 
"skipped_resources": 1, + "state": "Skipped" + }, + "security_event_data_enrichment": { + "action": "Write", + "api_version": "2019-01-01-preview", + "interval": "00:00:00", + "is_snapshot": false + }, + "type": "Microsoft.Security/regulatoryComplianceStandards/regulatoryComplianceControls/regulatoryComplianceAssessments" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"assessmentEventDataEnrichment\":{\"action\":\"Delete\",\"apiVersion\":\"2019-01-01\",\"isSnapshot\":false},\"securityEventDataEnrichment\":{\"action\":\"Delete\",\"apiVersion\":\"2019-01-01\",\"isSnapshot\":false},\"tenantId\":\"aa40685b-417d-4664-b4ec-8f7640719adb\",\"type\":\"Microsoft.Security/assessments\",\"kind\":null,\"location\":null,\"id\":\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-esf/providers/microsoft.web/sites/mbranca-esf/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\"name\":\"7b3d4796-9400-2904-692b-4a5ede7f0a1e\",\"tags\":null,\"properties\":{\"resourceDetails\":{\"source\":\"Azure\",\"id\":\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-esf/providers/microsoft.web/sites/mbranca-esf\"},\"displayName\":\"CORS should not allow every resource to access Function Apps\",\"status\":{\"code\":\"Healthy\",\"statusChangeDate\":\"2023-05-09T13:19:49.3381028Z\",\"firstEvaluationDate\":\"2023-05-09T13:19:49.3381028Z\"},\"additionalData\":{\"kind\":\"Functionapp\"},\"metadata\":{\"displayName\":\"CORS should not allow every resource to access Function Apps\",\"assessmentType\":\"BuiltIn\",\"policyDefinitionId\":\"/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\"description\":\"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.\",\"remediationDescription\":\"To allow only required domains to interact with your web app, we recommend the following steps:\u003cbr\u003e1. Go to the app service CORS page\u003cbr\u003e2. Remove the \\\"*\\\" defined and instead specify explicit origins that should be allowed to make cross-origin calls\u003cbr\u003e3. Click Save\",\"categories\":[\"AppServices\"],\"severity\":\"Low\",\"userImpact\":\"Low\",\"implementationEffort\":\"Low\",\"threats\":[\"MaliciousInsider\",\"AccountBreach\"]},\"links\":{\"azurePortal\":\"portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7b3d4796-9400-2904-692b-4a5ede7f0a1e/resourceId/%2fsubscriptions%2f12cabcb4-86e8-404f-a3d2-1dc9982f45ca%2fresourcegroups%2fmbranca-esf%2fproviders%2fmicrosoft.web%2fsites%2fmbranca-esf\"}}}", + "type": [ + "info" + ] + }, + "microsoft_defender_cloud": { + "event": { + "assessment_event_data_enrichment": { + "action": "Delete", + "api_version": "2019-01-01", + "is_snapshot": false + }, + "id": "/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-esf/providers/microsoft.web/sites/mbranca-esf/providers/Microsoft.Security/assessments/7b3d4796-9400-2904-692b-4a5ede7f0a1e", + "name": "7b3d4796-9400-2904-692b-4a5ede7f0a1e", + "properties": { + "additional_data": { + "kind": "Functionapp" + }, + "display_name": "CORS should not allow every resource to access Function Apps", + "links": { + "azure_portal": "portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/7b3d4796-9400-2904-692b-4a5ede7f0a1e/resourceId/%2fsubscriptions%2f12cabcb4-86e8-404f-a3d2-1dc9982f45ca%2fresourcegroups%2fmbranca-esf%2fproviders%2fmicrosoft.web%2fsites%2fmbranca-esf" + }, + "metadata": { + "assessment_type": "BuiltIn", + "categories": [ + "AppServices" + ], + "description": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app.", + "display_name": "CORS should not allow every resource to access Function Apps", + "implementation_effort": "Low", + "policy_definition_id": "/providers/microsoft.authorization/policydefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5", + "remediation_description": "To allow only required domains to interact with your web app, we recommend the following steps:\u003cbr\u003e1. Go to the app service CORS page\u003cbr\u003e2. Remove the \"*\" defined and instead specify explicit origins that should be allowed to make cross-origin calls\u003cbr\u003e3. Click Save", + "severity": "Low", + "threats": [ + "MaliciousInsider", + "AccountBreach" + ], + "user_impact": "Low" + }, + "resource_details": { + "id": "/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-esf/providers/microsoft.web/sites/mbranca-esf", + "source": "Azure" + }, + "status": { + "code": "Healthy", + "first_evaluation_date": "2023-05-09T13:19:49.338Z", + "status_change_date": "2023-05-09T13:19:49.338Z" + } + }, + "security_event_data_enrichment": { + "action": "Delete", + "api_version": "2019-01-01", + "is_snapshot": false + }, + "tenant_id": "aa40685b-417d-4664-b4ec-8f7640719adb", + "type": "Microsoft.Security/assessments" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"securityEventDataEnrichment\":{\"action\":\"Insert\",\"apiVersion\":\"2020-01-01\",\"isSnapshot\":false},\"id\":\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/providers/Microsoft.Security/secureScores/ascScore/secureScoreControls/61702b76-1fab-41f2-bcbc-50b7870dcf38\",\"name\":\"61702b76-1fab-41f2-bcbc-50b7870dcf38\",\"type\":\"Microsoft.Security/secureScores/secureScoreControls\",\"properties\":{\"displayName\":\"Apply system 
updates\",\"healthyResourceCount\":0,\"unhealthyResourceCount\":3,\"notApplicableResourceCount\":1,\"score\":{\"max\":6,\"current\":0,\"percentage\":0},\"definition\":{\"id\":\"/providers/Microsoft.Security/secureScoreControlDefinitions/61702b76-1fab-41f2-bcbc-50b7870dcf38\",\"name\":\"61702b76-1fab-41f2-bcbc-50b7870dcf38\",\"type\":\"Microsoft.Security/secureScoreControlDefinitions\",\"properties\":{\"source\":{\"sourceType\":\"BuiltIn\"},\"displayName\":\"Apply system updates\",\"maxScore\":6,\"assessmentDefinitions\":[{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/90386950-71ca-4357-a12e-486d1679427c\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45\"},{\"id\":\"/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65\"}]}},\"weight\":3}}", + "type": [ + "info" + ] + }, + "microsoft_defender_cloud": { + "event": { + "id": "/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/providers/Microsoft.Security/secureScores/ascScore/secureScoreControls/61702b76-1fab-41f2-bcbc-50b7870dcf38", + "name": 
"61702b76-1fab-41f2-bcbc-50b7870dcf38", + "properties": { + "assessment": { + "definitions": [ + "{id=/providers/Microsoft.Security/assessmentMetadata/d1db3318-01ff-16de-29eb-28b344515626}", + "{id=/providers/Microsoft.Security/assessmentMetadata/27ac71b1-75c5-41c2-adc2-858f5db45b08}", + "{id=/providers/Microsoft.Security/assessmentMetadata/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1}", + "{id=/providers/Microsoft.Security/assessmentMetadata/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27}", + "{id=/providers/Microsoft.Security/assessmentMetadata/e1145ab1-eb4f-43d8-911b-36ddf771d13f}", + "{id=/providers/Microsoft.Security/assessmentMetadata/90386950-71ca-4357-a12e-486d1679427c}", + "{id=/providers/Microsoft.Security/assessmentMetadata/45cfe080-ceb1-a91e-9743-71551ed24e94}", + "{id=/providers/Microsoft.Security/assessmentMetadata/bd20bd91-aaf1-7f14-b6e4-866de2f43146}", + "{id=/providers/Microsoft.Security/assessmentMetadata/bc85a7ee-7f43-47ab-8736-4faaec9346b5}", + "{id=/providers/Microsoft.Security/assessmentMetadata/11c3f3c8-3c13-48be-9ee5-67b6865e7462}", + "{id=/providers/Microsoft.Security/assessmentMetadata/643a00cb-3da3-43ef-b523-15a0f3198e45}", + "{id=/providers/Microsoft.Security/assessmentMetadata/d352afac-cebc-4e02-b474-7ef402fb1d65}" + ] + }, + "definition": { + "display_name": "Apply system updates", + "id": "/providers/Microsoft.Security/secureScoreControlDefinitions/61702b76-1fab-41f2-bcbc-50b7870dcf38", + "max_score": 6, + "name": "61702b76-1fab-41f2-bcbc-50b7870dcf38", + "source_type": "BuiltIn", + "type": "Microsoft.Security/secureScoreControlDefinitions" + }, + "display_name": "Apply system updates", + "healthy_resource_count": 0, + "not_applicable_resource_count": 1, + "score": { + "current": 0.0, + "max": 6, + "percentage": 0.0 + }, + "unhealthy_resource_count": 3, + "weight": 3 + }, + "security_event_data_enrichment": { + "action": "Insert", + "api_version": "2020-01-01", + "is_snapshot": false + }, + "type": "Microsoft.Security/secureScores/secureScoreControls" 
+ } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"$type\":\"subAssessmentEvent\",\"SubAssessmentEventDataEnrichment\":{\"$type\":\"subAssessmentEventDataEnrichment\",\"Action\":\"Delete\",\"ApiVersion\":\"2020-01-01\",\"IsSnapshot\":false},\"SecurityEventDataEnrichment\":{\"$type\":\"subAssessmentEventDataEnrichment\",\"Action\":\"Delete\",\"ApiVersion\":\"2020-01-01\",\"IsSnapshot\":false},\"TenantId\":\"aa40685b-417d-4664-b4ec-8f7640719adb\",\"Type\":\"Microsoft.Security/assessments/subAssessments\",\"Id\":\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-sdh-3372/providers/microsoft.compute/virtualmachines/sdh-3372/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subassessments/93d2736e-7329-8806-3ef6-e71bb2203d11\",\"Name\":\"93d2736e-7329-8806-3ef6-e71bb2203d11\",\"Properties\":{\"$type\":\"response/subAssessmentProperties\",\"Id\":\"93d2736e-7329-8806-3ef6-e71bb2203d11\",\"DisplayName\":\"Ensure DCCP is disabled\",\"Status\":{\"$type\":\"status\",\"Code\":\"Unhealthy\",\"Severity\":\"Low\"},\"Remediation\":\"Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install dccp /bin/true` then unload the dccp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'\",\"Impact\":\"If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.\",\"Category\":\"N/A\",\"Description\":\"Ensure DCCP is 
disabled\",\"TimeGenerated\":\"2023-05-12T09:58:32.2607101Z\",\"ResourceDetails\":{\"$type\":\"resourceDetails/azure\",\"Source\":\"Azure\",\"Id\":\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-sdh-3372/providers/microsoft.compute/virtualmachines/sdh-3372\"},\"AdditionalData\":{\"$type\":\"additionalData/general\",\"AssessedResourceType\":\"GeneralVulnerability\",\"Data\":{\"OsName\":\"Linux\",\"RuleType\":\"Command\",\"Vulnerability\":\"\",\"AZID\":\"MSID 54\",\"DataSourceType\":\"Not Applicable\",\"DataSourceKey\":\"Not Applicable\"}}}}", + "type": [ + "info" + ] + }, + "microsoft_defender_cloud": { + "event": { + "event_type": "subAssessmentEvent", + "id": "/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-sdh-3372/providers/microsoft.compute/virtualmachines/sdh-3372/providers/Microsoft.Security/assessments/c476dc48-8110-4139-91af-c8d940896b98/subassessments/93d2736e-7329-8806-3ef6-e71bb2203d11", + "name": "93d2736e-7329-8806-3ef6-e71bb2203d11", + "properties": { + "additional_data": { + "$type": "additionalData/general", + "assessedresourcetype": "GeneralVulnerability", + "data": { + "azid": "MSID 54", + "datasourcekey": "Not Applicable", + "datasourcetype": "Not Applicable", + "osname": "Linux", + "ruletype": "Command" + } + }, + "category": "N/A", + "description": "Ensure DCCP is disabled", + "display_name": "Ensure DCCP is disabled", + "id": "93d2736e-7329-8806-3ef6-e71bb2203d11", + "impact": "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.", + "remediation": "Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install dccp /bin/true` then unload the dccp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods'", + "resource_details": { + "id": 
"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourcegroups/mbranca-sdh-3372/providers/microsoft.compute/virtualmachines/sdh-3372", + "source": "Azure", + "type": "resourceDetails/azure" + }, + "status": { + "code": "Unhealthy", + "severity": "Low", + "type": "status" + }, + "time_generated": "2023-05-12T09:58:32.260Z", + "type": "response/subAssessmentProperties" + }, + "security_event_data_enrichment": { + "action": "Delete", + "api_version": "2020-01-01", + "is_snapshot": false, + "type": "subAssessmentEventDataEnrichment" + }, + "sub_assessment_event": { + "data_enrichment": { + "action": "Delete", + "api_version": "2020-01-01", + "is_snapshot": false, + "type": "subAssessmentEventDataEnrichment" + } + }, + "tenant_id": "aa40685b-417d-4664-b4ec-8f7640719adb", + "type": "Microsoft.Security/assessments/subAssessments" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2023-05-11T13:17:09.017Z", + "cloud": { + "provider": [ + "Azure" + ] + }, + "container": { + "id": [ + "cc8ec8580f4c" + ] + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "threat" + ], + "end": "2023-05-11T13:15:45.017Z", + "kind": "alert", + "original": "{\"VendorName\":\"Microsoft\",\"AlertType\":\"ARM_AnomalousServiceOperation.CredentialAccess\",\"ProductName\":\"Microsoft Defender for 
Cloud\",\"StartTimeUtc\":\"2023-05-11T13:15:45.0170422Z\",\"EndTimeUtc\":\"2023-05-11T13:15:45.0170422Z\",\"TimeGenerated\":\"2023-05-11T13:17:09.0170422Z\",\"ProcessingEndTime\":\"2023-05-11T13:17:09.0170422Z\",\"Severity\":\"Medium\",\"Status\":\"New\",\"ProviderAlertStatus\":null,\"ConfidenceLevel\":null,\"ConfidenceScore\":null,\"ConfidenceReasons\":null,\"IsIncident\":false,\"SystemAlertId\":\"2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d\",\"CorrelationKey\":null,\"Intent\":\"PreAttack\",\"AzureResourceId\":\"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\"WorkspaceId\":\"00000000-0000-0000-0000-000000000001\",\"WorkspaceSubscriptionId\":\"00000000-0000-0000-0000-000000000001\",\"WorkspaceResourceGroup\":\"Sample-RG\",\"AgentId\":null,\"CompromisedEntity\":\"Sample-VM\",\"AlertDisplayName\":\"[SAMPLE ALERT] Login from a suspicious IP\",\"Description\":\"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.\",\"Entities\":[{\"$id\":\"5\",\"Address\":\"81.2.69.142\",\"Location\":{\"CountryCode\":\"US\",\"CountryName\":\"United 
States\",\"State\":\"Virginia\",\"City\":\"Washington\",\"Longitude\":-78.17197,\"Latitude\":38.73078,\"Asn\":8075},\"ThreatIntelligence\":[{\"ProviderName\":\"AlertSimulator\",\"ThreatType\":\"Sample-Type\",\"ThreatName\":\"Sample-Threat\",\"Confidence\":1,\"ThreatDescription\":\"\"}],\"Asset\":false,\"Type\":\"ip\"},{\"$id\":\"6\",\"ImageId\":\"sample-image:v1\",\"Asset\":false,\"Type\":\"container-image\"},{\"$ref\":\"6\"},{\"$id\":\"5\",\"DnsDomain\":\"\",\"NTDomain\":\"\",\"HostName\":\"Sample-VM\",\"NetBiosName\":\"Sample-VM\",\"AzureID\":\"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\"OMSAgentID\":\"00000000-0000-0000-0000-000000000001\",\"OSFamily\":\"Linux\",\"OSVersion\":\"Linux\",\"Asset\":false,\"Type\":\"host\"},{\"$id\":\"6\",\"ProcessId\":\"0x1e49a\",\"CommandLine\":\"\",\"Host\":{\"$ref\":\"5\"},\"Asset\":false,\"Type\":\"process\"},{\"$id\":\"7\",\"Name\":\"Sample-account\",\"Host\":{\"$ref\":\"5\"},\"Sid\":\"\",\"Asset\":false,\"Type\":\"account\",\"LogonId\":\"0xbd6e\"},{\"$id\":\"9\",\"ProcessId\":\"0x1e99b\",\"CommandLine\":\"php\",\"CreationTimeUtc\":\"2023-05-11T13:17:49.1333596Z\",\"ImageFile\":{\"$ref\":\"8\"},\"Account\":{\"$ref\":\"7\"},\"ParentProcess\":{\"$ref\":\"6\"},\"Host\":{\"$ref\":\"5\"},\"Asset\":false,\"Type\":\"process\"},{\"$id\":\"5\",\"DomainName\":\"sample.domain\",\"IpAddresses\":[{\"$id\":\"6\",\"Address\":\"81.2.69.142\",\"Location\":{\"CountryCode\":\"US\",\"CountryName\":\"United States\",\"State\":\"California\",\"City\":\"San Francisco\",\"Longitude\":0,\"Latitude\":0,\"Asn\":0},\"Asset\":false,\"Type\":\"ip\"}],\"HostIpAddress\":{\"$ref\":\"6\"},\"Asset\":false,\"Type\":\"dns\"},{\"$id\":\"6\",\"Address\":\"81.2.69.142\",\"Location\":{\"CountryCode\":\"sample\",\"CountryName\":\"united states\",\"State\":\"texas\",\"City\":\"san 
antonio\",\"Longitude\":0,\"Latitude\":0,\"Asn\":0,\"Carrier\":\"sample\",\"Organization\":\"sample-organization\",\"OrganizationType\":\"sample-organization\",\"CloudProvider\":\"Azure\",\"SystemService\":\"sample\"},\"ThreatIntelligence\":[{\"ProviderName\":\"Sample-Provider\",\"ThreatType\":\"Sample-Threat\",\"ThreatName\":\"Sample-Threat\",\"Confidence\":0.8,\"ThreatDescription\":\"Sample-Threat\"}],\"Asset\":false,\"Type\":\"ip\"},{\"$id\":\"5\",\"HostName\":\"Sample-VM\",\"AzureID\":\"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM\",\"OMSAgentID\":\"00000000-0000-0000-0000-000000000000\",\"Asset\":false,\"Type\":\"host\"},{\"$id\":\"7\",\"Directory\":\"Sample-fileShare/dummy/path/to\",\"Name\":\"Sample-Name\",\"FileHashes\":[{\"$id\":\"8\",\"Algorithm\":\"MD5\",\"Value\":\"Sample-SHA\",\"Asset\":false,\"Type\":\"filehash\"}],\"Asset\":false,\"Type\":\"file\"},{\"$id\":\"9\",\"Name\":\"Sample-Name\",\"Category\":\"Virus\",\"Files\":[{\"$ref\":\"8\"}],\"Asset\":false,\"Type\":\"malware\"},{\"$id\":\"5\",\"DomainName\":\"sample.domain\",\"IpAddresses\":[{\"$id\":\"6\",\"Address\":\"81.2.69.142\",\"Location\":{\"CountryCode\":\"US\",\"CountryName\":\"United States\",\"State\":\"California\",\"City\":\"San 
Francisco\",\"Longitude\":0,\"Latitude\":0,\"Asn\":0},\"Asset\":false,\"Type\":\"ip\"}],\"HostIpAddress\":{\"$ref\":\"6\"},\"Asset\":false,\"Type\":\"dns\"},{\"$id\":\"7\",\"Name\":\"Sample-account\",\"NTDomain\":\"Sample-VM\",\"Host\":{\"$ref\":\"5\"},\"Sid\":\"S-1-5-21-3061399664-1673012318-3185014992-20022\",\"IsDomainJoined\":false,\"Asset\":false,\"Type\":\"account\",\"LogonId\":\"0x427d8dd9\"},{\"$id\":\"7\",\"Name\":\"Sample-namespace\",\"Cluster\":{\"$ref\":\"5\"},\"Asset\":false,\"Type\":\"K8s-namespace\"},{\"$id\":\"8\",\"Name\":\"sample-pod\",\"Namespace\":{\"$ref\":\"7\"},\"Asset\":false,\"Type\":\"K8s-pod\"},{\"$id\":\"9\",\"Name\":\"sample-container\",\"Image\":{\"$ref\":\"4\"},\"Pod\":{\"$ref\":\"8\"},\"Asset\":false,\"Type\":\"container\"},{\"$id\":\"10\",\"ProjectId\":\"012345678901\",\"ResourceType\":\"GCP Resource\",\"ResourceName\":\"Sample-Cluster\",\"Location\":\"us-central1-c\",\"LocationType\":\"Zonal\",\"Asset\":true,\"Type\":\"gcp-resource\",\"RelatedAzureResourceIds\":[\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\"]},{\"$id\":\"7\",\"Name\":\"Sample-Name\",\"BlobContainer\":{\"$ref\":\"5\"},\"Url\":\"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt\",\"Etag\":\"Sample-Tag\",\"Asset\":false,\"Type\":\"blob\"},{\"$id\":\"5\",\"Name\":\"sample\",\"UPNSuffix\":\"contoso.com\",\"AadTenantId\":\"00000000-0000-0000-0000-000000000000\",\"AadUserId\":\"00000000-0000-0000-0000-000000000000\",\"Asset\":false,\"Type\":\"account\"},{\"$id\":\"5\",\"CloudResource\":{\"$ref\":\"4\"},\"Asset\":false,\"Type\":\"K8s-cluster\"},{\"$id\":\"8\",\"Directory\":\"https://Sample-Storage.blob.core.windows.net/Sample\",\"Name\":\"Sample-Name\",\"FileHashes\":[{\"$ref\":\"6\"}],\"Asset\":false,\"Type\":\"file\"},{\"$id\":\"10\",\"ProjectId\":\"012345678901\",\"ResourceType\":\"GCP 
Resource\",\"ResourceName\":\"Sample-Cluster\",\"Location\":\"us-central1-c\",\"LocationType\":\"Zonal\",\"Asset\":true,\"Type\":\"gcp-resource\",\"RelatedAzureResourceIds\":[\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c\"]},{\"$id\":\"6\",\"SourceAddress\":{\"$ref\":\"5\"},\"Protocol\":\"Tcp\",\"Asset\":false,\"Type\":\"network-connection\"},{\"$id\":\"7\",\"Name\":\"Sample-Name\",\"StorageResource\":{\"$ref\":\"4\"},\"Asset\":false,\"Type\":\"blob-container\"},{\"$id\":\"7\",\"ContainerId\":\"cc8ec8580f4c\",\"Image\":{\"$ref\":\"6\"},\"Asset\":false,\"Type\":\"container\"},{\"$id\":\"5\",\"Address\":\"81.2.69.142\",\"Location\":{\"CountryCode\":\"IN\",\"CountryName\":\"United States\",\"State\":\"Virginia\",\"City\":\"Washington\",\"Longitude\":-78.17197,\"Latitude\":38.73078,\"Asn\":8075},\"ThreatIntelligence\":[{\"ProviderName\":\"AlertSimulator\",\"ThreatType\":\"Sample-Type\",\"ThreatName\":\"Sample-Threat\",\"Confidence\":1,\"ThreatDescription\":\"\"}],\"Asset\":false,\"Type\":\"ip\"}],\"ExtendedLinks\":[{\"Href\":\"https://blog.netspi.com/gathering-bearer-tokens-azure/\",\"Category\":null,\"Label\":\"NetSPI blogpost\",\"Type\":\"webLink\"},{\"Href\":\"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1\",\"Category\":null,\"Label\":\"MicroBurst source 
code\",\"Type\":\"webLink\"}],\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AzureResourceId\":\"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca\",\"Type\":\"AzureResource\",\"AzureResourceTenantId\":\"aa40685b-417d-4664-b4ec-8f7640719adb\"},{\"$id\":\"3\",\"AadTenantId\":\"aa40685b-417d-4664-b4ec-8f7640719adb\",\"Type\":\"AAD\"},{\"$id\":\"3\",\"WorkspaceId\":\"00000000-0000-0000-0000-000000000001\",\"WorkspaceSubscriptionId\":\"00000000-0000-0000-0000-000000000001\",\"WorkspaceResourceGroup\":\"Sample-RG\",\"AgentId\":\"00000000-0000-0000-0000-00000000000\",\"Type\":\"LogAnalytics\"}],\"RemediationSteps\":[\"Go to the firewall settings in order to lock down the firewall as tightly as possible.\"],\"ExtendedProperties\":{\"resourceType\":\"Virtual Machine\",\"Investigation steps\":\"{\\\"displayValue\\\":\\\"How to investigate this alert using logs at your Log Analytics workspace.\\\",\\\"kind\\\":\\\"Link\\\",\\\"value\\\":\\\"https:\\\\/\\\\/go.microsoft.com\\\\/fwlink\\\\/?linkid=2091064\\\"}\",\"Potential causes\":\"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.\",\"Client principal name\":\"Sample-user\",\"Alert Id\":\"00000000-0000-0000-0000-000000000000\",\"Client IP address\":\"81.2.69.142\",\"Client IP location\":\"Sample\",\"Client application\":\"Sample-app\",\"OMS workspace ID\":\"00000000-0000-0000-0000-000000000001\",\"OMS agent ID\":\"00000000-0000-0000-0000-000000000001\"},\"AlertUri\":\"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d/subscriptionId/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus\"}", + "provider": "Microsoft Defender for Cloud", + "reference": 
"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d/subscriptionId/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus", + "start": "2023-05-11T13:15:45.017Z", + "type": [ + "indicator" + ] + }, + "host": { + "domain": [ + "sample.domain" + ], + "geo": { + "city_name": [ + "Washington", + "san antonio" + ], + "country_iso_code": [ + "US", + "sample", + "IN" + ], + "country_name": [ + "United States", + "united states" + ] + }, + "hostname": [ + "Sample-VM" + ], + "os": { + "family": [ + "Linux" + ] + } + }, + "microsoft_defender_cloud": { + "event": { + "alert_type": "ARM_AnomalousServiceOperation.CredentialAccess", + "azure_resource_id": "/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM", + "compromised_entity": "Sample-VM", + "description": "THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.", + "display_name": "[SAMPLE ALERT] Login from a suspicious IP", + "end_time_utc": "2023-05-11T13:15:45.017Z", + "entities": [ + { + "address": "81.2.69.142", + "asset": false, + "id": "5", + "location": { + "asn": 8075, + "city": "Washington", + "country_code": "US", + "country_name": "United States", + "latitude": 38.73078, + "longitude": -78.17197, + "state": "Virginia" + }, + "threat_intelligence": [ + { + "confidence": 1.0, + "name": "Sample-Threat", + "provider_name": "AlertSimulator", + "type": "Sample-Type" + } + ], + "type": "ip" + }, + { + "asset": false, + "id": "6", + "image_id": "sample-image:v1", + "type": "container-image" + }, + { + "ref": "6" + }, + { + "asset": false, + "azure_id": 
"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM", + "host_name": "Sample-VM", + "id": "5", + "net_bios_name": "Sample-VM", + "oms_agent_id": "00000000-0000-0000-0000-000000000001", + "os_family": "Linux", + "os_version": "Linux", + "type": "host" + }, + { + "asset": false, + "host": { + "ref": "5" + }, + "id": "6", + "process_id": "0x1e49a", + "type": "process" + }, + { + "asset": false, + "host": { + "ref": "5" + }, + "id": "7", + "logon_id": "0xbd6e", + "name": "Sample-account", + "type": "account" + }, + { + "account": { + "ref": "7" + }, + "asset": false, + "command_line": "php", + "creation_time_utc": "2023-05-11T13:17:49.133Z", + "host": { + "ref": "5" + }, + "id": "9", + "image_file": { + "ref": "8" + }, + "parent_process": { + "ref": "6" + }, + "process_id": "0x1e99b", + "type": "process" + }, + { + "asset": false, + "domain_name": "sample.domain", + "host_ip_address": { + "ref": "6" + }, + "id": "5", + "ip_addresses": [ + { + "address": "81.2.69.142", + "asset": false, + "id": "6", + "location": { + "asn": 0, + "city": "San Francisco", + "country_code": "US", + "country_name": "United States", + "latitude": 0, + "longitude": 0, + "state": "California" + }, + "type": "ip" + } + ], + "type": "dns" + }, + { + "address": "81.2.69.142", + "asset": false, + "id": "6", + "location": { + "asn": 0, + "carrier": "sample", + "city": "san antonio", + "cloud_provider": "Azure", + "country_code": "sample", + "country_name": "united states", + "latitude": 0.0, + "longitude": 0.0, + "organization": "sample-organization", + "organization_type": "sample-organization", + "state": "texas", + "system_service": "sample" + }, + "threat_intelligence": [ + { + "confidence": 0.8, + "description": "Sample-Threat", + "name": "Sample-Threat", + "provider_name": "Sample-Provider", + "type": "Sample-Threat" + } + ], + "type": "ip" + }, + { + "asset": false, + "azure_id": 
"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM", + "host_name": "Sample-VM", + "id": "5", + "oms_agent_id": "00000000-0000-0000-0000-000000000000", + "type": "host" + }, + { + "asset": false, + "directory": "Sample-fileShare/dummy/path/to", + "file_hashes": [ + { + "algorithm": "MD5", + "asset": false, + "id": "8", + "type": "filehash", + "value": "Sample-SHA" + } + ], + "id": "7", + "name": "Sample-Name", + "type": "file" + }, + { + "asset": false, + "category": "Virus", + "files": [ + { + "ref": "8" + } + ], + "id": "9", + "name": "Sample-Name", + "type": "malware" + }, + { + "asset": false, + "domain_name": "sample.domain", + "host_ip_address": { + "ref": "6" + }, + "id": "5", + "ip_addresses": [ + { + "address": "81.2.69.142", + "asset": false, + "id": "6", + "location": { + "asn": 0, + "city": "San Francisco", + "country_code": "US", + "country_name": "United States", + "latitude": 0, + "longitude": 0, + "state": "California" + }, + "type": "ip" + } + ], + "type": "dns" + }, + { + "asset": false, + "host": { + "ref": "5" + }, + "id": "7", + "is_domain_joined": false, + "logon_id": "0x427d8dd9", + "name": "Sample-account", + "nt_domain": "Sample-VM", + "sid": "S-1-5-21-3061399664-1673012318-3185014992-20022", + "type": "account" + }, + { + "asset": false, + "cluster": { + "ref": "5" + }, + "id": "7", + "name": "Sample-namespace", + "type": "K8s-namespace" + }, + { + "asset": false, + "id": "8", + "name": "sample-pod", + "namespace": { + "ref": "7" + }, + "type": "K8s-pod" + }, + { + "asset": false, + "id": "9", + "image": { + "ref": "4" + }, + "name": "sample-container", + "pod": { + "ref": "8" + }, + "type": "container" + }, + { + "asset": true, + "id": "10", + "location_type": "Zonal", + "location_value": "us-central1-c", + "project_id": "012345678901", + "related_azure_resource_ids": [ + 
"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c" + ], + "resource_name": "Sample-Cluster", + "resource_type": "GCP Resource", + "type": "gcp-resource" + }, + { + "asset": false, + "blob_container": { + "ref": "5" + }, + "etag": "Sample-Tag", + "id": "7", + "name": "Sample-Name", + "type": "blob", + "url": "https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt" + }, + { + "aad_tenant_id": "00000000-0000-0000-0000-000000000000", + "aad_user_id": "00000000-0000-0000-0000-000000000000", + "asset": false, + "id": "5", + "name": "sample", + "type": "account", + "upn_suffix": "contoso.com" + }, + { + "asset": false, + "cloud_resource": { + "ref": "4" + }, + "id": "5", + "type": "K8s-cluster" + }, + { + "asset": false, + "directory": "https://Sample-Storage.blob.core.windows.net/Sample", + "file_hashes": [ + { + "ref": "6" + } + ], + "id": "8", + "name": "Sample-Name", + "type": "file" + }, + { + "asset": true, + "id": "10", + "location_type": "Zonal", + "location_value": "us-central1-c", + "project_id": "012345678901", + "related_azure_resource_ids": [ + "/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c" + ], + "resource_name": "Sample-Cluster", + "resource_type": "GCP Resource", + "type": "gcp-resource" + }, + { + "asset": false, + "id": "6", + "protocol": "tcp", + "source_address": { + "ref": "5" + }, + "type": "network-connection" + }, + { + "asset": false, + "id": "7", + "name": "Sample-Name", + "storage_resource": { + "ref": "4" + }, + "type": "blob-container" + }, + { + "asset": false, + "container_id": "cc8ec8580f4c", + "id": "7", + "image": { + "ref": "6" + }, + "type": "container" + }, + { + "address": "81.2.69.142", + "asset": false, + "id": "5", + 
"location": { + "asn": 8075, + "city": "Washington", + "country_code": "IN", + "country_name": "United States", + "latitude": 38.73078, + "longitude": -78.17197, + "state": "Virginia" + }, + "threat_intelligence": [ + { + "confidence": 1.0, + "name": "Sample-Threat", + "provider_name": "AlertSimulator", + "type": "Sample-Type" + } + ], + "type": "ip" + } + ], + "extended_links": [ + { + "href": "https://blog.netspi.com/gathering-bearer-tokens-azure/", + "label": "NetSPI blogpost", + "type": "webLink" + }, + { + "href": "https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1", + "label": "MicroBurst source code", + "type": "webLink" + } + ], + "extended_properties": { + "alert id": "00000000-0000-0000-0000-000000000000", + "client application": "Sample-app", + "client ip address": "81.2.69.142", + "client ip location": "Sample", + "client principal name": "Sample-user", + "investigation steps": "{\"displayValue\":\"How to investigate this alert using logs at your Log Analytics workspace.\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2091064\"}", + "oms agent id": "00000000-0000-0000-0000-000000000001", + "oms workspace id": "00000000-0000-0000-0000-000000000001", + "potential causes": "An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.", + "resourcetype": "Virtual Machine" + }, + "intent": "PreAttack", + "is_incident": false, + "processing_end_time": "2023-05-11T13:17:09.017Z", + "product": { + "name": "Microsoft Defender for Cloud" + }, + "remediation_steps": [ + "Go to the firewall settings in order to lock down the firewall as tightly as possible." 
+ ], + "resource_identifiers": [ + { + "azure_id": "/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca", + "azure_tenant_id": "aa40685b-417d-4664-b4ec-8f7640719adb", + "id": "2", + "type": "AzureResource" + }, + { + "aad_tenant_id": "aa40685b-417d-4664-b4ec-8f7640719adb", + "id": "3", + "type": "AAD" + }, + { + "agent_id": "00000000-0000-0000-0000-00000000000", + "id": "3", + "type": "LogAnalytics", + "workspace_id": "00000000-0000-0000-0000-000000000001", + "workspace_resource_group": "Sample-RG", + "workspace_subscription_id": "00000000-0000-0000-0000-000000000001" + } + ], + "severity": "Medium", + "start_time_utc": "2023-05-11T13:15:45.017Z", + "status": "New", + "system": { + "alert_id": "2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d" + }, + "time_generated": "2023-05-11T13:17:09.017Z", + "uri": "https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d/subscriptionId/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus", + "vendor_name": "Microsoft", + "workspace": { + "id": "00000000-0000-0000-0000-000000000001", + "resource_group": "Sample-RG", + "subscription_id": "00000000-0000-0000-0000-000000000001" + } + } + }, + "network": { + "transport": [ + "tcp" + ] + }, + "observer": { + "vendor": "Microsoft" + }, + "process": { + "entity_id": [ + "0x1e49a", + "0x1e99b" + ] + }, + "related": { + "hosts": [ + "sample.domain", + "Sample-VM" + ], + "ip": [ + "81.2.69.142" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "Sample-Storage.blob.core.windows.net", + "extension": "txt", + "original": "https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt", + "path": "/Sample/Sample.txt", + "scheme": "https" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-common-config.yml b/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/microsoft_defender_cloud/data_stream/event/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/microsoft_defender_cloud/data_stream/event/agent/stream/azure-eventhub.yml.hbs b/packages/microsoft_defender_cloud/data_stream/event/agent/stream/azure-eventhub.yml.hbs
new file mode 100644
index 00000000000..89ae5dc4e22
--- /dev/null
+++ b/packages/microsoft_defender_cloud/data_stream/event/agent/stream/azure-eventhub.yml.hbs
@@ -0,0 +1,42 @@
+{{#if eventhub}}
+eventhub: {{eventhub}}
+{{/if}}
+{{#if consumer_group}}
+consumer_group: {{consumer_group}}
+{{/if}}
+{{#if connection_string}}
+connection_string: {{connection_string}}
+{{/if}}
+{{#if storage_account}}
+storage_account: {{storage_account}}
+{{/if}}
+{{#if storage_account_key}}
+storage_account_key: {{storage_account_key}}
+{{/if}}
+{{#if storage_account_container }}
+storage_account_container: {{storage_account_container}}
+{{else}}
+{{#if eventhub}}
+storage_account_container: azure-eventhub-input-{{eventhub}}
+{{/if}}
+{{/if}}
+{{#if resource_manager_endpoint}}
+resource_manager_endpoint: {{resource_manager_endpoint}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
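Review bot: The `storage_account_container` fallback `azure-eventhub-input-{{eventhub}}` in the azure-eventhub.yml.hbs hunk passes the event hub name through unchanged, while Azure blob container names are limited to lowercase letters, digits and hyphens (3–63 characters), so an event hub name containing uppercase letters, dots or underscores would produce a checkpoint container name that cannot be created; nothing in the template normalizes it, and whether the input lowercases it before use is not visible here. A Handlebars comment at the fallback would make the constraint visible to whoever fills in the policy: `{{! default container name is derived from the event hub name; Azure requires lowercase alphanumerics/hyphens, 3-63 chars — set storage_account_container explicitly if the event hub name does not comply }}`. Separately, `connection_string` and `storage_account_key` are rendered verbatim into the agent policy; the package manifest that declares those variables is not in this chunk, and that is the place to confirm they are declared as secrets rather than plain text.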
diff --git a/packages/microsoft_defender_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..d25c1f85219
--- /dev/null
+++ b/packages/microsoft_defender_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,1709 @@ +--- +description: Pipeline for processing Event(Alert and Recommendation) logs. +processors: + - set: + field: ecs.version + value: 8.8.0 + tag: set_ecs_version + - set: + field: event.kind + value: alert + tag: set_event_kind + - set: + field: event.category + value: [intrusion_detection] + tag: set_event_category + - set: + field: event.type + value: [info] + tag: set_event_type + - rename: + field: message + target_field: event.original + tag: rename_message + ignore_missing: true + - json: + field: event.original + target_field: json + tag: json_to_split_message + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: This script convert the json object key into lowercase. + if: ctx.json != null + tag: script_to_convert_json_object_key_into_lowercase + source: | + void handleMap(Map map) { + for (def x: map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + def keySet = map.keySet().toArray(); + for (def key: keySet) { + def lc = key.toLowerCase(); + map[lc] = map[key]; + if (key != lc) { + map.remove(key) + } + } + } + void handleList(List list) { + for (def x: list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - set: + field: event.type + value: [indicator] + tag: set_event_type + if: | + ctx.json?.alerttype != null && [ + 'arm_anomalousserviceoperation.credentialaccess', + 'arm_anomalousserviceoperation.collection', + 'arm_anomalousserviceoperation.defenseevasion', + 'arm_anomalousserviceoperation.execution', + 'arm_anomalousserviceoperation.impact', + 'arm_anomalousserviceoperation.initialaccess', + 'arm_anomalousserviceoperation.lateralmovement', + 
'arm_anomalousserviceoperation.persistence', + 'arm_anomalousserviceoperation.privilegeescalation', + 'arm_unusedaccountpersistence', + 'arm_unusedapppowershellpersistence', + 'arm_unusedappibizapersistence', + 'arm_privilegedroledefinitioncreation', + 'arm_anomalousrbacroleassignment', + 'arm_anomalousoperation.credentialaccess', + 'arm_anomalousoperation.collection', + 'arm_anomalousoperation.defenseevasion', + 'arm_anomalousoperation.execution', + 'arm_anomalousoperation.impact', + 'arm_anomalousoperation.initialaccess', + 'arm_anomalousoperation.lateralmovement', + 'arm_anomalousoperation.persistence', + 'arm_anomalousoperation.privilegeescalation', + 'arm_microburst.runcodeonbehalf', + 'arm_netspi.maintainpersistence', + 'arm_powerzure.runcodeonbehalf', + 'arm_powerzure.maintainpersistence', + 'arm_anomalousclassicroleassignment' + ].contains(ctx.json.alerttype.toLowerCase()) + - set: + field: event.category + value: [api] + tag: set_event_category + if: | + ctx.json?.alerttype != null && [ + 'api_populationspikeinapitraffic', + 'api_spikeinapitraffic', + 'api_spikeinpayload', + 'api_spikeinlatency', + 'api_sprayinrequests', + 'api_parameterenumeration', + 'api_distributedparameterenumeration', + 'api_unseenparamtype', + 'api_unseenparam', + 'api_accessfromtorexitnode', + 'api_accessfromsuspiciousip', + 'api_accessfromsuspicioususeragent' + ].contains(ctx.json.alerttype.toLowerCase()) + - set: + field: event.category + value: [authentication] + tag: set_event_category + if: | + ctx.json?.alerttype != null && [ + 'vm_loginbruteforcesuccess', + 'vm_vmaccessunusualpasswordreset', + 'vm_sshkeyaddition', + 'vm_vmaccessunusualpasswordreset', + 'vm_vmaccessunusualsshreset', + 'sql.db_geoanomaly', + 'sql.vm_geoanomaly', + 'sql.dw_geoanomaly', + 'sql.mi_geoanomaly', + 'sql.db_principalanomaly', + 'sql.vm_principalanomaly', + 'sql.dw_principalanomaly', + 'sql.mi_principalanomaly', + 'sql.db_domainanomaly', + 'sql.vm_domainanomaly', + 'sql.dw_domainanomaly', + 
'sql.mi_domainanomaly', + 'sql.db_bruteforce', + 'sql.vm_bruteforce', + 'sql.dw_bruteforce', + 'sql.mi_bruteforce', + 'sql.postgresql_bruteforce', + 'sql.mariadb_bruteforce', + 'sql.mysql_bruteforce', + 'sql.postgresql_principalanomaly', + 'sql.mariadb_principalanomaly', + 'sql.mysql_principalanomaly', + 'sql.mariadb_domainanomaly', + 'sql.postgresql_domainanomaly', + 'sql.mysql_domainanomaly', + 'sql.postgresql_datacenteranomaly', + 'sql.mariadb_datacenteranomaly', + 'sql.mysql_datacenteranomaly', + 'sql.postgresql_cloudprovideranomaly', + 'sql.mariadb_cloudprovideranomaly', + 'sql.mysql_cloudprovideranomaly', + 'sql.mariadb_geoanomaly', + 'sql.postgresql_geoanomaly', + 'sql.mysql_geoanomaly', + 'storage.blob_suspiciousapp', + 'storage.blob_suspiciousip', + 'storage.files_suspiciousip', + 'storage.blob_openacl', + 'storage.blob_toranomaly', + 'storage.files_toranomaly', + 'storage.blob_geoanomaly', + 'storage.files_geoanomaly', + 'storage.blob_anonymousaccessanomaly', + 'storage.blob_opencontainersscanning', + 'storage.blob_accessinspectionanomaly', + 'storage.files_accessinspectionanomaly', + 'cosmosdb_toranomaly', + 'cosmosdb_suspiciousip', + 'cosmosdb_geoanomaly', + 'kv_suspiciousipaccess', + 'kv_toraccess', + 'kv_accountvolumeaccessdeniedanomaly', + 'kv_useraccessdeniedanomaly', + 'kv_appanomaly', + 'kv_operationpatternanomaly', + 'kv_useranomaly', + 'kv_userappanomaly', + 'kv_accountvolumeanomaly', + 'kv_suspiciousipaccessdenied', + 'kv_unusualaccesssuspiciousip' + ].contains(ctx.json.alerttype.toLowerCase()) + - set: + field: event.category + value: [configuration] + tag: set_event_category + if: | + ctx.json?.alerttype != null && [ + 'k8s_exposedpostgrestrustauth', + 'k8s_exposedpostgresbroadiprange', + 'arm_azurite' + ].contains(ctx.json.alerttype.toLowerCase()) + - set: + field: event.category + value: [malware] + tag: set_event_category + if: | + ctx.json?.alerttype != null && [ + 'vm_ammalwarecampaignrelatedexclusion', + 'vm_filelessattacktoolkit', + 
'vm_runbypsexec', + 'vm_svchostruninrareservicegroup', + 'vm_suspiciousactivity', + 'vm_loginbruteforcevaliduserfailed', + 'vm_customscriptextensionsuspiciousfailure', + 'vm_taskkillburst', + 'vm_vmaccessunusualsshreset', + 'vm_ambroadfilesexclusion', + 'vm_amdisablementandcodeexecution', + 'vm_amdisablement', + 'vm_amfileexclusionandcodeexecution', + 'vm_amtempfileexclusionandcodeexecution', + 'vm_amtempfileexclusion', + 'vm_amrealtimeprotectiondisabled', + 'vm_amtemprealtimeprotectiondisablement', + 'vm_amrealtimeprotectiondisablementandcodeexec', + 'vm_amtemporarilydisablement', + 'vm_unusualamfileexclusion', + 'vm_sshbruteforcefailed', + 'vm_filelessattackbehavior', + 'vm_filelessattacktechnique', + 'vm_mailserverexploitation', + 'vm_sshbruteforcesuccess', + 'vm_kubernetesdashboard', + 'vm_vmaccessunusualconfigreset', + 'vm_customscriptextensionunusualdeletion', + 'vm_customscriptextensionunusualexecution', + 'vm_harmfulapplication', + 'vm_suspiciousipanomaly', + 'appservices_base64encodedexecutableincommandlineparams', + 'appservices_suspectdownload', + 'appservices_eicar', + 'appservices_nmap', + 'appservices_phpinuploadfolder', + 'k8s_anomalouspoddeployment', + 'k8s_anomaloussecretaccess', + 'k8s_exposeddashboard', + 'k8s_exposedservice', + 'k8s_exposedredis', + 'sql.db_harmfulapplication', + 'sql.vm_harmfulapplication', + 'sql.mi_harmfulapplication', + 'sql.dw_harmfulapplication', + 'sql.db_suspiciousipanomaly', + 'sql.vm_suspiciousipanomaly', + 'sql.dw_suspiciousipanomaly', + 'sql.mi_suspiciousipanomaly', + 'sql.postgresql_suspiciousipanomaly', + 'sql.mariadb_suspiciousipanomaly', + 'sql.mysql_suspiciousipanomaly', + 'arm_operationfromsuspiciousip', + 'arm_operationfromsuspiciousproxyip', + 'arm_suspiciouscomputecreation', + 'arm_suspicious_vault_recovering', + 'arm_unusedaccountpersistence', + 'storage.files_widespreadeam', + 'storage.blob_malwarehashreputation', + 'storage.files_malwarehashreputation', + 
'storage.blob_dataexfiltration.amountofdataanomaly', + 'storage.blob_dataexfiltration.numberofblobsanomaly', + 'storage.files_dataexfiltration.amountofdataanomaly', + 'storage.files_dataexfiltration.numberoffilesanomaly', + 'storage.blob_applicationanomaly', + 'storage.files_applicationanomaly', + 'storage.blob_dataexplorationanomaly', + 'storage.files_dataexplorationanomaly', + 'network_resourceipindicatedasmalicious' + ].contains(ctx.json.alerttype.toLowerCase()) + - set: + field: event.category + value: [network] + tag: set_event_category + if: | + ctx.json?.alerttype != null && [ + 'vm_filelessattackbehavior.windows', + 'vm_filelessattacktechnique.windows', + 'azuredns_threatintelsuspectdomain', + 'azuredns_protocolanomaly', + 'azuredns_darkweb', + 'azuredns_darkwebproxy', + 'azuredns_sinkholeddomain', + 'azuredns_phishingdomain', + 'azuredns_domaingenerationalgorithm', + 'azuredns_randomizeddomain', + 'azuredns_currencymining', + 'azuredns_suspiciousdomain', + 'azuredns_datainfiltration', + 'azuredns_dataexfiltration', + 'azuredns_dataobfuscation', + 'appservices_danglingdomain', + 'appservices_phishingcontent', + 'appservices_potentialdanglingdomain', + 'k8s_exposedkubeflow', + 'network_communicationwithc2', + 'network_ddos_detected', + 'network_ddos_mitigated', + 'sql_incoming_bf_onetoone', + 'ddos', + 'rdp_incoming_bf_manytoone', + 'rdp_incoming_bf_onetoone', + 'rdp_outgoing_bf_onetomany', + 'rdp_outgoing_bf_onetoone', + 'ssh_incoming_bf_manytoone', + 'ssh_incoming_bf_onetoone', + 'ssh_outgoing_bf_onetomany', + 'ssh_outgoing_bf_onetoone', + 'portscanning' + ].contains(ctx.json.alerttype.toLowerCase()) + - set: + field: event.category + value: [threat] + tag: set_event_category + if: | + ctx.json?.alerttype != null && [ + 'arm_anomalousserviceoperation.credentialaccess', + 'arm_anomalousserviceoperation.collection', + 'arm_anomalousserviceoperation.defenseevasion', + 'arm_anomalousserviceoperation.execution', + 'arm_anomalousserviceoperation.impact', + 
'arm_anomalousserviceoperation.initialaccess', + 'arm_anomalousserviceoperation.lateralmovement', + 'arm_anomalousserviceoperation.persistence', + 'arm_anomalousserviceoperation.privilegeescalation', + 'arm_unusedapppowershellpersistence', + 'arm_unusedappibizapersistence', + 'arm_privilegedroledefinitioncreation', + 'arm_anomalousrbacroleassignment', + 'arm_anomalousoperation.credentialaccess', + 'arm_anomalousoperation.collection', + 'arm_anomalousoperation.defenseevasion', + 'arm_anomalousoperation.execution', + 'arm_anomalousoperation.impact', + 'arm_anomalousoperation.initialaccess', + 'arm_anomalousoperation.lateralmovement', + 'arm_anomalousoperation.persistence', + 'arm_anomalousoperation.privilegeescalation', + 'arm_microburst.runcodeonbehalf', + 'arm_netspi.maintainpersistence', + 'arm_powerzure.runcodeonbehalf', + 'arm_powerzure.maintainpersistence', + 'arm_anomalousclassicroleassignment' + ].contains(ctx.json.alerttype.toLowerCase()) + - rename: + field: json.$type + target_field: microsoft_defender_cloud.event.event_type + tag: rename_type + ignore_missing: true + - rename: + field: json.agentid + target_field: microsoft_defender_cloud.event.agent_id + tag: rename_agent_id + ignore_missing: true + - rename: + field: json.alertdisplayname + target_field: microsoft_defender_cloud.event.display_name + tag: rename_alert_display_name + ignore_missing: true + - rename: + field: json.alerttype + target_field: microsoft_defender_cloud.event.alert_type + tag: rename_alert_type + ignore_missing: true + - rename: + field: json.alerturi + target_field: microsoft_defender_cloud.event.uri + tag: rename_alert_uri + ignore_missing: true + - set: + field: event.reference + copy_from: microsoft_defender_cloud.event.uri + tag: set_event_reference + ignore_empty_value: true + - rename: + field: json.assessmenteventdataenrichment.action + target_field: microsoft_defender_cloud.event.assessment_event_data_enrichment.action + tag: 
rename_assessment_event_data_enrichment_action + ignore_missing: true + - rename: + field: json.assessmenteventdataenrichment.apiversion + target_field: microsoft_defender_cloud.event.assessment_event_data_enrichment.api_version + tag: rename_assessment_event_data_enrichment_api_version + ignore_missing: true + - convert: + field: json.assessmenteventdataenrichment.issnapshot + target_field: microsoft_defender_cloud.event.assessment_event_data_enrichment.is_snapshot + type: boolean + tag: convert_assessment_event_data_enrichment_is_snapshot_to_boolean + ignore_missing: true + if: ctx.json?.assessmenteventdataenrichment?.issnapshot != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.azureresourceid + target_field: microsoft_defender_cloud.event.azure_resource_id + tag: rename_azure_resource_id + ignore_missing: true + - rename: + field: json.compromisedentity + target_field: microsoft_defender_cloud.event.compromised_entity + tag: rename_compromised_entity + ignore_missing: true + - rename: + field: json.confidencelevel + target_field: microsoft_defender_cloud.event.confidence.level + tag: rename_confidence_level + ignore_missing: true + - rename: + field: json.confidencereasons + target_field: microsoft_defender_cloud.event.confidence.reasons + tag: rename_confidence_reasons + ignore_missing: true + - rename: + field: json.confidencescore + target_field: microsoft_defender_cloud.event.confidence.score + tag: rename_confidence_score + ignore_missing: true + - rename: + field: json.correlationkey + target_field: microsoft_defender_cloud.event.correlation_key + tag: rename_correlation_key + ignore_missing: true + - rename: + field: json.description + target_field: microsoft_defender_cloud.event.description + tag: rename_description + 
ignore_missing: true + - date: + field: json.endtimeutc + target_field: microsoft_defender_cloud.event.end_time_utc + tag: date_end_time_utc + formats: + - ISO8601 + if: ctx.json?.endtimeutc != null && ctx.json.endtimeutc != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + copy_from: microsoft_defender_cloud.event.end_time_utc + tag: set_event_end + ignore_empty_value: true + - script: + lang: painless + description: This script rename fields belongs to entities objects. + if: ctx.json?.entities != null + params: + "$id": "id" + "aadtenantid": "aad_tenant_id" + "aaduserid": "aad_user_id" + "$ref": "ref" + "amazonresourceid": "amazon_resource_id" + "azureid": "azure_id" + "files": "files" + "blobcontainer": "blob_container" + "cloudresource": "cloud_resource" + "commandline": "command_line" + "containerid": "container_id" + "creationtimeutc": "creation_time_utc" + "dnsdomain": "dns_domain" + "domainname": "domain_name" + "elevationtoken": "elevation_token" + "endtimeutc": "end_time_utc" + "filehashes": "file_hashes" + "hostipaddress": "host_ip_address" + "hostname": "host_name" + "imagefile": "image_file" + "imageid": "image_id" + "ipaddresses": "ip_addresses" + "countrycode": "country_code" + "countryname": "country_name" + "isdomainjoined": "is_domain_joined" + "isvalid": "is_valid" + "cloudprovider": "cloud_provider" + "organizationtype": "organization_type" + "systemservice": "system_service" + "logonid": "logon_id" + "netbiosname": "net_bios_name" + "ntdomain": "nt_domain" + "objectguid": "object_guid" + "omsagentid": "oms_agent_id" + "osfamily": "os_family" + "osversion": "os_version" + "parentprocess": "parent_process" + "processid": "process_id" + "projectid": "project_id" + "relatedazureresourceids": 
"related_azure_resource_ids" + "resourceid": "resource_id" + "resourcename": "resource_name" + "resourcetype": "resource_type" + "sessionid": "session_id" + "sourceaddress": "source_address" + "starttimeutc": "start_time_utc" + "storageresource": "storage_resource" + "threatintelligence": "threat_intelligence" + "providername": "provider_name" + "reportlink": "report_link" + "threatdescription": "description" + "threatname": "name" + "locationtype": "location_type" + "threattype": "type" + "upnsuffix": "upn_suffix" + tag: painless_to_rename_fields_under_entities_object + source: | + def renameKeys(Map json, Map keyMap) { + def updatedJson = new HashMap(); + for (def entry: json.entrySet()) { + def key = entry.getKey(); + def value = entry.getValue(); + if (value instanceof Map) { + if (keyMap.containsKey(key)) { + updatedJson[keyMap[key]] = renameKeys(value, keyMap); + } else { + updatedJson[key] = renameKeys(value, keyMap); + } + } else if (value instanceof List) { + def updatedList = []; + for (def item: value) { + if (item instanceof Map) { + updatedList.add(renameKeys(item, keyMap)); + } else { + updatedList.add(item); + } + } + if (keyMap.containsKey(key)) { + updatedJson[keyMap[key]] = updatedList; + } else { + updatedJson[key] = value; + } + } else { + if (keyMap.containsKey(key)) { + updatedJson[keyMap[key]] = value; + } else { + updatedJson[key] = value; + } + if (key=='location') { + updatedJson['location_value'] = value; + updatedJson.remove('location'); + } + } + } + return updatedJson; + } + def entities_obj = new ArrayList(); + for(entity in ctx.json.entities){ + entities_obj.add(renameKeys(entity, params)); + } + ctx.entities_obj=entities_obj; + - rename: + field: entities_obj + target_field: microsoft_defender_cloud.event.entities + tag: rename_entities_obj + ignore_missing: true + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + 
append: + field: cloud.provider + value: '{{{_ingest._value.location.cloud_provider}}}' + tag: append_location_cloud_provider_into_cloud_provider + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.creation_time_utc + target_field: _ingest._value.creation_time_utc + tag: date_entities_creation_time_utc + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.creation_time_utc + ignore_missing: true + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.end_time_utc + target_field: _ingest._value.end_time_utc + tag: date_entities_end_time_utc + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.end_time_utc + ignore_missing: true + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.start_time_utc + target_field: _ingest._value.start_time_utc + tag: date_entities_start_time_utc + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.start_time_utc + ignore_missing: true + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: container.id + value: '{{{_ingest._value.container_id}}}' + tag: append_container_id_into_container_id + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: host.domain + value: '{{{_ingest._value.domain_name}}}' + tag: append_domain_name_into_host_domain + 
allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: related.hosts + value: '{{{_ingest._value.domain_name}}}' + tag: append_domain_name_into_related_hosts + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: host.geo.city_name + value: '{{{_ingest._value.location.city}}}' + tag: append_location_city_into_host_geo_city_name + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: host.geo.country_iso_code + value: '{{{_ingest._value.location.country_code}}}' + tag: append_location_country_code_into_host_geo_country_iso_code + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: host.geo.country_name + value: '{{{_ingest._value.location.country_name}}}' + tag: append_location_country_name_into_host_geo_country_name + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.location.latitude + type: double + tag: convert_location_latitude_to_double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.location.latitude + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.location.longitude + type: double + tag: convert_location_longitude_to_double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.location.longitude + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: host.hostname + value: '{{{_ingest._value.host_name}}}' + tag: append_host_name_into_host_hostname + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: related.hosts + value: '{{{_ingest._value.host_name}}}' + tag: append_host_name_into_related_hosts + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: host.os.family + value: '{{{_ingest._value.os_family}}}' + tag: append_os_family_into_host_os_family + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + lowercase: + field: _ingest._value.protocol + tag: lowercase_protocol + ignore_missing: true + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + 
ignore_failure: true + processor: + append: + field: network.transport + value: '{{{_ingest._value.protocol}}}' + tag: append_protocol_into_network_transport + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: process.entity_id + value: '{{{_ingest._value.process_id}}}' + tag: append_process_id_into_process_entity_id + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.address + type: ip + tag: convert_address_to_ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value.address}}}' + tag: append_address_into_related_ip + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.ip_addresses + ignore_missing: true + ignore_failure: true + processor: + convert: + field: _ingest._value.address + type: ip + tag: convert_ip_addresses_address_to_ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.ip_addresses + ignore_missing: true + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value.address}}}' + tag: append_address_into_related_ip + allow_duplicates: false + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.asset + type: boolean + tag: convert_asset_to_boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.asset + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.ip_addresses + ignore_missing: true + ignore_failure: true + processor: + convert: + field: _ingest._value.asset + type: boolean + tag: convert_ip_addresses_asset_to_boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.asset + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List 
+ ignore_failure: true + processor: + foreach: + field: _ingest._value.ip_addresses + ignore_missing: true + ignore_failure: true + processor: + convert: + field: _ingest._value.location.asn + type: long + tag: convert_ip_addresses_location_asn_to_long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.location.asn + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.is_domain_joined + type: boolean + tag: convert_is_domain_joined_to_boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_domain_joined + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.is_valid + type: boolean + tag: convert_is_valid_to_boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.is_valid + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: 
true + processor: + convert: + field: _ingest._value.location.asn + type: long + tag: convert_location_asn_to_long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.location.asn + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + uri_parts: + field: _ingest._value.url + tag: uri_parts_url + ignore_failure: true + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.threat_intelligence + ignore_missing: true + ignore_failure: true + processor: + convert: + field: _ingest._value.confidence + type: double + tag: convert_threat_intelligence_confidence_to_double + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.confidence + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: This script rename fields belongs to the resource identifier objects. 
+ if: ctx.json?.resourceidentifiers != null + params: + "$id": "id" + "aadtenantid": "aad_tenant_id" + "agentid": "agent_id" + "azureresourceid": "azure_id" + "azureresourcetenantid": "azure_tenant_id" + "workspaceid": "workspace_id" + "workspaceresourcegroup": "workspace_resource_group" + "workspacesubscriptionid": "workspace_subscription_id" + tag: script_to_rename_fields_under_resource_identifiers_object + source: | + def renameKeys(Map json, Map keyMap) { + def updatedJson = new HashMap(); + for (def entry: json.entrySet()) { + def key = entry.getKey(); + def value = entry.getValue(); + if (value instanceof Map) { + if (keyMap.containsKey(key)) { + updatedJson[keyMap[key]] = renameKeys(value, keyMap); + } else { + updatedJson[key] = renameKeys(value, keyMap); + } + } else if (value instanceof List) { + def updatedList = []; + for (def item: value) { + if (item instanceof Map) { + updatedList.add(renameKeys(item, keyMap)); + } else { + updatedList.add(item); + } + } + if (keyMap.containsKey(key)) { + updatedJson[keyMap[key]] = updatedList; + } else { + updatedJson[key] = value; + } + } else { + if (keyMap.containsKey(key)) { + updatedJson[keyMap[key]] = value; + } else { + updatedJson[key] = value; + } + } + } + return updatedJson; + } + def resource_identifier_obj = new ArrayList(); + for(entity in ctx.json.resourceidentifiers){ + resource_identifier_obj.add(renameKeys(entity, params)); + } + ctx.resource_identifier_obj=resource_identifier_obj; + - rename: + field: resource_identifier_obj + target_field: microsoft_defender_cloud.event.resource_identifiers + tag: rename_resource_identifier_obj + ignore_missing: true + - rename: + field: json.extendedlinks + target_field: microsoft_defender_cloud.event.extended_links + tag: rename_extended_links + ignore_missing: true + - rename: + field: json.extendedproperties + target_field: microsoft_defender_cloud.event.extended_properties + tag: rename_extended_properties + ignore_missing: true + - rename: + field: json.id 
+ target_field: microsoft_defender_cloud.event.id + tag: rename_id + ignore_missing: true + - rename: + field: json.intent + target_field: microsoft_defender_cloud.event.intent + tag: rename_intent + ignore_missing: true + - convert: + field: json.isincident + target_field: microsoft_defender_cloud.event.is_incident + type: boolean + tag: convert_is_incident_to_boolean + ignore_missing: true + if: ctx.json?.isincident != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.kind + target_field: microsoft_defender_cloud.event.kind + tag: rename_kind + ignore_missing: true + - rename: + field: json.location + target_field: microsoft_defender_cloud.event.location + tag: rename_location + ignore_missing: true + - rename: + field: json.name + target_field: microsoft_defender_cloud.event.name + tag: rename_name + ignore_missing: true + - date: + field: json.processingendtime + target_field: microsoft_defender_cloud.event.processing_end_time + tag: date_processing_end_time + formats: + - ISO8601 + if: ctx.json?.processingendtime != null && ctx.json.processingendtime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.productname + target_field: microsoft_defender_cloud.event.product.name + tag: rename_product_name + ignore_missing: true + - set: + field: event.provider + copy_from: microsoft_defender_cloud.event.product.name + tag: set_event_provider + ignore_empty_value: true + - rename: + field: json.properties.$type + target_field: microsoft_defender_cloud.event.properties.type + tag: rename_properties_type 
+ ignore_missing: true + - rename: + field: json.properties.assessmentdetailslink + target_field: microsoft_defender_cloud.event.properties.assessment.details_link + tag: rename_properties_assessment_details_link + ignore_missing: true + - rename: + field: json.properties.assessmenttype + target_field: microsoft_defender_cloud.event.properties.assessment.type + tag: rename_properties.assessment_type + ignore_missing: true + - rename: + field: json.properties.category + target_field: microsoft_defender_cloud.event.properties.category + tag: rename_properties_category + ignore_missing: true + - rename: + field: json.properties.definition.id + target_field: microsoft_defender_cloud.event.properties.definition.id + tag: rename_properties_definition_id + ignore_missing: true + - rename: + field: json.properties.definition.name + target_field: microsoft_defender_cloud.event.properties.definition.name + tag: rename_properties_definition_name + ignore_missing: true + - convert: + field: json.properties.definition.properties.assessmentdefinitions + target_field: microsoft_defender_cloud.event.properties.assessment.definitions + type: string + tag: convert_properties_definition_properties_assessment_definitions_to_string + ignore_missing: true + if: ctx.json?.properties?.definition?.properties?.assessmentdefinitions != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.properties.definition.properties.displayname + target_field: microsoft_defender_cloud.event.properties.definition.display_name + tag: rename_properties_definition_properties_display_name + ignore_missing: true + - convert: + field: json.properties.definition.properties.maxscore + target_field: microsoft_defender_cloud.event.properties.definition.max_score + type: long + tag: 
convert_properties_definition_properties_max_score_to_long + ignore_missing: true + if: ctx.json?.properties?.definition?.properties?.maxscore != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.properties.definition.properties.source.sourcetype + target_field: microsoft_defender_cloud.event.properties.definition.source_type + tag: rename_properties_definition_properties_source_source_type + ignore_missing: true + - rename: + field: json.properties.definition.type + target_field: microsoft_defender_cloud.event.properties.definition.type + tag: rename_properties_definition_type + ignore_missing: true + - rename: + field: json.properties.description + target_field: microsoft_defender_cloud.event.properties.description + tag: rename_properties_description + ignore_missing: true + - rename: + field: json.properties.displayname + target_field: microsoft_defender_cloud.event.properties.display_name + tag: rename_properties_display_name + ignore_missing: true + - rename: + field: json.properties.environment + target_field: microsoft_defender_cloud.event.properties.environment + tag: rename_properties_environment + ignore_missing: true + - convert: + field: json.properties.failedresources + target_field: microsoft_defender_cloud.event.properties.failed_resources + type: long + tag: convert_properties_failed_resources_to_long + ignore_missing: true + if: ctx.json?.properties?.failedresources != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.properties.healthyresourcecount + target_field: 
microsoft_defender_cloud.event.properties.healthy_resource_count + type: long + tag: convert_properties_healthy_resource_count_to_long + ignore_missing: true + if: ctx.json?.properties?.healthyresourcecount != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.properties.id + target_field: microsoft_defender_cloud.event.properties.id + tag: rename_properties_id + ignore_missing: true + - rename: + field: json.properties.impact + target_field: microsoft_defender_cloud.event.properties.impact + tag: rename_properties_impact + ignore_missing: true + - rename: + field: json.properties.links.azureportal + target_field: microsoft_defender_cloud.event.properties.links.azure_portal + tag: rename_properties_links_azure_portal + ignore_missing: true + - rename: + field: json.properties.metadata.assessmenttype + target_field: microsoft_defender_cloud.event.properties.metadata.assessment_type + tag: rename_properties_metadata_assessment_type + ignore_missing: true + - rename: + field: json.properties.metadata.categories + target_field: microsoft_defender_cloud.event.properties.metadata.categories + tag: rename_properties_metadata_categories + ignore_missing: true + - rename: + field: json.properties.metadata.description + target_field: microsoft_defender_cloud.event.properties.metadata.description + tag: rename_properties_metadata_description + ignore_missing: true + - rename: + field: json.properties.metadata.displayname + target_field: microsoft_defender_cloud.event.properties.metadata.display_name + tag: rename_properties_metadata_display_name + ignore_missing: true + - rename: + field: json.properties.metadata.implementationeffort + target_field: microsoft_defender_cloud.event.properties.metadata.implementation_effort + tag: 
rename_properties_metadata_implementation_effort + ignore_missing: true + - rename: + field: json.properties.metadata.policydefinitionid + target_field: microsoft_defender_cloud.event.properties.metadata.policy_definition_id + tag: rename_properties_metadata_policy_definition_id + ignore_missing: true + - convert: + field: json.properties.metadata.preview + target_field: microsoft_defender_cloud.event.properties.metadata.preview + type: boolean + tag: convert_properties_metadata_preview_to_boolean + ignore_missing: true + if: ctx.json?.properties?.metadata?.preview != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.properties.metadata.remediationdescription + target_field: microsoft_defender_cloud.event.properties.metadata.remediation_description + tag: rename_properties_metadata_remediation_description + ignore_missing: true + - rename: + field: json.properties.metadata.severity + target_field: microsoft_defender_cloud.event.properties.metadata.severity + tag: rename_properties_metadata_severity + ignore_missing: true + - rename: + field: json.properties.metadata.threats + target_field: microsoft_defender_cloud.event.properties.metadata.threats + tag: rename_properties_metadata_threats + ignore_missing: true + - rename: + field: json.properties.metadata.userimpact + target_field: microsoft_defender_cloud.event.properties.metadata.user_impact + tag: rename_properties_metadata_user_impact + ignore_missing: true + - convert: + field: json.properties.notapplicableresourcecount + target_field: microsoft_defender_cloud.event.properties.not_applicable_resource_count + type: long + tag: convert_properties_not_applicable_resource_count_to_long + ignore_missing: true + if: ctx.json?.properties?.notapplicableresourcecount != '' + 
on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.properties.passedresources + target_field: microsoft_defender_cloud.event.properties.passed_resources + type: long + tag: convert_properties_passed_resources_to_long + ignore_missing: true + if: ctx.json?.properties?.passedresources != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.properties.remediation + target_field: microsoft_defender_cloud.event.properties.remediation + tag: rename_properties_remediation + ignore_missing: true + - rename: + field: json.properties.resourcedetails.$type + target_field: microsoft_defender_cloud.event.properties.resource_details.type + tag: rename_properties_resourcedetails_type + ignore_missing: true + - rename: + field: json.properties.resourcedetails.id + target_field: microsoft_defender_cloud.event.properties.resource_details.id + tag: rename_properties_resource_details_id + ignore_missing: true + - rename: + field: json.properties.resourcedetails.machinename + target_field: microsoft_defender_cloud.event.properties.resource_details.machine_name + tag: rename_properties_resource_details_machine_name + ignore_missing: true + - rename: + field: json.properties.resourcedetails.source + target_field: microsoft_defender_cloud.event.properties.resource_details.source + tag: rename_properties_resource_details_source + ignore_missing: true + - rename: + field: json.properties.resourcedetails.sourcecomputerid + target_field: microsoft_defender_cloud.event.properties.resource_details.source_computer_id + tag: 
rename_properties_resource_details_source_computer_id + ignore_missing: true + - rename: + field: json.properties.resourcedetails.vmuuid + target_field: microsoft_defender_cloud.event.properties.resource_details.vm_uuid + tag: rename_properties_resource_details_vm_uuid + ignore_missing: true + - rename: + field: json.properties.resourcedetails.workspaceid + target_field: microsoft_defender_cloud.event.properties.resource_details.workspace_id + tag: rename_properties_resource_details_workspace_id + ignore_missing: true + - convert: + field: json.properties.score.current + target_field: microsoft_defender_cloud.event.properties.score.current + type: double + tag: convert_properties_score_current_to_double + ignore_missing: true + if: ctx.json?.properties?.score?.current != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.properties.score.max + target_field: microsoft_defender_cloud.event.properties.score.max + type: long + tag: convert_properties_score_max_to_long + ignore_missing: true + if: ctx.json?.properties?.score?.max != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.properties.score.percentage + target_field: microsoft_defender_cloud.event.properties.score.percentage + type: double + tag: convert_properties_score_percentage_to_double + ignore_missing: true + if: ctx.json?.properties?.score?.percentage != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.properties.skippedresources + target_field: microsoft_defender_cloud.event.properties.skipped_resources + type: long + tag: convert_properties_skipped_resources_to_long + ignore_missing: true + if: ctx.json?.properties?.skippedresources != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.properties.state + target_field: microsoft_defender_cloud.event.properties.state + tag: rename_properties_state + ignore_missing: true + - rename: + field: json.properties.status.$type + target_field: microsoft_defender_cloud.event.properties.status.type + tag: rename_properties_status_type + ignore_missing: true + - rename: + field: json.properties.additionaldata + target_field: microsoft_defender_cloud.event.properties.additional_data + tag: rename_properties_additional_data + ignore_missing: true + - rename: + field: json.properties.status.cause + target_field: microsoft_defender_cloud.event.properties.status.cause + tag: rename_properties_status_cause + ignore_missing: true + - rename: + field: json.properties.status.code + target_field: microsoft_defender_cloud.event.properties.status.code + tag: rename_properties_status_code + ignore_missing: true + - rename: + field: json.properties.status.description + target_field: microsoft_defender_cloud.event.properties.status.description + tag: rename_properties_status_description + ignore_missing: true + - date: + field: json.properties.status.firstevaluationdate + target_field: microsoft_defender_cloud.event.properties.status.first_evaluation_date + tag: date_properties_status_first_evaluation_date + formats: + - ISO8601 + if: ctx.json?.properties?.status?.firstevaluationdate != null && 
ctx.json.properties.status.firstevaluationdate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.properties.status.severity + target_field: microsoft_defender_cloud.event.properties.status.severity + tag: rename_properties_status_severity + ignore_missing: true + - date: + field: json.properties.status.statuschangedate + target_field: microsoft_defender_cloud.event.properties.status.status_change_date + tag: date_properties_status_status_change_date + formats: + - ISO8601 + if: ctx.json?.properties?.status?.statuschangedate != null && ctx.json.properties.status.statuschangedate != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.properties.timegenerated + target_field: microsoft_defender_cloud.event.properties.time_generated + tag: date_properties_time_generated + formats: + - ISO8601 + if: ctx.json?.properties?.timegenerated != null && ctx.json.properties.timegenerated != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.properties.unhealthyresourcecount + target_field: microsoft_defender_cloud.event.properties.unhealthy_resource_count + type: long + tag: convert_properties_unhealthy_resource_count_to_long + ignore_missing: true + if: ctx.json?.properties?.unhealthyresourcecount != '' + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.properties.weight + target_field: microsoft_defender_cloud.event.properties.weight + type: long + tag: convert_properties_weight_to_long + ignore_missing: true + if: ctx.json?.properties?.weight != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.provideralertstatus + target_field: microsoft_defender_cloud.event.provider_alert_status + tag: rename_provider_alert_status + ignore_missing: true + - rename: + field: json.remediationsteps + target_field: microsoft_defender_cloud.event.remediation_steps + tag: rename_remediation_steps + ignore_missing: true + - rename: + field: json.securityeventdataenrichment.$type + target_field: microsoft_defender_cloud.event.security_event_data_enrichment.type + tag: rename_security_event_data_enrichment_type + ignore_missing: true + - rename: + field: json.securityeventdataenrichment.action + target_field: microsoft_defender_cloud.event.security_event_data_enrichment.action + tag: rename_security_event_data_enrichment_action + ignore_missing: true + - rename: + field: json.securityeventdataenrichment.apiversion + target_field: microsoft_defender_cloud.event.security_event_data_enrichment.api_version + tag: rename_security_event_data_enrichment_api_version + ignore_missing: true + - rename: + field: json.securityeventdataenrichment.interval + target_field: microsoft_defender_cloud.event.security_event_data_enrichment.interval + tag: rename_security_event_data_enrichment_interval + ignore_missing: true + - convert: + field: json.securityeventdataenrichment.issnapshot + target_field: 
microsoft_defender_cloud.event.security_event_data_enrichment.is_snapshot + type: boolean + tag: convert_security_event_data_enrichment_is_snapshot_to_boolean + ignore_missing: true + if: ctx.json?.securityeventdataenrichment?.issnapshot != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.severity + target_field: microsoft_defender_cloud.event.severity + tag: rename_severity + ignore_missing: true + - date: + field: json.starttimeutc + target_field: microsoft_defender_cloud.event.start_time_utc + tag: date_start_time_utc' + formats: + - ISO8601 + if: ctx.json?.starttimeutc != null && ctx.json.starttimeutc != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + copy_from: microsoft_defender_cloud.event.start_time_utc + tag: set_event_start + ignore_empty_value: true + - rename: + field: json.status + target_field: microsoft_defender_cloud.event.status + tag: rename_status + ignore_missing: true + - rename: + field: json.subassessmenteventdataenrichment.$type + target_field: microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.type + tag: rename_sub_assessment_event_data_enrichment_type + ignore_missing: true + - rename: + field: json.subassessmenteventdataenrichment.action + target_field: microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.action + tag: rename_sub_assessment_event_data_enrichment_action + ignore_missing: true + - rename: + field: json.subassessmenteventdataenrichment.apiversion + target_field: 
microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.api_version + tag: rename_sub_assessment_event_data_enrichment_api_version + ignore_missing: true + - convert: + field: json.subassessmenteventdataenrichment.issnapshot + target_field: microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.is_snapshot + type: boolean + tag: convert_sub_assessment_event_data_enrichmen_is_snapshot_to_boolean + ignore_missing: true + if: ctx.json?.subassessmenteventdataenrichment?.issnapshot != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.systemalertid + target_field: microsoft_defender_cloud.event.system.alert_id + tag: rename_system_alert_id + ignore_missing: true + - rename: + field: json.tags + target_field: microsoft_defender_cloud.event.tags + tag: rename_tags + ignore_missing: true + - rename: + field: json.tenantid + target_field: microsoft_defender_cloud.event.tenant_id + tag: rename_tenant_id + ignore_missing: true + - date: + field: json.timegenerated + target_field: microsoft_defender_cloud.event.time_generated + tag: date_time_generated_custom + formats: + - ISO8601 + if: ctx.json?.timegenerated != null && ctx.json.timegenerated != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.timegenerated + tag: date_time_generated + formats: + - ISO8601 + if: ctx.json?.timegenerated != null && ctx.json.timegenerated != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.type + target_field: microsoft_defender_cloud.event.type + tag: rename_type + ignore_missing: true + - rename: + field: json.vendorname + target_field: microsoft_defender_cloud.event.vendor_name + tag: rename_vendor_name + ignore_missing: true + - set: + field: observer.vendor + copy_from: microsoft_defender_cloud.event.vendor_name + tag: set_observer_vendor + ignore_empty_value: true + - rename: + field: json.workspaceid + target_field: microsoft_defender_cloud.event.workspace.id + tag: rename_workspace_id + ignore_missing: true + - rename: + field: json.workspaceresourcegroup + target_field: microsoft_defender_cloud.event.workspace.resource_group + tag: rename_workspace_resource_group + ignore_missing: true + - rename: + field: json.workspacesubscriptionid + target_field: microsoft_defender_cloud.event.workspace.subscription_id + tag: rename_workspace_subscription_id + ignore_missing: true + - foreach: + field: microsoft_defender_cloud.event.entities + if: ctx.microsoft_defender_cloud?.event?.entities instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.location.cloud_provider + - _ingest._value.container_id + - _ingest._value.domain_name + - _ingest._value.location.city + - _ingest._value.location.country_code + - _ingest._value.location.country_name + - _ingest._value.host_name + - _ingest._value.os_family + - _ingest._value.protocol + - _ingest._value.process_id + ignore_missing: true + - remove: + field: json + tag: remove_json + ignore_missing: true + - remove: + field: + - microsoft_defender_cloud.event.uri + - microsoft_defender_cloud.event.end_time_utc + - microsoft_defender_cloud.event.product.name + - microsoft_defender_cloud.event.start_time_utc + - microsoft_defender_cloud.event.time_generated + - 
microsoft_defender_cloud.event.vendor_name + tag: remove_duplicate_custom_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: event.original + tag: remove_event_original + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + lang: painless + description: Drops null/empty values recursively. + tag: painless_remove_null + source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + value: pipeline_error + tag: set_pipeline_error_into_event_kind + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: pipeline_error diff --git a/packages/microsoft_defender_cloud/data_stream/event/fields/base-fields.yml b/packages/microsoft_defender_cloud/data_stream/event/fields/base-fields.yml new file mode 100644 index 00000000000..004de5cfade --- /dev/null +++ b/packages/microsoft_defender_cloud/data_stream/event/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: microsoft_defender_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: microsoft_defender_cloud.event +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/microsoft_defender_cloud/data_stream/event/fields/beats.yml b/packages/microsoft_defender_cloud/data_stream/event/fields/beats.yml new file mode 100644 index 00000000000..2d5ae254634 --- /dev/null +++ b/packages/microsoft_defender_cloud/data_stream/event/fields/beats.yml @@ -0,0 +1,9 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: tags + type: keyword + description: User defined tags. diff --git a/packages/microsoft_defender_cloud/data_stream/event/fields/fields.yml b/packages/microsoft_defender_cloud/data_stream/event/fields/fields.yml new file mode 100644 index 00000000000..41f47ef3247 --- /dev/null +++ b/packages/microsoft_defender_cloud/data_stream/event/fields/fields.yml 
@@ -0,0 +1,565 @@
+- name: microsoft_defender_cloud
+ type: group
+ fields:
+ - name: event
+ type: group
+ fields:
+ - name: agent_id
+ type: keyword
+ - name: alert_type
+ type: keyword
+ description: Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType).
+ - name: assessment_event_data_enrichment
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: api_version
+ type: keyword
+ - name: is_snapshot
+ type: boolean
+ - name: azure_resource_id
+ type: keyword
+ - name: compromised_entity
+ type: keyword
+ description: The display name of the resource most related to this alert.
+ - name: confidence
+ type: group
+ fields:
+ - name: level
+ type: keyword
+ - name: reasons
+ type: keyword
+ - name: score
+ type: keyword
+ - name: correlation_key
+ type: keyword
+ description: Key for corelating related alerts. Alerts with the same correlation key considered to be related.
+ - name: description
+ type: keyword
+ description: Description of the suspicious activity that was detected.
+ - name: display_name
+ type: keyword
+ description: The display name of the alert.
+ - name: end_time_utc
+ type: date
+ description: The UTC time of the last event or activity included in the alert in ISO8601 format.
+ - name: entities
+ type: group
+ description: A list of entities related to the alert.
+ fields:
+ - name: aad_tenant_id
+ type: keyword
+ - name: aad_user_id
+ type: keyword
+ - name: account
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: address
+ type: ip
+ - name: algorithm
+ type: keyword
+ - name: amazon_resource_id
+ type: keyword
+ - name: asset
+ type: boolean
+ - name: azure_id
+ type: keyword
+ - name: blob_container
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: category
+ type: keyword
+ - name: cloud_resource
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: cluster
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: command_line
+ type: keyword
+ - name: container_id
+ type: keyword
+ - name: creation_time_utc
+ type: date
+ - name: directory
+ type: keyword
+ - name: dns_domain
+ type: keyword
+ - name: domain_name
+ type: keyword
+ - name: elevation_token
+ type: keyword
+ - name: end_time_utc
+ type: date
+ - name: etag
+ type: keyword
+ - name: file_hashes
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: files
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: host
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: host_ip_address
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: host_name
+ type: keyword
+ - name: id
+ type: keyword
+ - name: image
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: image_file
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: image_id
+ type: keyword
+ - name: ip_addresses
+ type: group
+ fields:
+ - name: address
+ type: ip
+ - name: asset
+ type: boolean
+ - name: id
+ type: keyword
+ - name: location
+ type: group
+ fields:
+ - name: asn
+ type: long
+ - name: city
+ type: keyword
+ - name: country_code
+ type: keyword
+ - name: country_name
+ type: keyword
+ - name: latitude
+ type: double
+ - name: longitude
+ type: double
+ - name: state
+ type: keyword
+ - name: type
+ type: keyword
+ - name: is_domain_joined
+ type: boolean
+ - name: is_valid
+ type: boolean
+ - name: location
+ type: group
+ fields:
+ - name: asn
+ type: long
+ - name: carrier
+ type: keyword
+ - name: city
+ type: keyword
+ - name: cloud_provider
+ type: keyword
+ - name: country_code
+ type: keyword
+ - name: country_name
+ type: keyword
+ - name: latitude
+ type: double
+ - name: longitude
+ type: double
+ - name: organization
+ type: keyword
+ - name: organization_type
+ type: keyword
+ - name: state
+ type: keyword
+ - name: system_service
+ type: keyword
+ - name: location_type
+ type: keyword
+ - name: location_value
+ type: keyword
+ - name: logon_id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: namespace
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: net_bios_name
+ type: keyword
+ - name: nt_domain
+ type: keyword
+ - name: object_guid
+ type: keyword
+ - name: oms_agent_id
+ type: keyword
+ - name: os_family
+ type: keyword
+ - name: os_version
+ type: keyword
+ - name: parent_process
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: pod
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: process_id
+ type: keyword
+ - name: project_id
+ type: keyword
+ - name: protocol
+ type: keyword
+ - name: related_azure_resource_ids
+ type: keyword
+ - name: resource_id
+ type: keyword
+ - name: resource_name
+ type: keyword
+ - name: resource_type
+ type: keyword
+ - name: session_id
+ type: keyword
+ - name: sid
+ type: keyword
+ - name: source_address
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: start_time_utc
+ type: date
+ - name: storage_resource
+ type: group
+ fields:
+ - name: ref
+ type: keyword
+ - name: threat_intelligence
+ type: group
+ fields:
+ - name: confidence
+ type: double
+ - name: description
+ type: keyword
+ - name: name
+ type: keyword
+ - name: provider_name
+ type: keyword
+ - name: report_link
+ type: keyword
+ - name: type
+ type: keyword
+ - name: type
+ type: keyword
+ - name: upn_suffix
+ type: keyword
+ - name: url
+ type: keyword
+ - name: value
+ type: keyword
+ - name: event_type
+ type: keyword
+ - name: extended_links
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: Links related to the alert
+ - name: href
+ type: keyword
+ - name: label
+ type: keyword
+ - name: type
+ type: keyword
+ - name: extended_properties
+ type: flattened
+ description: Custom properties for the alert.
+ - name: id
+ type: keyword
+ description: Resource Id.
+ - name: intent
+ type: keyword
+ description: The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.
+ - name: is_incident
+ type: boolean
+ description: This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert.
+ - name: kind
+ type: keyword
+ - name: location
+ type: keyword
+ - name: name
+ type: keyword
+ description: Resource name.
+ - name: processing_end_time
+ type: date
+ description: The UTC processing end time of the alert in ISO8601 format.
+ - name: product
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on).
+ - name: properties
+ type: group
+ fields:
+ - name: additional_data
+ type: flattened
+ - name: assessment
+ type: group
+ fields:
+ - name: definitions
+ type: keyword
+ - name: details_link
+ type: keyword
+ - name: type
+ type: keyword
+ - name: category
+ type: keyword
+ - name: definition
+ type: group
+ fields:
+ - name: display_name
+ type: keyword
+ - name: id
+ type: keyword
+ - name: max_score
+ type: long
+ - name: name
+ type: keyword
+ - name: source_type
+ type: keyword
+ - name: type
+ type: keyword
+ - name: description
+ type: keyword
+ - name: display_name
+ type: keyword
+ - name: environment
+ type: keyword
+ - name: failed_resources
+ type: long
+ - name: healthy_resource_count
+ type: long
+ - name: id
+ type: keyword
+ - name: impact
+ type: keyword
+ - name: links
+ type: group
+ fields:
+ - name: azure_portal
+ type: keyword
+ - name: metadata
+ type: group
+ fields:
+ - name: assessment_type
+ type: keyword
+ - name: categories
+ type: keyword
+ - name: description
+ type: keyword
+ - name: display_name
+ type: keyword
+ - name: implementation_effort
+ type: keyword
+ - name: policy_definition_id
+ type: keyword
+ - name: preview
+ type: boolean
+ - name: remediation_description
+ type: keyword
+ - name: severity
+ type: keyword
+ - name: threats
+ type: keyword
+ - name: user_impact
+ type: keyword
+ - name: not_applicable_resource_count
+ type: long
+ - name: passed_resources
+ type: long
+ - name: remediation
+ type: keyword
+ - name: resource_details
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: machine_name
+ type: keyword
+ - name: source
+ type: keyword
+ - name: source_computer_id
+ type: keyword
+ - name: type
+ type: keyword
+ - name: vm_uuid
+ type: keyword
+ - name: workspace_id
+ type: keyword
+ - name: score
+ type: group
+ fields:
+ - name: current
+ type: double
+ - name: max
+ type: long
+ - name: percentage
+ type: double
+ - name: skipped_resources
+ type: long
+ - name: state
+ type: keyword
+ - name: status
+ type: group
+ fields:
+ - name: cause
+ type: keyword
+ - name: code
+ type: keyword
+ - name: description
+ type: keyword
+ - name: first_evaluation_date
+ type: date
+ - name: severity
+ type: keyword
+ - name: status_change_date
+ type: date
+ - name: type
+ type: keyword
+ - name: time_generated
+ type: date
+ - name: type
+ type: keyword
+ - name: unhealthy_resource_count
+ type: long
+ - name: weight
+ type: long
+ - name: provider_alert_status
+ type: keyword
+ - name: remediation_steps
+ type: keyword
+ description: Manual action items to take to remediate the alert.
+ - name: resource_identifiers
+ type: group
+ fields:
+ - name: aad_tenant_id
+ type: keyword
+ - name: agent_id
+ type: keyword
+ description: (optional) The LogAnalytics agent id reporting the event that this alert is based on.
+ - name: azure_id
+ type: keyword
+ description: ARM resource identifier for the cloud resource being alerted on
+ - name: azure_tenant_id
+ type: keyword
+ - name: id
+ type: keyword
+ description: The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.
+ - name: type
+ type: keyword
+ description: There can be multiple identifiers of different type per alert, this field specify the identifier type.
+ - name: workspace_id
+ type: keyword
+ description: The LogAnalytics workspace id that stores this alert.
+ - name: workspace_resource_group
+ type: keyword
+ description: The azure resource group for the LogAnalytics workspace storing this alert
+ - name: workspace_subscription_id
+ type: keyword
+ description: The azure subscription id for the LogAnalytics workspace storing this alert.
+ - name: security_event_data_enrichment
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: api_version
+ type: keyword
+ - name: interval
+ type: keyword
+ - name: is_snapshot
+ type: boolean
+ - name: type
+ type: keyword
+ - name: severity
+ type: keyword
+ description: The risk level of the threat that was detected.
+ - name: start_time_utc
+ type: date
+ description: The UTC time of the first event or activity included in the alert in ISO8601 format.
+ - name: status
+ type: keyword
+ description: The life cycle status of the alert.
+ - name: sub_assessment_event
+ type: group
+ fields:
+ - name: data_enrichment
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: api_version
+ type: keyword
+ - name: is_snapshot
+ type: boolean
+ - name: type
+ type: keyword
+ - name: system
+ type: group
+ fields:
+ - name: alert_id
+ type: keyword
+ description: Unique identifier for the alert.
+ - name: tags
+ type: keyword
+ - name: tenant_id
+ type: keyword
+ - name: time_generated
+ type: date
+ description: The UTC time the alert was generated in ISO8601 format.
+ - name: type
+ type: keyword
+ description: Resource type.
+ - name: uri
+ type: keyword
+ description: A direct link to the alert page in Azure Portal.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor that raises the alert.
+ - name: workspace
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: resource_group
+ type: keyword
+ - name: subscription_id
+ type: keyword
diff --git a/packages/microsoft_defender_cloud/data_stream/event/manifest.yml b/packages/microsoft_defender_cloud/data_stream/event/manifest.yml
new file mode 100644
index 00000000000..3bcc4ec4095
--- /dev/null
+++ b/packages/microsoft_defender_cloud/data_stream/event/manifest.yml
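Review bot: The `entities` group is described as "A list of entities related to the alert" but is mapped as `type: group`, so when an alert carries several entities the sibling fields (`entities.address`, `entities.name`, `entities.type`, `entities.command_line`, …) are indexed as independent flat arrays and the pairing between, say, an address and the host it belongs to is lost. If detection content needs per-entity correlation this should be `type: nested` (with the query cost that brings); otherwise the description should state that values are flattened across entities, e.g. `description: A list of entities related to the alert. Entity attributes are indexed as flat arrays, so values from different entities are not correlated.`. Separately, free-text fields such as `event.description`, `remediation_steps` and `entities.command_line` are `keyword`; if the package's default `ignore_above` for keyword applies, long values will be stored but not indexed, so these may be better served by a text-type mapping. Finally, `confidence.score` is `keyword` while `entities.threat_intelligence.confidence` is `double`; if the score is numeric in the source data a `double` or `long` mapping would keep the two consistent and allow range queries.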
@@ -0,0 +1,98 @@
+title: Collect Event(Alert and Recommendation) logs from Microsoft Defender for Cloud.
+type: logs
+streams:
+ - input: azure-eventhub
+ title: Microsoft Defender for Cloud Event(Alert and Recommendation)
+ description: Collect Event(Alert and Recommendation) logs from Microsoft Defender for Cloud via Azure Event Hub.
+ template_path: azure-eventhub.yml.hbs
+ vars:
+ - name: eventhub
+ type: text
+ title: Azure Event Hub
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ Elastic recommends using one Azure Event Hub for each integration. Visit [Create an Azure Event Hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use Azure Event Hub names up to 30 characters long to avoid compatibility issues.
+ - name: consumer_group
+ type: text
+ title: Consumer Group
+ multi: false
+ required: true
+ show_user: true
+ default: $Default
+ description: >-
+ We recommend using a dedicated consumer group for the Azure Event Hub input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.
+ - name: connection_string
+ type: password
+ title: Connection String
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The connection string required to communicate with Azure Event Hubs. See [Get an Azure Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.
+ - name: storage_account
+ type: text
+ title: Storage Account
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The name of the storage account where the consumer group's state/offsets will be stored and updated.
+ - name: storage_account_key
+ type: text
+ title: Storage Account Key
+ multi: false
+ required: true
+ show_user: true
+ description: >-
+ The storage account key will be used to authorise access to data in your storage account.
+ - name: storage_account_container
+ type: text
+ title: Storage Account Container
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You must use a dedicated storage account container for each Azure log type. Do not reuse the same container name for more than one Azure log type. See [Container Names] (Naming and Referencing Containers, Blobs, and Metadata - Azure Storage) for details on naming rules from Microsoft. The integration generates a default container name if not specified.
+ - name: resource_manager_endpoint
+ type: text
+ title: Resource Manager Endpoint
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ By default, we are using the Azure public environment. To override this, users can provide a specific resource manager endpoint in order to use a different Azure environment.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - microsoft_defender_cloud-event
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserve a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve microsoft_defender_cloud.event fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/microsoft_defender_cloud/docs/README.md b/packages/microsoft_defender_cloud/docs/README.md
new file mode 100644
index 00000000000..b676d49901c
--- /dev/null
+++ b/packages/microsoft_defender_cloud/docs/README.md
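Review bot: `storage_account_key` is declared `type: text` while `connection_string` in the same var list is `type: password`; the storage account key is a long-lived credential that grants access to the checkpoint storage account, so it should be declared `type: password` too, so that Fleet treats it as a secret and masks it in the policy UI rather than echoing it in plain text. The one-line change is `type: password` under `- name: storage_account_key`. The `storage_account_container` description also contains a broken Markdown link, `[Container Names] (Naming and Referencing Containers, Blobs, and Metadata - Azure Storage)` — the space between `]` and `(` and the page title in place of a URL mean it renders literally; it should point at the Microsoft container-naming documentation, `[Container Names](<URL of the Microsoft naming-rules page>)`.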
@@ -0,0 +1,292 @@ +# Microsoft Defender for Cloud + +The [Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) integration allows you to monitor security alert events. When integrated with Elastic Security, this valuable data can be leveraged within Elastic for analyzing the resources and services that users are protecting through Microsoft Defender. + +Use the Microsoft Defender for Cloud integration to collect and parse data from **Azure Event Hub** and then visualize that data in Kibana. + +## Data streams + +The Microsoft Defender for Cloud integration collects one type of data: event. + +**Event** allows users to preserve a record of security events that occurred on the subscription, which includes real-time events that affect the security of the user's environment. For further information connected to security alerts and type, Refer to the page [here](https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference). + +## Prerequisites + +To get started with Defender for Cloud, user must have a subscription to Microsoft Azure. + +## Requirements + +- Elastic Agent must be installed. +- You can install only one Elastic Agent per host. +- Elastic Agent is required to stream data from the **Azure Event Hub** and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. 
+ +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **kibana.version** required is **8.3.0**. + +## Setup + +### To collect data from Microsoft Azure Event Hub, follow the below steps: + +- Configure the Microsoft Defender for Cloud on Azure subscription. For more detail, refer to the link [here](https://learn.microsoft.com/en-us/azure/defender-for-cloud/get-started). + +### Enabling the integration in Elastic: + +1. In Kibana, go to Management > Integrations. +2. In the "Search for integrations" search bar, type Microsoft Defender for Cloud. +3. Click on the "Microsoft Defender for Cloud" integration from the search results. +4. Click on the Add Microsoft Defender for Cloud Integration button to add the integration. +5. While adding the integration, if you want to collect logs via **Azure Event Hub**, then you have to put the following details: + - eventhub + - consumer_group + - connection_string + - storage_account + - storage_account_key + - storage_account_container (optional) + - resource_manager_endpoint (optional) + +## Logs reference + +### Event + +This is the `Event` dataset. + +#### Example + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. 
| date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. | long | +| microsoft_defender_cloud.event.agent_id | | keyword | +| microsoft_defender_cloud.event.alert_type | Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType). | keyword | +| microsoft_defender_cloud.event.assessment_event_data_enrichment.action | | keyword | +| microsoft_defender_cloud.event.assessment_event_data_enrichment.api_version | | keyword | +| microsoft_defender_cloud.event.assessment_event_data_enrichment.is_snapshot | | boolean | +| microsoft_defender_cloud.event.azure_resource_id | | keyword | +| microsoft_defender_cloud.event.compromised_entity | The display name of the resource most related to this alert. | keyword | +| microsoft_defender_cloud.event.confidence.level | | keyword | +| microsoft_defender_cloud.event.confidence.reasons | | keyword | +| microsoft_defender_cloud.event.confidence.score | | keyword | +| microsoft_defender_cloud.event.correlation_key | Key for corelating related alerts. Alerts with the same correlation key considered to be related. | keyword | +| microsoft_defender_cloud.event.description | Description of the suspicious activity that was detected. | keyword | +| microsoft_defender_cloud.event.display_name | The display name of the alert. | keyword | +| microsoft_defender_cloud.event.end_time_utc | The UTC time of the last event or activity included in the alert in ISO8601 format. 
| date | +| microsoft_defender_cloud.event.entities.aad_tenant_id | | keyword | +| microsoft_defender_cloud.event.entities.aad_user_id | | keyword | +| microsoft_defender_cloud.event.entities.account.ref | | keyword | +| microsoft_defender_cloud.event.entities.address | | ip | +| microsoft_defender_cloud.event.entities.algorithm | | keyword | +| microsoft_defender_cloud.event.entities.amazon_resource_id | | keyword | +| microsoft_defender_cloud.event.entities.asset | | boolean | +| microsoft_defender_cloud.event.entities.azure_id | | keyword | +| microsoft_defender_cloud.event.entities.blob_container.ref | | keyword | +| microsoft_defender_cloud.event.entities.category | | keyword | +| microsoft_defender_cloud.event.entities.cloud_resource.ref | | keyword | +| microsoft_defender_cloud.event.entities.cluster.ref | | keyword | +| microsoft_defender_cloud.event.entities.command_line | | keyword | +| microsoft_defender_cloud.event.entities.container_id | | keyword | +| microsoft_defender_cloud.event.entities.creation_time_utc | | date | +| microsoft_defender_cloud.event.entities.directory | | keyword | +| microsoft_defender_cloud.event.entities.dns_domain | | keyword | +| microsoft_defender_cloud.event.entities.domain_name | | keyword | +| microsoft_defender_cloud.event.entities.elevation_token | | keyword | +| microsoft_defender_cloud.event.entities.end_time_utc | | date | +| microsoft_defender_cloud.event.entities.etag | | keyword | +| microsoft_defender_cloud.event.entities.file_hashes.ref | | keyword | +| microsoft_defender_cloud.event.entities.files.ref | | keyword | +| microsoft_defender_cloud.event.entities.host.ref | | keyword | +| microsoft_defender_cloud.event.entities.host_ip_address.ref | | keyword | +| microsoft_defender_cloud.event.entities.host_name | | keyword | +| microsoft_defender_cloud.event.entities.id | | keyword | +| microsoft_defender_cloud.event.entities.image.ref | | keyword | +| microsoft_defender_cloud.event.entities.image_file.ref | | 
keyword | +| microsoft_defender_cloud.event.entities.image_id | | keyword | +| microsoft_defender_cloud.event.entities.ip_addresses.address | | ip | +| microsoft_defender_cloud.event.entities.ip_addresses.asset | | boolean | +| microsoft_defender_cloud.event.entities.ip_addresses.id | | keyword | +| microsoft_defender_cloud.event.entities.ip_addresses.location.asn | | long | +| microsoft_defender_cloud.event.entities.ip_addresses.location.city | | keyword | +| microsoft_defender_cloud.event.entities.ip_addresses.location.country_code | | keyword | +| microsoft_defender_cloud.event.entities.ip_addresses.location.country_name | | keyword | +| microsoft_defender_cloud.event.entities.ip_addresses.location.latitude | | double | +| microsoft_defender_cloud.event.entities.ip_addresses.location.longitude | | double | +| microsoft_defender_cloud.event.entities.ip_addresses.location.state | | keyword | +| microsoft_defender_cloud.event.entities.ip_addresses.type | | keyword | +| microsoft_defender_cloud.event.entities.is_domain_joined | | boolean | +| microsoft_defender_cloud.event.entities.is_valid | | boolean | +| microsoft_defender_cloud.event.entities.location.asn | | long | +| microsoft_defender_cloud.event.entities.location.carrier | | keyword | +| microsoft_defender_cloud.event.entities.location.city | | keyword | +| microsoft_defender_cloud.event.entities.location.cloud_provider | | keyword | +| microsoft_defender_cloud.event.entities.location.country_code | | keyword | +| microsoft_defender_cloud.event.entities.location.country_name | | keyword | +| microsoft_defender_cloud.event.entities.location.latitude | | double | +| microsoft_defender_cloud.event.entities.location.longitude | | double | +| microsoft_defender_cloud.event.entities.location.organization | | keyword | +| microsoft_defender_cloud.event.entities.location.organization_type | | keyword | +| microsoft_defender_cloud.event.entities.location.state | | keyword | +| 
microsoft_defender_cloud.event.entities.location.system_service | | keyword | +| microsoft_defender_cloud.event.entities.location_type | | keyword | +| microsoft_defender_cloud.event.entities.location_value | | keyword | +| microsoft_defender_cloud.event.entities.logon_id | | keyword | +| microsoft_defender_cloud.event.entities.name | | keyword | +| microsoft_defender_cloud.event.entities.namespace.ref | | keyword | +| microsoft_defender_cloud.event.entities.net_bios_name | | keyword | +| microsoft_defender_cloud.event.entities.nt_domain | | keyword | +| microsoft_defender_cloud.event.entities.object_guid | | keyword | +| microsoft_defender_cloud.event.entities.oms_agent_id | | keyword | +| microsoft_defender_cloud.event.entities.os_family | | keyword | +| microsoft_defender_cloud.event.entities.os_version | | keyword | +| microsoft_defender_cloud.event.entities.parent_process.ref | | keyword | +| microsoft_defender_cloud.event.entities.pod.ref | | keyword | +| microsoft_defender_cloud.event.entities.process_id | | keyword | +| microsoft_defender_cloud.event.entities.project_id | | keyword | +| microsoft_defender_cloud.event.entities.protocol | | keyword | +| microsoft_defender_cloud.event.entities.related_azure_resource_ids | | keyword | +| microsoft_defender_cloud.event.entities.resource_id | | keyword | +| microsoft_defender_cloud.event.entities.resource_name | | keyword | +| microsoft_defender_cloud.event.entities.resource_type | | keyword | +| microsoft_defender_cloud.event.entities.session_id | | keyword | +| microsoft_defender_cloud.event.entities.sid | | keyword | +| microsoft_defender_cloud.event.entities.source_address.ref | | keyword | +| microsoft_defender_cloud.event.entities.start_time_utc | | date | +| microsoft_defender_cloud.event.entities.storage_resource.ref | | keyword | +| microsoft_defender_cloud.event.entities.threat_intelligence.confidence | | double | +| microsoft_defender_cloud.event.entities.threat_intelligence.description | | keyword | 
+| microsoft_defender_cloud.event.entities.threat_intelligence.name | | keyword | +| microsoft_defender_cloud.event.entities.threat_intelligence.provider_name | | keyword | +| microsoft_defender_cloud.event.entities.threat_intelligence.report_link | | keyword | +| microsoft_defender_cloud.event.entities.threat_intelligence.type | | keyword | +| microsoft_defender_cloud.event.entities.type | | keyword | +| microsoft_defender_cloud.event.entities.upn_suffix | | keyword | +| microsoft_defender_cloud.event.entities.url | | keyword | +| microsoft_defender_cloud.event.entities.value | | keyword | +| microsoft_defender_cloud.event.event_type | | keyword | +| microsoft_defender_cloud.event.extended_links.category | Links related to the alert | keyword | +| microsoft_defender_cloud.event.extended_links.href | | keyword | +| microsoft_defender_cloud.event.extended_links.label | | keyword | +| microsoft_defender_cloud.event.extended_links.type | | keyword | +| microsoft_defender_cloud.event.extended_properties | Custom properties for the alert. | flattened | +| microsoft_defender_cloud.event.id | Resource Id. | keyword | +| microsoft_defender_cloud.event.intent | The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents. | keyword | +| microsoft_defender_cloud.event.is_incident | This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert. | boolean | +| microsoft_defender_cloud.event.kind | | keyword | +| microsoft_defender_cloud.event.location | | keyword | +| microsoft_defender_cloud.event.name | Resource name. | keyword | +| microsoft_defender_cloud.event.processing_end_time | The UTC processing end time of the alert in ISO8601 format. 
| date |
+| microsoft_defender_cloud.event.product.name | The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on). | keyword |
+| microsoft_defender_cloud.event.properties.additional_data | | flattened |
+| microsoft_defender_cloud.event.properties.assessment.definitions | | keyword |
+| microsoft_defender_cloud.event.properties.assessment.details_link | | keyword |
+| microsoft_defender_cloud.event.properties.assessment.type | | keyword |
+| microsoft_defender_cloud.event.properties.category | | keyword |
+| microsoft_defender_cloud.event.properties.definition.display_name | | keyword |
+| microsoft_defender_cloud.event.properties.definition.id | | keyword |
+| microsoft_defender_cloud.event.properties.definition.max_score | | long |
+| microsoft_defender_cloud.event.properties.definition.name | | keyword |
+| microsoft_defender_cloud.event.properties.definition.source_type | | keyword |
+| microsoft_defender_cloud.event.properties.definition.type | | keyword |
+| microsoft_defender_cloud.event.properties.description | | keyword |
+| microsoft_defender_cloud.event.properties.display_name | | keyword |
+| microsoft_defender_cloud.event.properties.environment | | keyword |
+| microsoft_defender_cloud.event.properties.failed_resources | | long |
+| microsoft_defender_cloud.event.properties.healthy_resource_count | | long |
+| microsoft_defender_cloud.event.properties.id | | keyword |
+| microsoft_defender_cloud.event.properties.impact | | keyword |
+| microsoft_defender_cloud.event.properties.links.azure_portal | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.assessment_type | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.categories | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.description | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.display_name | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.implementation_effort | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.policy_definition_id | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.preview | | boolean |
+| microsoft_defender_cloud.event.properties.metadata.remediation_description | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.severity | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.threats | | keyword |
+| microsoft_defender_cloud.event.properties.metadata.user_impact | | keyword |
+| microsoft_defender_cloud.event.properties.not_applicable_resource_count | | long |
+| microsoft_defender_cloud.event.properties.passed_resources | | long |
+| microsoft_defender_cloud.event.properties.remediation | | keyword |
+| microsoft_defender_cloud.event.properties.resource_details.id | | keyword |
+| microsoft_defender_cloud.event.properties.resource_details.machine_name | | keyword |
+| microsoft_defender_cloud.event.properties.resource_details.source | | keyword |
+| microsoft_defender_cloud.event.properties.resource_details.source_computer_id | | keyword |
+| microsoft_defender_cloud.event.properties.resource_details.type | | keyword |
+| microsoft_defender_cloud.event.properties.resource_details.vm_uuid | | keyword |
+| microsoft_defender_cloud.event.properties.resource_details.workspace_id | | keyword |
+| microsoft_defender_cloud.event.properties.score.current | | double |
+| microsoft_defender_cloud.event.properties.score.max | | long |
+| microsoft_defender_cloud.event.properties.score.percentage | | double |
+| microsoft_defender_cloud.event.properties.skipped_resources | | long |
+| microsoft_defender_cloud.event.properties.state | | keyword |
+| microsoft_defender_cloud.event.properties.status.cause | | keyword |
+| microsoft_defender_cloud.event.properties.status.code | | keyword |
+| microsoft_defender_cloud.event.properties.status.description | | keyword |
+| microsoft_defender_cloud.event.properties.status.first_evaluation_date | | date |
+| microsoft_defender_cloud.event.properties.status.severity | | keyword |
+| microsoft_defender_cloud.event.properties.status.status_change_date | | date |
+| microsoft_defender_cloud.event.properties.status.type | | keyword |
+| microsoft_defender_cloud.event.properties.time_generated | | date |
+| microsoft_defender_cloud.event.properties.type | | keyword |
+| microsoft_defender_cloud.event.properties.unhealthy_resource_count | | long |
+| microsoft_defender_cloud.event.properties.weight | | long |
+| microsoft_defender_cloud.event.provider_alert_status | | keyword |
+| microsoft_defender_cloud.event.remediation_steps | Manual action items to take to remediate the alert. | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.aad_tenant_id | | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.agent_id | (optional) The LogAnalytics agent id reporting the event that this alert is based on. | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.azure_id | ARM resource identifier for the cloud resource being alerted on | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.azure_tenant_id | | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.id | The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert. | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.type | There can be multiple identifiers of different type per alert, this field specify the identifier type. | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.workspace_id | The LogAnalytics workspace id that stores this alert. | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.workspace_resource_group | The azure resource group for the LogAnalytics workspace storing this alert | keyword |
+| microsoft_defender_cloud.event.resource_identifiers.workspace_subscription_id | The azure subscription id for the LogAnalytics workspace storing this alert. | keyword |
+| microsoft_defender_cloud.event.security_event_data_enrichment.action | | keyword |
+| microsoft_defender_cloud.event.security_event_data_enrichment.api_version | | keyword |
+| microsoft_defender_cloud.event.security_event_data_enrichment.interval | | keyword |
+| microsoft_defender_cloud.event.security_event_data_enrichment.is_snapshot | | boolean |
+| microsoft_defender_cloud.event.security_event_data_enrichment.type | | keyword |
+| microsoft_defender_cloud.event.severity | The risk level of the threat that was detected. | keyword |
+| microsoft_defender_cloud.event.start_time_utc | The UTC time of the first event or activity included in the alert in ISO8601 format. | date |
+| microsoft_defender_cloud.event.status | The life cycle status of the alert. | keyword |
+| microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.action | | keyword |
+| microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.api_version | | keyword |
+| microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.is_snapshot | | boolean |
+| microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.type | | keyword |
+| microsoft_defender_cloud.event.system.alert_id | Unique identifier for the alert. | keyword |
+| microsoft_defender_cloud.event.tags | | keyword |
+| microsoft_defender_cloud.event.tenant_id | | keyword |
+| microsoft_defender_cloud.event.time_generated | The UTC time the alert was generated in ISO8601 format. | date |
+| microsoft_defender_cloud.event.type | Resource type. | keyword |
+| microsoft_defender_cloud.event.uri | A direct link to the alert page in Azure Portal. | keyword |
+| microsoft_defender_cloud.event.vendor_name | The name of the vendor that raises the alert. | keyword |
+| microsoft_defender_cloud.event.workspace.id | | keyword |
+| microsoft_defender_cloud.event.workspace.resource_group | | keyword |
+| microsoft_defender_cloud.event.workspace.subscription_id | | keyword |
+| tags | User defined tags. | keyword |
+
diff --git a/packages/microsoft_defender_cloud/img/microsoft-defender-cloud-dashboard-event.png b/packages/microsoft_defender_cloud/img/microsoft-defender-cloud-dashboard-event.png
new file mode 100644
index 00000000000..10d4a13eb6f
Binary files /dev/null and b/packages/microsoft_defender_cloud/img/microsoft-defender-cloud-dashboard-event.png differ
diff --git a/packages/microsoft_defender_cloud/img/microsoft-defender-cloud-logo.svg b/packages/microsoft_defender_cloud/img/microsoft-defender-cloud-logo.svg
new file mode 100644
index 00000000000..5334aa7ca68
--- /dev/null
+++ b/packages/microsoft_defender_cloud/img/microsoft-defender-cloud-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/microsoft_defender_cloud/kibana/dashboard/microsoft_defender_cloud-97eaf040-0516-11ee-b4db-89b3a5f6df7f.json b/packages/microsoft_defender_cloud/kibana/dashboard/microsoft_defender_cloud-97eaf040-0516-11ee-b4db-89b3a5f6df7f.json
new file mode 100644
index 00000000000..47477980c0f
--- /dev/null
+++ b/packages/microsoft_defender_cloud/kibana/dashboard/microsoft_defender_cloud-97eaf040-0516-11ee-b4db-89b3a5f6df7f.json
@@ -0,0 +1,2005 @@ +{ + "attributes": { + "description": "Overview of Microsoft Defender Cloud Events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"microsoft_defender_cloud.event\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-acbbe59f-11b9-40ba-90ec-0f7556565d09", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "acbbe59f-11b9-40ba-90ec-0f7556565d09": { + "columnOrder": [ + "7adeb506-87dc-4b89-82ce-0320f452671f" + ], + "columns": { + "7adeb506-87dc-4b89-82ce-0320f452671f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "microsoft_defender_cloud.event.properties.passed_resources: *" + }, + "isBucketed": false, + "label": "Passed Resources", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "microsoft_defender_cloud.event.properties.passed_resources" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "7adeb506-87dc-4b89-82ce-0320f452671f", + "colorMode": "None", + "layerId": "acbbe59f-11b9-40ba-90ec-0f7556565d09", + "layerType": "data", + "textAlign": "center" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "8bd11cf0-efa0-4296-b8cf-03fe8fdce840", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "8bd11cf0-efa0-4296-b8cf-03fe8fdce840", + "title": "Passed Resources [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": 
"8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-acbbe59f-11b9-40ba-90ec-0f7556565d09", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "acbbe59f-11b9-40ba-90ec-0f7556565d09": { + "columnOrder": [ + "7adeb506-87dc-4b89-82ce-0320f452671f" + ], + "columns": { + "7adeb506-87dc-4b89-82ce-0320f452671f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "microsoft_defender_cloud.event.properties.failed_resources: *" + }, + "isBucketed": false, + "label": "Failed Resources", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "microsoft_defender_cloud.event.properties.failed_resources" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "7adeb506-87dc-4b89-82ce-0320f452671f", + "layerId": "acbbe59f-11b9-40ba-90ec-0f7556565d09", + "layerType": "data", + "textAlign": "center" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "8dff8fbb-f085-483c-a22c-4e1aec4bdf29", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "8dff8fbb-f085-483c-a22c-4e1aec4bdf29", + "title": "Failed Resources [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-acbbe59f-11b9-40ba-90ec-0f7556565d09", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "acbbe59f-11b9-40ba-90ec-0f7556565d09": { + "columnOrder": [ + "7adeb506-87dc-4b89-82ce-0320f452671f" + ], + "columns": { + "7adeb506-87dc-4b89-82ce-0320f452671f": { + 
"customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "microsoft_defender_cloud.event.properties.skipped_resources: *" + }, + "isBucketed": false, + "label": "Skipped Resources", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "microsoft_defender_cloud.event.properties.skipped_resources" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "7adeb506-87dc-4b89-82ce-0320f452671f", + "layerId": "acbbe59f-11b9-40ba-90ec-0f7556565d09", + "layerType": "data", + "textAlign": "center" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "5b67d941-caa4-4016-add5-99976279202d", + "w": 8, + "x": 16, + "y": 0 + }, + "panelIndex": "5b67d941-caa4-4016-add5-99976279202d", + "title": "Skipped Resources [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-767980ff-c7da-4dd3-b12a-b64c62dad0ef", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "767980ff-c7da-4dd3-b12a-b64c62dad0ef": { + "columnOrder": [ + "1a3593c9-64c3-4861-bbf5-2feb708ce992" + ], + "columns": { + "1a3593c9-64c3-4861-bbf5-2feb708ce992": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "microsoft_defender_cloud.event.properties.healthy_resource_count: *" + }, + "isBucketed": false, + "label": "Healthy Resources", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "microsoft_defender_cloud.event.properties.healthy_resource_count" + } + }, + "incompleteColumns": {} + } + } + } 
+ }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "1a3593c9-64c3-4861-bbf5-2feb708ce992", + "layerId": "767980ff-c7da-4dd3-b12a-b64c62dad0ef", + "layerType": "data", + "textAlign": "center" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "0c1348f8-981d-455d-acac-9b0f1e13b50f", + "w": 12, + "x": 24, + "y": 0 + }, + "panelIndex": "0c1348f8-981d-455d-acac-9b0f1e13b50f", + "title": "Healthy Resource Count [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-767980ff-c7da-4dd3-b12a-b64c62dad0ef", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "767980ff-c7da-4dd3-b12a-b64c62dad0ef": { + "columnOrder": [ + "1a3593c9-64c3-4861-bbf5-2feb708ce992" + ], + "columns": { + "1a3593c9-64c3-4861-bbf5-2feb708ce992": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "microsoft_defender_cloud.event.properties.unhealthy_resource_count: *" + }, + "isBucketed": false, + "label": "Unhealthy Resources", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "microsoft_defender_cloud.event.properties.unhealthy_resource_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "1a3593c9-64c3-4861-bbf5-2feb708ce992", + "layerId": "767980ff-c7da-4dd3-b12a-b64c62dad0ef", + "layerType": "data", + "textAlign": "center" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": 
"91017bba-cc83-4756-bd93-a3edfbfaaa59", + "w": 12, + "x": 36, + "y": 0 + }, + "panelIndex": "91017bba-cc83-4756-bd93-a3edfbfaaa59", + "title": "Unhealthy Resource Count [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-115ac0b7-36c0-44d4-b881-b98e73571046", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "115ac0b7-36c0-44d4-b881-b98e73571046": { + "columnOrder": [ + "63c4742f-0aca-45d7-8e08-a64898b74291", + "0fb6bc78-09e8-44d3-85c2-de8055ed37bf", + "7c39093a-4123-4c20-976e-f243aac7fcb5" + ], + "columns": { + "0fb6bc78-09e8-44d3-85c2-de8055ed37bf": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7c39093a-4123-4c20-976e-f243aac7fcb5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.entities.threat_intelligence.type" + }, + "63c4742f-0aca-45d7-8e08-a64898b74291": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7c39093a-4123-4c20-976e-f243aac7fcb5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.entities.threat_intelligence.name" + }, + "7c39093a-4123-4c20-976e-f243aac7fcb5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + 
"sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "63c4742f-0aca-45d7-8e08-a64898b74291", + "0fb6bc78-09e8-44d3-85c2-de8055ed37bf" + ], + "layerId": "115ac0b7-36c0-44d4-b881-b98e73571046", + "layerType": "data", + "legendDisplay": "default", + "legendSize": "large", + "metric": "7c39093a-4123-4c20-976e-f243aac7fcb5", + "nestedLegend": true, + "numberDisplay": "percent", + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ae1a1587-0e24-4b0d-85de-a91ab806e55f", + "w": 24, + "x": 0, + "y": 7 + }, + "panelIndex": "ae1a1587-0e24-4b0d-85de-a91ab806e55f", + "title": "Distribution of Events by Threat Name and Type [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-52cf6d7c-f870-4eab-b642-671d1a969cc9", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "52cf6d7c-f870-4eab-b642-671d1a969cc9": { + "columnOrder": [ + "97e2dbf5-4aa7-4e47-95a6-96d573a543ab", + "2b1fd69e-7f35-4e75-939e-3130448c4865" + ], + "columns": { + "2b1fd69e-7f35-4e75-939e-3130448c4865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "97e2dbf5-4aa7-4e47-95a6-96d573a543ab": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"2b1fd69e-7f35-4e75-939e-3130448c4865", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.alert_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "97e2dbf5-4aa7-4e47-95a6-96d573a543ab", + "isTransposed": false + }, + { + "colorMode": "none", + "columnId": "2b1fd69e-7f35-4e75-939e-3130448c4865", + "isTransposed": false + } + ], + "layerId": "52cf6d7c-f870-4eab-b642-671d1a969cc9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cfad8b8b-d456-4252-8230-cb4db37bbee2", + "w": 24, + "x": 24, + "y": 7 + }, + "panelIndex": "cfad8b8b-d456-4252-8230-cb4db37bbee2", + "title": "Top 10 Alert Type [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8c175422-6b74-44f9-9318-2c6906c6fe82", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8c175422-6b74-44f9-9318-2c6906c6fe82": { + "columnOrder": [ + "9408cbb9-0cbe-430d-8e9d-c19c61a4b9a4", + "c371bfd2-6ebb-4cbd-a356-e1941371b799" + ], + "columns": { + "9408cbb9-0cbe-430d-8e9d-c19c61a4b9a4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c371bfd2-6ebb-4cbd-a356-e1941371b799", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"microsoft_defender_cloud.event.entities.category" + }, + "c371bfd2-6ebb-4cbd-a356-e1941371b799": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c371bfd2-6ebb-4cbd-a356-e1941371b799" + ], + "layerId": "8c175422-6b74-44f9-9318-2c6906c6fe82", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "9408cbb9-0cbe-430d-8e9d-c19c61a4b9a4" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "981628c3-c2c5-4ce2-b7f9-8474fc3e94d3", + "w": 24, + "x": 0, + "y": 22 + }, + "panelIndex": "981628c3-c2c5-4ce2-b7f9-8474fc3e94d3", + "title": "Distribution of Events by Category [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-748dc0f9-863f-4bb7-87c4-106cf9be896b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "748dc0f9-863f-4bb7-87c4-106cf9be896b": 
{ + "columnOrder": [ + "42554a67-cb89-42aa-9339-f644d22b96f9", + "31f22afe-2376-4ee5-85a5-0b6e0a00f150" + ], + "columns": { + "31f22afe-2376-4ee5-85a5-0b6e0a00f150": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "42554a67-cb89-42aa-9339-f644d22b96f9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "31f22afe-2376-4ee5-85a5-0b6e0a00f150", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.severity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "42554a67-cb89-42aa-9339-f644d22b96f9" + ], + "layerId": "748dc0f9-863f-4bb7-87c4-106cf9be896b", + "layerType": "data", + "legendDisplay": "show", + "metric": "31f22afe-2376-4ee5-85a5-0b6e0a00f150", + "nestedLegend": false, + "numberDisplay": "percent", + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "12b6a8a5-a457-4156-a1de-ef47668af576", + "w": 24, + "x": 24, + "y": 22 + }, + "panelIndex": "12b6a8a5-a457-4156-a1de-ef47668af576", + "title": "Distribution of Events by Severity [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-64ce693c-c126-4e57-aeb8-34710815b8e7", + "type": 
"index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "64ce693c-c126-4e57-aeb8-34710815b8e7": { + "columnOrder": [ + "79e40746-bf8c-4f0c-ba1f-a027ad1a68c8", + "bedf709d-d1a3-4629-be8d-189158591406" + ], + "columns": { + "79e40746-bf8c-4f0c-ba1f-a027ad1a68c8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Family", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "bedf709d-d1a3-4629-be8d-189158591406", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.family" + }, + "bedf709d-d1a3-4629-be8d-189158591406": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "79e40746-bf8c-4f0c-ba1f-a027ad1a68c8" + ], + "layerId": "64ce693c-c126-4e57-aeb8-34710815b8e7", + "layerType": "data", + "legendDisplay": "show", + "metric": "bedf709d-d1a3-4629-be8d-189158591406", + "nestedLegend": false, + "numberDisplay": "percent", + "truncateLegend": true + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e72b1c88-a609-4372-8ec6-00e715a8eed5", + "w": 24, + "x": 0, + "y": 37 + }, + "panelIndex": "e72b1c88-a609-4372-8ec6-00e715a8eed5", + "title": "Distribution of Events by OS Family [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-92693e73-87d6-49dd-808e-16f8f37e30f3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "92693e73-87d6-49dd-808e-16f8f37e30f3": { + "columnOrder": [ + "04ae3adb-7c91-4a15-a19d-a32bddcb7b07", + "4e7f148b-38a1-4ff5-ab4e-0a64e2ad6c43" + ], + "columns": { + "04ae3adb-7c91-4a15-a19d-a32bddcb7b07": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Provider", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4e7f148b-38a1-4ff5-ab4e-0a64e2ad6c43", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cloud.provider" + }, + "4e7f148b-38a1-4ff5-ab4e-0a64e2ad6c43": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "04ae3adb-7c91-4a15-a19d-a32bddcb7b07", + "isTransposed": false + }, + { + "columnId": "4e7f148b-38a1-4ff5-ab4e-0a64e2ad6c43", + "isTransposed": false + } + ], + "layerId": "92693e73-87d6-49dd-808e-16f8f37e30f3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a02873e2-2ef3-43e8-a34d-0112ecadd2c6", + "w": 24, + "x": 24, + "y": 37 + }, + "panelIndex": "a02873e2-2ef3-43e8-a34d-0112ecadd2c6", + "title": "Top 10 Cloud Provider Name [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + 
"attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-64e5452a-1001-488b-9b21-71c06fe5ded7", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "64e5452a-1001-488b-9b21-71c06fe5ded7": { + "columnOrder": [ + "cdcce11e-1083-41f2-b474-d61cb30f784b", + "3366b7a9-ad73-4cb9-ab59-152bc67a22de" + ], + "columns": { + "3366b7a9-ad73-4cb9-ab59-152bc67a22de": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "cdcce11e-1083-41f2-b474-d61cb30f784b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Compromised Entity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3366b7a9-ad73-4cb9-ab59-152bc67a22de", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.compromised_entity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "cdcce11e-1083-41f2-b474-d61cb30f784b", + "isTransposed": false + }, + { + "columnId": "3366b7a9-ad73-4cb9-ab59-152bc67a22de", + "isTransposed": false + } + ], + "layerId": "64e5452a-1001-488b-9b21-71c06fe5ded7", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c6faa37e-a2ea-4d83-a3cd-850e3d6652b7", + "w": 24, + "x": 0, + "y": 52 + }, + "panelIndex": "c6faa37e-a2ea-4d83-a3cd-850e3d6652b7", + "title": "Top 10 Compromised Entities [Logs Microsoft Defender Cloud]", + "type": "lens", + 
"version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-59399110-9e41-48e8-a9fa-14cf4e0a2504", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "59399110-9e41-48e8-a9fa-14cf4e0a2504": { + "columnOrder": [ + "e051a0bb-7fd0-4424-b516-c2a1cbff50b9", + "f342ac9a-9882-4a98-ada1-c898f2ee5aa7" + ], + "columns": { + "e051a0bb-7fd0-4424-b516-c2a1cbff50b9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Resource Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f342ac9a-9882-4a98-ada1-c898f2ee5aa7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.entities.resource_type" + }, + "f342ac9a-9882-4a98-ada1-c898f2ee5aa7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "f342ac9a-9882-4a98-ada1-c898f2ee5aa7" + ], + "layerId": "59399110-9e41-48e8-a9fa-14cf4e0a2504", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "e051a0bb-7fd0-4424-b516-c2a1cbff50b9" + } + ], + "legend": { + "isVisible": true, + 
"position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "43ece979-eb73-48a8-a6c7-51d3cc46bedc", + "w": 24, + "x": 24, + "y": 52 + }, + "panelIndex": "43ece979-eb73-48a8-a6c7-51d3cc46bedc", + "title": "Distribution of Events by Resource Type [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1e977a02-c588-4498-94a2-081c6e87d503", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1e977a02-c588-4498-94a2-081c6e87d503": { + "columnOrder": [ + "0facc319-22b5-44b2-9713-24f56cb17f22", + "e1ac3a1d-7170-4f82-8949-0de76de177a3" + ], + "columns": { + "0facc319-22b5-44b2-9713-24f56cb17f22": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "State", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e1ac3a1d-7170-4f82-8949-0de76de177a3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.properties.state" + }, + "e1ac3a1d-7170-4f82-8949-0de76de177a3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": 
"default", + "groups": [ + "0facc319-22b5-44b2-9713-24f56cb17f22" + ], + "layerId": "1e977a02-c588-4498-94a2-081c6e87d503", + "layerType": "data", + "legendDisplay": "show", + "metric": "e1ac3a1d-7170-4f82-8949-0de76de177a3", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2a17bba0-7b32-474f-bf33-9157f1a4dd1c", + "w": 24, + "x": 0, + "y": 67 + }, + "panelIndex": "2a17bba0-7b32-474f-bf33-9157f1a4dd1c", + "title": "Distribution of Events by State [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6c69ad0c-5de5-4a87-9913-dd5be8841d19", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "6c69ad0c-5de5-4a87-9913-dd5be8841d19": { + "columnOrder": [ + "28dae11b-ef49-47db-937b-eb9b59522bda", + "ecc7e57a-3164-4eef-86b6-9c964c23963f" + ], + "columns": { + "28dae11b-ef49-47db-937b-eb9b59522bda": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Security Data Enrichment Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ecc7e57a-3164-4eef-86b6-9c964c23963f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.security_event_data_enrichment.action" + }, + "ecc7e57a-3164-4eef-86b6-9c964c23963f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} 
+ } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "28dae11b-ef49-47db-937b-eb9b59522bda" + ], + "layerId": "6c69ad0c-5de5-4a87-9913-dd5be8841d19", + "layerType": "data", + "legendDisplay": "show", + "metric": "ecc7e57a-3164-4eef-86b6-9c964c23963f", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "93b3492c-c314-4138-be92-f6d097d5242f", + "w": 24, + "x": 24, + "y": 67 + }, + "panelIndex": "93b3492c-c314-4138-be92-f6d097d5242f", + "title": "Distribution of Events by Security Data Enrichment Action [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-15a42d10-fc12-41a4-aefe-7647e6611f55", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "15a42d10-fc12-41a4-aefe-7647e6611f55": { + "columnOrder": [ + "0f9ac824-5ded-4998-b05f-ec88bcae5982", + "43cf4171-2174-4813-beff-148b2b4fe54c", + "b08b43d6-f15b-4ec1-b93e-f5619eeec8b1" + ], + "columns": { + "0f9ac824-5ded-4998-b05f-ec88bcae5982": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Organization", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b08b43d6-f15b-4ec1-b93e-f5619eeec8b1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.entities.location.organization" + }, + "43cf4171-2174-4813-beff-148b2b4fe54c": { + "customLabel": true, + 
"dataType": "string", + "isBucketed": true, + "label": "Organization Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b08b43d6-f15b-4ec1-b93e-f5619eeec8b1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.entities.location.organization_type" + }, + "b08b43d6-f15b-4ec1-b93e-f5619eeec8b1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b08b43d6-f15b-4ec1-b93e-f5619eeec8b1" + ], + "layerId": "15a42d10-fc12-41a4-aefe-7647e6611f55", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "splitAccessor": "43cf4171-2174-4813-beff-148b2b4fe54c", + "xAccessor": "0f9ac824-5ded-4998-b05f-ec88bcae5982" + } + ], + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": 
"a70f2bbc-8f08-4751-b949-2a9762c914b0", + "w": 48, + "x": 0, + "y": 82 + }, + "panelIndex": "a70f2bbc-8f08-4751-b949-2a9762c914b0", + "title": "Distribution of Events by Organization and Type [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2d8047f1-c79f-43d6-bae5-ff6a10ebe4f7", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "2d8047f1-c79f-43d6-bae5-ff6a10ebe4f7": { + "columnOrder": [ + "6d0f65c3-75fc-4d09-b54e-a0aa054a908e", + "f4906f07-af9d-4156-bc81-de6c4edbf813" + ], + "columns": { + "6d0f65c3-75fc-4d09-b54e-a0aa054a908e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f4906f07-af9d-4156-bc81-de6c4edbf813", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.status" + }, + "f4906f07-af9d-4156-bc81-de6c4edbf813": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "6d0f65c3-75fc-4d09-b54e-a0aa054a908e" + ], + "layerId": "2d8047f1-c79f-43d6-bae5-ff6a10ebe4f7", + "layerType": "data", + "legendDisplay": "show", + "metric": "f4906f07-af9d-4156-bc81-de6c4edbf813", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cee6ff95-1946-43f7-b962-b4f4dd6ddf41", + "w": 24, + "x": 0, + "y": 98 + }, + "panelIndex": "cee6ff95-1946-43f7-b962-b4f4dd6ddf41", + "title": "Distribution of Events by Status [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-21e69043-a1c5-49c0-bf9e-f7c0be8bd4f8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "21e69043-a1c5-49c0-bf9e-f7c0be8bd4f8": { + "columnOrder": [ + "5ebe994d-d4e2-468c-9437-c3adae9922cc", + "ad0ecbf8-d9c0-41ca-8b56-18f27a8323dc" + ], + "columns": { + "5ebe994d-d4e2-468c-9437-c3adae9922cc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Assessment Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ad0ecbf8-d9c0-41ca-8b56-18f27a8323dc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_cloud.event.properties.assessment.type" + }, + "ad0ecbf8-d9c0-41ca-8b56-18f27a8323dc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "ad0ecbf8-d9c0-41ca-8b56-18f27a8323dc" + ], + "layerId": "21e69043-a1c5-49c0-bf9e-f7c0be8bd4f8", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": 
"5ebe994d-d4e2-468c-9437-c3adae9922cc" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "854789c8-cac6-4f03-bb4c-be8ce9a0eb7e", + "w": 24, + "x": 24, + "y": 98 + }, + "panelIndex": "854789c8-cac6-4f03-bb4c-be8ce9a0eb7e", + "title": "Distribution of Events by Assessment Type [Logs Microsoft Defender Cloud]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4da4352e-7c40-4b15-a4f1-49d5ae065248", + "w": 48, + "x": 0, + "y": 113 + }, + "panelIndex": "4da4352e-7c40-4b15-a4f1-49d5ae065248", + "panelRefName": "panel_4da4352e-7c40-4b15-a4f1-49d5ae065248", + "type": "search", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": 
"[{\"locale\":\"autoselect\",\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"fc3fc92a-72c1-40de-ae7d-f71bb4c04770\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"9888bf0b-d28b-43a3-9a28-026abd45a4ab\",\"indexPatternTitle\":\"logs-*\",\"term\":\"host.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"indexPatternRefName\":\"layer_1_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"iso2\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__9888bf0b-d28b-43a3-9a28-026abd45a4ab\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__9888bf0b-d28b-43a3-9a28-026abd45a4ab\",\"origin\":\"join\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"802c791c-c543-48a2-ace4-99faa8dd1684\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"includeInFitToBounds\":true,\"type\":\"GEOJSON_VECTOR\"}]", + "mapStateJSON": 
"{\"zoom\":0.67,\"center\":{\"lon\":-13.60336,\"lat\":12.45534},\"timeFilters\":{\"from\":\"now-1M\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 135, + "minLat": -40.9799, + "minLon": -180 + }, + "mapCenter": { + "lat": 37.79971, + "lon": 1.5841, + "zoom": 2.07 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 17, + "i": "4698ec9b-ee37-4d0b-9070-7fd70bf9adfd", + "w": 48, + "x": 0, + "y": 128 + }, + "panelIndex": "4698ec9b-ee37-4d0b-9070-7fd70bf9adfd", + "title": "Distribution of Events by Country [Logs Microsoft Defender Cloud]", + "type": "map", + "version": "8.3.0" + } + ], + "timeRestore": false, + "title": "[Logs Microsoft Defender Cloud] Event", + "version": 1 + }, + "coreMigrationVersion": "8.3.0", + "id": "microsoft_defender_cloud-97eaf040-0516-11ee-b4db-89b3a5f6df7f", + "migrationVersion": { + "dashboard": "8.3.0" + }, + "references": [ + { + "id": "logs-*", + "name": "8bd11cf0-efa0-4296-b8cf-03fe8fdce840:indexpattern-datasource-layer-acbbe59f-11b9-40ba-90ec-0f7556565d09", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"8dff8fbb-f085-483c-a22c-4e1aec4bdf29:indexpattern-datasource-layer-acbbe59f-11b9-40ba-90ec-0f7556565d09", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5b67d941-caa4-4016-add5-99976279202d:indexpattern-datasource-layer-acbbe59f-11b9-40ba-90ec-0f7556565d09", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0c1348f8-981d-455d-acac-9b0f1e13b50f:indexpattern-datasource-layer-767980ff-c7da-4dd3-b12a-b64c62dad0ef", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "91017bba-cc83-4756-bd93-a3edfbfaaa59:indexpattern-datasource-layer-767980ff-c7da-4dd3-b12a-b64c62dad0ef", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae1a1587-0e24-4b0d-85de-a91ab806e55f:indexpattern-datasource-layer-115ac0b7-36c0-44d4-b881-b98e73571046", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfad8b8b-d456-4252-8230-cb4db37bbee2:indexpattern-datasource-layer-52cf6d7c-f870-4eab-b642-671d1a969cc9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "981628c3-c2c5-4ce2-b7f9-8474fc3e94d3:indexpattern-datasource-layer-8c175422-6b74-44f9-9318-2c6906c6fe82", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "12b6a8a5-a457-4156-a1de-ef47668af576:indexpattern-datasource-layer-748dc0f9-863f-4bb7-87c4-106cf9be896b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e72b1c88-a609-4372-8ec6-00e715a8eed5:indexpattern-datasource-layer-64ce693c-c126-4e57-aeb8-34710815b8e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a02873e2-2ef3-43e8-a34d-0112ecadd2c6:indexpattern-datasource-layer-92693e73-87d6-49dd-808e-16f8f37e30f3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c6faa37e-a2ea-4d83-a3cd-850e3d6652b7:indexpattern-datasource-layer-64e5452a-1001-488b-9b21-71c06fe5ded7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43ece979-eb73-48a8-a6c7-51d3cc46bedc:indexpattern-datasource-layer-59399110-9e41-48e8-a9fa-14cf4e0a2504", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "2a17bba0-7b32-474f-bf33-9157f1a4dd1c:indexpattern-datasource-layer-1e977a02-c588-4498-94a2-081c6e87d503", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93b3492c-c314-4138-be92-f6d097d5242f:indexpattern-datasource-layer-6c69ad0c-5de5-4a87-9913-dd5be8841d19", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a70f2bbc-8f08-4751-b949-2a9762c914b0:indexpattern-datasource-layer-15a42d10-fc12-41a4-aefe-7647e6611f55", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cee6ff95-1946-43f7-b962-b4f4dd6ddf41:indexpattern-datasource-layer-2d8047f1-c79f-43d6-bae5-ff6a10ebe4f7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "854789c8-cac6-4f03-bb4c-be8ce9a0eb7e:indexpattern-datasource-layer-21e69043-a1c5-49c0-bf9e-f7c0be8bd4f8", + "type": "index-pattern" + }, + { + "id": "microsoft_defender_cloud-52f0f2f0-039f-11ee-bafb-95960de71508", + "name": "4da4352e-7c40-4b15-a4f1-49d5ae065248:panel_4da4352e-7c40-4b15-a4f1-49d5ae065248", + "type": "search" + }, + { + "id": "logs-*", + "name": "4698ec9b-ee37-4d0b-9070-7fd70bf9adfd:layer_1_join_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/microsoft_defender_cloud/kibana/search/microsoft_defender_cloud-52f0f2f0-039f-11ee-bafb-95960de71508.json b/packages/microsoft_defender_cloud/kibana/search/microsoft_defender_cloud-52f0f2f0-039f-11ee-bafb-95960de71508.json new file mode 100644 index 00000000000..f9ec4d8fe0e --- /dev/null +++ b/packages/microsoft_defender_cloud/kibana/search/microsoft_defender_cloud-52f0f2f0-039f-11ee-bafb-95960de71508.json 
@@ -0,0 +1,43 @@
+{
+ "attributes": {
+ "columns": [
+ "microsoft_defender_cloud.event.alert_type",
+ "microsoft_defender_cloud.event.system.alert_id",
+ "microsoft_defender_cloud.event.display_name",
+ "microsoft_defender_cloud.event.description"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"microsoft_defender_cloud.event\" "
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "Event Essential Details [Logs Microsoft Defender Cloud]"
+ },
+ "coreMigrationVersion": "8.3.0",
+ "id": "microsoft_defender_cloud-52f0f2f0-039f-11ee-bafb-95960de71508",
+ "migrationVersion": {
+ "search": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/microsoft_defender_cloud/manifest.yml b/packages/microsoft_defender_cloud/manifest.yml
new file mode 100644
index 00000000000..c9daf31e86e
--- /dev/null
+++ b/packages/microsoft_defender_cloud/manifest.yml
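Review bot: The KQL on the `query` line carries a trailing space inside the string literal (`\"microsoft_defender_cloud.event\" `); the parser tolerates it, but it is shown verbatim in the Discover query bar, so trim it to `"query": "data_stream.dataset : \"microsoft_defender_cloud.event\""`. The `columns` list shows alert type, id, name and description but not the alert's status, which the dashboard in this same commit already charts from `microsoft_defender_cloud.event.status`; adding that column to this "Essential Details" table would let an analyst see open versus resolved alerts without expanding each document.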
@@ -0,0 +1,31 @@
+format_version: 2.8.0
+name: microsoft_defender_cloud
+title: Microsoft Defender for Cloud
+version: 0.1.0
+description: Collect logs from Microsoft Defender for Cloud with Elastic Agent.
+type: integration
+categories:
+ - security
+conditions:
+ kibana.version: ^8.3.0
+ elastic.subscription: basic
+screenshots:
+ - src: /img/microsoft-defender-cloud-dashboard-event.png
+ title: Microsoft Defender for Cloud Event Dashboard Screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/microsoft-defender-cloud-logo.svg
+ title: Microsoft Defender for Cloud logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: microsoft_defender_cloud
+ title: Microsoft Defender for Cloud Logs
+ description: Collect logs from Microsoft Defender for Cloud.
+ inputs:
+ - type: azure-eventhub
+ title: Collect logs from Azure Event Hub
+ description: Collect logs from Azure Event Hub.
+owner:
+ github: elastic/security-external-integrations
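Review bot: The `azure-eventhub` input under `policy_templates` declares no `vars`, so the Event Hub connection string and storage-account credentials that this input type needs must be defined in the data stream manifest, which is not part of this diff (presumably the `event` data stream, given the dataset name used by the saved search). Please confirm there that the connection string and storage account key are declared as sensitive inputs rather than ordinary text fields, so Fleet masks them in the policy UI and they do not end up in agent diagnostics. A one-line comment above `inputs:` pointing to where those variables live, e.g. `# input variables (Event Hub name, connection string, storage account) are declared in the event data stream manifest`, would save the next reader the search. The `kibana.version: ^8.3.0` condition agrees with the `coreMigrationVersion` of the exported saved objects, which is consistent.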