Microsoft module

This is a module for ingesting data from different Microsoft products. It currently supports these filesets:

  • defender_atp fileset: Supports Microsoft Defender ATP
  • dhcp fileset: Supports Microsoft DHCP logs

When you run the module, it performs a few tasks under the hood:

  • Sets the default paths to the log files (but don’t worry, you can override the defaults)
  • Makes sure each multiline log event gets sent as a single event
  • Uses ingest node to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
  • Deploys dashboards for visualizing the log data

Read the quick start to learn how to configure and run modules.

Configure the module

You can further refine the behavior of the microsoft module by specifying variable settings in the modules.d/microsoft.yml file, or overriding settings at the command line.

Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the microsoft module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, microsoft.defender_atp.var.paths instead of defender_atp.var.paths.

defender_atp fileset settings

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

To allow the Filebeat module to ingest data from the Microsoft Defender API, you need to create a new application on your Azure domain.

The procedure for creating an application is described at the link below:

Create a new Azure Application

Granting the application only the API permission described in that documentation (Windows Defender ATP Alert.Read.All) allows it to read alerts from ATP and nothing else in the Azure domain.

After the application has been created, it provides three values that you need to add to the module configuration.

These values are:

  • Client ID
  • Client Secret
  • Tenant ID

Example config:

  - module: microsoft
    defender_atp:
      enabled: true
      var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
      var.oauth2.client.secret: "980453~-Sg99gedf"
      var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"

var.oauth2.client.id
The client ID of the application you created on Azure.
var.oauth2.client.secret
The secret related to the client ID.
var.oauth2.token_url
The predefined URL of Microsoft's OAuth2 token service. The URL is always the same except for the Tenant ID, which must be inserted into it.

Defender ATP ECS fields

This is a list of Defender ATP fields that are mapped to ECS.

Defender ATP field                   ECS field
alertCreationTime                    @timestamp
aadTenantId                          cloud.account.id
category                             threat.technique.name
computerDnsName                      host.hostname
description                          rule.description
detectionSource                      observer.name
evidence.fileName                    file.name
evidence.filePath                    file.path
evidence.processId                   process.pid
evidence.processCommandLine          process.command_line
evidence.processCreationTime         process.start
evidence.parentProcessId             process.parent.pid
evidence.parentProcessCreationTime   process.parent.start
evidence.sha1                        file.hash.sha1
evidence.sha256                      file.hash.sha256
evidence.url                         url.full
firstEventTime                       event.start
id                                   event.id
lastEventTime                        event.end
machineId                            cloud.instance.id
relatedUser.userName                 host.user.name
relatedUser.domainName               host.user.domain
title                                message
severity                             event.severity
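The mapping in the table, applied in Python as an added example (this is not the module's own ingest pipeline): it walks a constructed Defender ATP alert and emits the nested ECS document, skipping fields the alert does not carry. It assumes the API returns evidence as a list and maps the first entry.

```python
ATP_TO_ECS = {  # Defender ATP field -> ECS field, copied from the table above
    "alertCreationTime": "@timestamp", "aadTenantId": "cloud.account.id",
    "category": "threat.technique.name", "computerDnsName": "host.hostname",
    "description": "rule.description", "detectionSource": "observer.name",
    "evidence.fileName": "file.name", "evidence.filePath": "file.path",
    "evidence.processId": "process.pid",
    "evidence.processCommandLine": "process.command_line",
    "evidence.processCreationTime": "process.start",
    "evidence.parentProcessId": "process.parent.pid",
    "evidence.parentProcessCreationTime": "process.parent.start",
    "evidence.sha1": "file.hash.sha1", "evidence.sha256": "file.hash.sha256",
    "evidence.url": "url.full", "firstEventTime": "event.start",
    "id": "event.id", "lastEventTime": "event.end",
    "machineId": "cloud.instance.id", "relatedUser.userName": "host.user.name",
    "relatedUser.domainName": "host.user.domain", "title": "message",
    "severity": "event.severity",
}

def _get(doc, dotted):
    cur = doc
    for part in dotted.split("."):
        if isinstance(cur, list):  # assumption: evidence is a list; map its first entry
            cur = cur[0] if cur else None
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _put(doc, dotted, value):
    *parents, leaf = dotted.split(".")
    for part in parents:  # create nested ECS objects (host.user.name -> host: {user: {name}})
        doc = doc.setdefault(part, {})
    doc[leaf] = value

def to_ecs(alert):
    """Return the ECS document for one Defender ATP alert; absent source fields are skipped."""
    ecs = {}
    for src, dst in ATP_TO_ECS.items():
        value = _get(alert, src)
        if value is not None:
            _put(ecs, dst, value)
    return ecs

SAMPLE_ALERT = {  # constructed sample alert, not real data
    "id": "alert-0001", "title": "Suspicious process launched", "severity": "Medium",
    "computerDnsName": "ws01.example.local", "aadTenantId": "tenant-placeholder",
    "evidence": [{"fileName": "cmd.exe", "processId": 4321, "sha256": "ab" * 32}],
    "relatedUser": {"userName": "alice", "domainName": "EXAMPLE"},
}
```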

Dashboards

This module comes with a sample dashboard for Defender ATP.

[Image: Filebeat Defender ATP overview dashboard]

The best way to view Defender ATP events and alert data is in the SIEM.

[Image: SIEM external alerts view]

For alerts, go to Detections → External alerts.

[Image: SIEM host events view]

For all other Defender ATP event types, go to Host → Events.

dhcp fileset settings

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This fileset was converted from the RSA NetWitness log parser XML for the "msdhcp" device, revision 99.

var.paths
An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
var.input
The input from which messages are read. One of file, tcp or udp.
var.syslog_host
The address on which to listen for UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The port on which to listen for syslog traffic. Defaults to 9515.

Ports below 1024 require Filebeat to run as root.

var.tz_offset
By default, datetimes in the logs are interpreted as relative to the timezone configured on the host where Filebeat is running. If ingesting logs from a host in a different timezone, use this field to set the timezone offset so that datetimes are parsed correctly. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
var.rsa_fields
Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS fields and custom fields under rsa to be added.
var.keep_raw_fields
Flag to control the addition of the raw parser fields to the event. These fields are found under rsa.raw. The default is false.

Fields

For a description of each field in the module, see the exported fields section.