
Commit 96474bb

sharadcrestanupratharamachandran authored and committed
[M365 Defender][Microsoft Defender Endpoint] Add support of vulnerability data-stream (elastic#13595)
This release introduces the vulnerability data stream, along with its associated dashboard and visualizations. Vulnerability fields are mapped to their corresponding ECS fields where possible. Test samples were derived from live data samples, which were subsequently sanitized.
1 parent 771e08b commit 96474bb

File tree: 67 files changed, +11396 / -415 lines

packages/m365_defender/_dev/build/docs/README.md

Lines changed: 83 additions & 43 deletions

packages/m365_defender/_dev/deploy/docker/docker-compose.yml

Lines changed: 13 additions & 0 deletions
@@ -26,3 +26,16 @@ services:
2626
- --exit-on-unmatched-rule
2727
- --addr=:8080
2828
- --config=/config.yml
29+
m365-defender-vulnerability-cel:
30+
image: docker.elastic.co/observability/stream:v0.15.0
31+
ports:
32+
- 8080
33+
volumes:
34+
- ./vulnerability-http-mock-config.yml:/config.yml
35+
environment:
36+
PORT: 8080
37+
command:
38+
- http-server
39+
- --exit-on-unmatched-rule
40+
- --addr=:8080
41+
- --config=/config.yml
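Review bot: The new `m365-defender-vulnerability-cel` service runs the `stream` mock with `--exit-on-unmatched-rule`, so any request the vulnerability CEL program issues that has no matching rule in `vulnerability-http-mock-config.yml` (for example a follow-up page or token request) will terminate the mock and fail the system test instead of returning an error response; make sure the mock config covers every request shape the program makes. The service definition otherwise mirrors the existing service directly above it (same `docker.elastic.co/observability/stream:v0.15.0` image, same `PORT: 8080` / `--addr=:8080` pairing), which keeps the compose file consistent.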

packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml

Lines changed: 465 additions & 0 deletions

packages/m365_defender/changelog.yml

Lines changed: 5 additions & 0 deletions
@@ -1,4 +1,9 @@
11
# newer versions go on top
2+
- version: "3.8.0"
3+
changes:
4+
- description: Add vulnerability data stream.
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/13595
27
- version: "3.7.0"
38
changes:
49
- description: Set `device.id` in all datasets and `application.name` in event dataset.
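Review bot: The `3.8.0` minor bump is appropriate for an additive change (a new data stream), the entry sits above `3.7.0` as the `# newer versions go on top` comment requires, and the `link` points at the PR named in the commit title (elastic#13595); nothing to change here.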
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
fields:
2+
tags:
3+
- preserve_duplicate_custom_fields
4+
dynamic_fields:
5+
"event.id": ".*"
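Review bot: `"event.id": ".*"` under `dynamic_fields` accepts any value, so the expected-output file for this test configuration will never pin `event.id` and a regression in how it is populated would go unnoticed; if `event.id` is deterministic for the sample input, a narrower pattern (or dropping the dynamic entry) would catch that. Tagging the test with `preserve_duplicate_custom_fields` is the right way to exercise the pipeline's duplicate-field branch in the expected output.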
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
{"affectedMachine":{"id":"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-","cveId":"CVE-2024-11168","machineId":"86c0491db8ff7e8dcad520288b7759fa27793ce1","fixingKbId":null,"productName":"python-unversioned-command_for_linux","productVendor":"red_hat","productVersion":"0:3.9.18-3.el9_4.6","severity":"Medium","mergedIntoMachineId":null,"isPotentialDuplication":false,"isExcluded":false,"exclusionReason":null,"computerDnsName":"C-Lab-33","firstSeen":"2024-11-06T09:57:53.476232Z","lastSeen":"2025-05-12T04:13:23.7778534Z","osPlatform":"RedHatEnterpriseLinux","osVersion":null,"osProcessor":"x64","version":"9.4","lastIpAddress":"89.160.20.112","lastExternalIpAddress":"175.16.199.0","agentVersion":"30.124082.4.0","osBuild":null,"healthStatus":"Active","deviceValue":"Normal","rbacGroupId":0,"rbacGroupName":null,"riskScore":"High","exposureLevel":"High","isAadJoined":false,"aadDeviceId":null,"machineTags":["C-Lab-Linux"],"onboardingStatus":"Onboarded","osArchitecture":"64-bit","managedBy":"MicrosoftDefenderForEndpoint","managedByStatus":"Success","ipAddresses":[{"ipAddress":"89.160.20.112","macAddress":"00505681A42F","type":"Other","operationalStatus":"Up"},{"ipAddress":"67.43.156.0","macAddress":"000000000000","type":"Other","operationalStatus":"Up"}],"vmMetadata":null},"id":"CVE-2024-11168","name":"CVE-2024-11168","description":"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. 
AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]","severity":"Medium","cvssV3":6.3,"cvssVector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X","exposedMachines":2,"publishedOn":"2023-04-25T16:00:00Z","updatedOn":"2025-04-11T22:15:28.96Z","firstDetected":"2025-05-02T05:36:57Z","patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":["Remote"],"exploitUris":[],"cveSupportability":"Supported","tags":[],"epss":0.00154}
2+
{"affectedMachine":{"aadDeviceId":"79dc383d-1ba1-4ac9-9dca-792e881a5034","agentVersion":"10.8760.19045.5011","computerDnsName":"c-lab-14","cveId":"CVE-2025-24062","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"High","firstSeen":"2024-11-05T11:55:28.5899758Z","fixingKbId":"5055518","healthStatus":"Active","id":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518","ipAddresses":[{"ipAddress":"1.128.0.0","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"2a02:cf40::","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"81.2.69.192","macAddress":null,"operationalStatus":"Up","type":"SoftwareLoopback"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"89.160.20.112","lastIpAddress":"175.16.199.0","lastSeen":"2025-04-21T08:24:41.3833512Z","machineId":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a","machineTags":[],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"windows_10","productVendor":"microsoft","productVersion":"10.0.19045.5011","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7.8,"cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]","epss":0.00073,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":7,"firstDetected":"2025-04-08T18:00:48Z","id":"CVE-2025-24062","name":"CVE-2025-24062","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2025-04-08T07:00:00Z","severity":"High","tags":["test"],"updatedOn":"2025-04-09T20:03:01.577Z"}
3+
{"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029}
4+
{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. 
It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"}
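Review bot: These samples cover useful edge cases, but each needs matching handling in the ingest pipeline: the first record's `cvssVector` is a `CVSS:4.0/...` string even though its score is reported under `cvssV3`, so any parsing that assumes a 3.x vector layout must tolerate it; the third record has `"affectedMachine":null`, so every `affectedMachine.*` access needs a null guard; and `cvssV3` arrives as the integer `7` in the fourth record but as a float elsewhere, so the mapped field should be a float type. The addresses in the records (89.160.20.112, 175.16.199.0, 67.43.156.0, 81.2.69.192, 216.160.83.56, 1.128.0.0, 2a02:cf40::) read as the sanitized test addresses the commit message describes, and the `fixingKbId` values, `machineTags` and the `"tags":["test"]` entry give the pipeline's optional-field branches coverage.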
