diff --git a/packages/m365_defender/_dev/build/docs/README.md b/packages/m365_defender/_dev/build/docs/README.md index d902a5be226..897d565931f 100644 --- a/packages/m365_defender/_dev/build/docs/README.md +++ b/packages/m365_defender/_dev/build/docs/README.md 
@@ -2,20 +2,15 @@ ## Overview -The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Alert, Incident (Microsoft Graph Security API) and Event (Streaming API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. +The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Alert, Incident (Microsoft Graph Security API), Event (Streaming API) Logs, and Vulnerability (Microsoft Defender for Endpoint API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. -Use the Microsoft 365 Defender integration to collect and parse data from the Microsoft Azure Event Hub, and the Microsoft Graph Security v1.0 REST API. Then visualise that data in Kibana. +Use the Microsoft 365 Defender integration to collect and parse data from the Microsoft Azure Event Hub, Microsoft Graph Security v1.0 REST API, and the Micrsoft Defender Endpoint API. Then visualise that data in Kibana. -For example, you could use the data from this integration to consolidate and correlate security alerts from multiple sources. Also, by looking into the alert and incident, a user can take an appropriate action in the Microsoft 365 Defender Portal. - -## Agentless Enabled Integration -Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. 
For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). - -Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. +For example, you could use the data from this integration to consolidate and correlate security alerts from multiple sources. Also, by looking into the alert, incident, and vulnerability a user can take an appropriate action in the Microsoft 365 Defender Portal. ## Data streams -The Microsoft 365 Defender integration collects logs for three types of events: Alert, Event, and Incident. +The Microsoft 365 Defender integration collects logs for four types of events: Alert, Event, Incident, and Vulnerability. **Alert:** This data streams leverages the [Microsoft Graph Security API](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) to collect alerts including suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. 
@@ -23,53 +18,88 @@ The Microsoft 365 Defender integration collects logs for three types of events: **Incidents and Alerts (Recommended):** This data streams leverages the [Microsoft Graph Security API](https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0) to ingest a collection of correlated alert instances and associated metadata that reflects the story of an attack in M365D. Incidents stemming from Microsoft 365 Defender, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Purview Data Loss Prevention are supported by this integration. +**Vulnerability:** This data stream uses the [Microsoft Defender for Endpoint API](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) to gather vulnerability details by fetching data from three different endpoints — [vulnerabilities](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities), [machines](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines), and [software/products](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities-by-machines). The collected data is then correlated and mapped to generate a single, enriched log per vulnerability, providing a clear view of risks across machines and installed software in your environment. + ## Requirements You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. -This module has used **Microsoft Azure Event Hub** for Streaming Event, and **Microsoft Graph Security v1.0 REST API** for Incident data stream. 
+This module has used **Microsoft Azure Event Hub** for Streaming Event, **Microsoft Graph Security v1.0 REST API** for Incident data stream and **Microsoft Defender for Endpoint API** for Vulnerability data stream. For **Event**, using filebeat's [Azure Event Hub](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-eventhub.html) input, state such as leases on partitions and checkpoints in the event stream are shared between receivers using an Azure Storage container. For this reason, as a prerequisite to using this input, users will have to create or use an existing storage account. -## Compatibility +### Agentless enabled integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. -- Supported Microsoft 365 Defender streaming event types have been supported in the current integration version: - - | Resource types | Description | - |---------------------------|---------------------------| - | AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts. | - | AlertInfo | Alerts from M365 Defender XDR services, including severity and threat categorization. | - | DeviceEvents | Event types, including events triggered by security controls. 
| - | DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints. | - | DeviceFileEvents | File creation, modification, and other file system events. | - | DeviceImageLoadEvents | DLL loading events. | - | DeviceInfo | Machine information, including OS information. | - | DeviceLogonEvents | Sign-ins and other authentication events on devices. | - | DeviceNetworkEvents | Network connection and related events. | - | DeviceNetworkInfo | Network properties of devices, as well as connected networks and domains. | - | DeviceProcessEvents | Process creation and related events. | - | DeviceRegistryEvents | Creation and modification of registry entries. | - | EmailAttachmentInfo | Information about files attached to emails. | - | EmailEvents | Microsoft 365 email events, including email delivery and blocking events. | - | EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox. | - | EmailUrlInfo | Information about URLs in emails. | - | IdentityInfo | Account information from various sources, including Microsoft Entra ID. | - | IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services. | - | IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains. | - | IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. | - | CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services. | - | UrlClickEvent | Safe Links clicks from email messages, Teams, and Office 365 apps. | +### Agent-based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). 
You can install only one Elastic Agent per host. + +## Compatibility +### This integration supports below API versions to collect data. + - [Microsoft Graph Security v1.0 REST API](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) + - [M365 Defender Streaming API](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide) + Supported Microsoft 365 Defender streaming event types: + | Resource types | Description | + |---------------------------|---------------------------| + | AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts. | + | AlertInfo | Alerts from M365 Defender XDR services, including severity and threat categorization. | + | DeviceEvents | Event types, including events triggered by security controls. | + | DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints. | + | DeviceFileEvents | File creation, modification, and other file system events. | + | DeviceImageLoadEvents | DLL loading events. | + | DeviceInfo | Machine information, including OS information. | + | DeviceLogonEvents | Sign-ins and other authentication events on devices. | + | DeviceNetworkEvents | Network connection and related events. | + | DeviceNetworkInfo | Network properties of devices, as well as connected networks and domains. | + | DeviceProcessEvents | Process creation and related events. | + | DeviceRegistryEvents | Creation and modification of registry entries. | + | EmailAttachmentInfo | Information about files attached to emails. | + | EmailEvents | Microsoft 365 email events, including email delivery and blocking events. | + | EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox. | + | EmailUrlInfo | Information about URLs in emails. 
| + | IdentityInfo | Account information from various sources, including Microsoft Entra ID. | + | IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services. | + | IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains. | + | IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. | + | CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services. | + | UrlClickEvent | Safe Links clicks from email messages, Teams, and Office 365 apps. | + - [Microsoft Defender for Endpoint API](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) + - [Vulnerabilities API](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities) (Last updated On 04/25/2024) + - [Machines API](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines) (Last updated On 03/01/2025) + - [software/products API](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities-by-machines) (Last updated On 04/25/2024) ## Setup -### To collect data from Microsoft Azure Event Hub, follow the below steps: -1. [Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide). +### Follow the steps below to configure data collection from Microsoft sources: + +### 1. Collecting Data from Microsoft Azure Event Hub +- [Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide). + +### 2. 
Collecting Data from Microsoft Graph Security v1.0 REST API (for Incidents & Alerts) +- [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0). +- Assign the required permission: **SecurityIncident.Read.All**. See more details [here](https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0). +- Once the application is registered, note the following values for use during configuration: + - Client ID + - Client Secret + - Tenant ID -### To collect data from Microsoft Graph Security v1.0 REST API, follow the below steps: +### 3. Collecting Data from Microsoft Defender for Endpoint API (for Vulnerabilities) +- [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0). +- Assign the required permissions: + - **Vulnerability.Read.All** See more details [here](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities#permissions). + - **Machine.Read.All** See more details [here](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines#permissions). +- After registration, retrieve the following credentials needed for configuration: + - Client ID + - Client Secret + - Tenant ID -1. [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0). -2. Permission required for accessing Incident API would be **SecurityIncident.Read.All**. See more details [here](https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0) -3. After the application has been created, it will generate Client ID, Client Secret and Tenant ID values that are required for alert and incident data collection. +### Data Retention and ILM Configuration +A full sync pulls in a large volume of data, which can lead to storage issues or index overflow over time. 
To avoid this, we’ve set up an Index Lifecycle Management (ILM) policy that automatically deletes data older than 7 days. This helps keep storage usage under control. + +> **Note:** The user or service account associated with the integration must have the following **index privileges** on the relevant index have the following permissions `delete`, `delete_index` ## Alert severity mapping @@ -111,3 +141,13 @@ This is the `incident` dataset. {{event "incident"}} {{fields "incident"}} + +### vulnerability + +This is the `vulnerability` dataset. + +#### Example + +{{event "vulnerability"}} + +{{fields "vulnerability"}} diff --git a/packages/m365_defender/_dev/deploy/docker/docker-compose.yml b/packages/m365_defender/_dev/deploy/docker/docker-compose.yml index 744129c9790..154bfd32fc3 100644 --- a/packages/m365_defender/_dev/deploy/docker/docker-compose.yml +++ b/packages/m365_defender/_dev/deploy/docker/docker-compose.yml @@ -26,3 +26,16 @@ services: - --exit-on-unmatched-rule - --addr=:8080 - --config=/config.yml + m365-defender-vulnerability-cel: + image: docker.elastic.co/observability/stream:v0.15.0 + ports: + - 8080 + volumes: + - ./vulnerability-http-mock-config.yml:/config.yml + environment: + PORT: 8080 + command: + - http-server + - --exit-on-unmatched-rule + - --addr=:8080 + - --config=/config.yml \ No newline at end of file diff --git a/packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml b/packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml new file mode 100644 index 00000000000..8b12306ff7c --- /dev/null +++ b/packages/m365_defender/_dev/deploy/docker/vulnerability-http-mock-config.yml 
@@ -0,0 +1,465 @@ +rules: + - path: /tenant_id/oauth2/v2.0/token + methods: [POST] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxx"} + - path: /api/vulnerabilities/machinesVulnerabilities + methods: ['GET'] + query_params: + $top: 10000 + $skip: 0 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)", + "@odata.count": 5, + "value": [ + { + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", + "cveId": "CVE-2025-3074", + "machineId": "94819846155826828d1603b913c67fe336d81295", + "fixingKbId": null, + "productName": "edge_chromium-based", + "productVendor": "microsoft", + "productVersion": "134.0.3124.72", + "severity": "Medium" + }, + { + "id": "c473dc518718ab3d14ced2bd0870665a533070e0-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", + "cveId": "CVE-2025-3074", + "machineId": "c473dc518718ab3d14ced2bd0870665a533070e0", + "fixingKbId": null, + "productName": "edge_chromium-based", + "productVendor": "microsoft", + "productVersion": "133.0.3065.92", + "severity": "Medium" + }, + { + "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", + "cveId": "CVE-2025-3073", + "machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", + "fixingKbId": null, + "productName": "edge_chromium-based", + "productVendor": "microsoft", + "productVersion": "133.0.3065.92", + "severity": "Medium" + }, + { + "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-google-_-chrome-_-134.0.6998.118-_-", + "cveId": "CVE-2025-3073", + 
"machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", + "fixingKbId": null, + "productName": "chrome", + "productVendor": "google", + "productVersion": "134.0.6998.118", + "severity": "Medium" + }, + { + "id": "6825811b97340ed50d858e6285c7a7878248ca75-_-CVE-2025-26635-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", + "cveId": "CVE-2025-26635", + "machineId": "6825811b97340ed50d858e6285c7a7878248ca75", + "fixingKbId": "5055518", + "productName": "windows_10", + "productVendor": "microsoft", + "productVersion": "10.0.19045.5011", + "severity": "Medium" + } + ] + } + `}} + - path: /api/machines + methods: ['GET'] + query_params: + $top: 10000 + $skip: 0 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", + "value": [ + { + "id": "94819846155826828d1603b913c67fe336d81295", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "firstSeen": "2025-01-08T13:05:05.3483549Z", + "lastSeen": "2025-01-08T13:15:03.694371Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "175.16.199.0", + "lastExternalIpAddress": "1.128.0.0", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "None", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": ["test tag"], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "216.160.83.56", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": 
"Up" + } + ], + "vmMetadata": null + }, + { + "id": "c473dc518718ab3d14ced2bd0870665a533070e0", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-a415f17e-ce8d-4ce2-a8b4-83b674e7017e", + "firstSeen": "2025-01-09T20:29:06.2413437Z", + "lastSeen": "2025-01-09T20:57:23.4538904Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "81.2.69.142", + "lastExternalIpAddress": "81.2.69.144", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "None", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "81.2.69.192", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a02:cf40::", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + }, + { + "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-1602ff76-ed7f-4c94-b550-2f727b4782d4", + "firstSeen": "2025-01-09T14:01:35.8022227Z", + "lastSeen": "2025-01-09T14:22:34.8819165Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "81.2.69.192", + "lastExternalIpAddress": "89.160.20.112", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "None", + "exposureLevel": "Low", + "isAadJoined": false, + 
"aadDeviceId": null, + "machineTags": [], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "81.2.69.192", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a02:cf40::", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + }, + { + "id": "6825811b97340ed50d858e6285c7a7878248ca75", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-ab4d04af-68dc-4fee-9c16-6545265b3276", + "firstSeen": "2025-01-09T06:29:21.587607Z", + "lastSeen": "2025-01-09T06:56:38.3119183Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "81.2.69.192", + "lastExternalIpAddress": "89.160.20.112", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "Medium", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": ["test"], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "81.2.69.192", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + }, + { + "id": "08a037be5ffcf0e85c0817a202a95e86dbb65124", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-3a95cdb2-c6ea-4761-b24e-02b71889b8bb", + "firstSeen": "2025-01-09T07:29:19.0754397Z", + "lastSeen": "2025-01-09T07:54:33.335749Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": 
"20.4", + "lastIpAddress": "67.43.156.0", + "lastExternalIpAddress": "175.16.199.0", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "High", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "67.43.156.0", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + } + ] + } + `}} + - path: /api/vulnerabilities + methods: ['GET'] + query_params: + $top: 2 + $skip: 0 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", + "@odata.count": 2, + "value": [ + { + "id": "CVE-2025-3074", + "name": "CVE-2025-3074", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 6.5, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "exposedMachines": 2, + "publishedOn": "2025-04-01T00:00:00Z", + "updatedOn": "2025-04-08T00:00:00Z", + "firstDetected": "2025-04-01T19:52:39Z", + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "Supported", + "tags": ["test"], + "epss": 0.00111 + }, + { + "id": "CVE-2025-3073", + "name": "CVE-2025-3073", + "description": "Summary: An inappropriate implementation in the Autofill feature of Google Chrome versions prior to 135.0.7049.52 allows a remote attacker to perform UI spoofing by convincing a user to interact with a crafted HTML page. This vulnerability is categorized with a Chromium security severity rating of Low. Impact: Exploitation of this vulnerability could enable an attacker to bypass security restrictions, potentially leading to unauthorized actions or data exposure. AdditionalInformation: This vulnerability is also relevant to Microsoft Edge (Chromium-based), as it ingests Chromium. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 6.5, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "exposedMachines": 1, + "publishedOn": "2025-04-01T00:00:00Z", + "updatedOn": "2025-04-08T00:00:00Z", + "firstDetected": "2025-04-01T19:52:39Z", + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "Supported", + "tags": ["test"], + "epss": 0.00111 + } + ] + } + `}} + - path: /api/vulnerabilities + methods: ['GET'] + query_params: + $top: 2 + $skip: 2 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", + "@odata.count": 2, + "value": [ + { + "id": "CVE-2025-26635", + "name": "CVE-2025-26635", + "description": "Summary: A vulnerability in Windows Hellos authentication mechanism permits an authorized attacker to bypass its security feature remotely over a network. Impact: Exploitation of this vulnerability could allow unauthorized access to systems, potentially leading to data breaches or further network compromise. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 6.5, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C", + "exposedMachines": 1, + "publishedOn": "2025-04-08T07:00:00Z", + "updatedOn": "2025-04-09T20:03:01.577Z", + "firstDetected": "2025-04-08T18:00:48Z", + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "Supported", + "tags": [], + "epss": 0.00052 + }, + { + "id": "CVE-2025-3437", + "name": "CVE-2025-3437", + "description": "Summary: The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a vulnerability in its ajax_actions.php file, where several functions lack proper capability checks. This flaw exists in all versions up to and including 1.4.66, allowing authenticated attackers with Subscriber-level access or higher to perform unauthorized data modifications. Impact: Exploitation of this vulnerability could lead to unauthorized changes to the plugins setup, potentially compromising the integrity of the affected WordPress site. Remediation: Upgrade to a version of Stylemixthemes Motors - Car Dealer, Classifieds & Listing later than 1.4.66. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 4.3, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "exposedMachines": 0, + "publishedOn": "2025-04-08T10:15:19.413Z", + "updatedOn": "2025-04-08T18:13:53.347Z", + "firstDetected": null, + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "NotSupported", + "tags": [], + "epss": 0.00025 + } + ] + } + `}} + - path: /api/vulnerabilities + methods: ['GET'] + query_params: + $top: 2 + $skip: 4 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", + "@odata.count": 0, + "value": [] + } + `}} + \ No newline at end of file diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml index 0925f912872..5fef84d79f3 100644 --- a/packages/m365_defender/changelog.yml +++ b/packages/m365_defender/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.8.0" + changes: + - description: Add vulnerability data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/13595 - version: "3.7.0" changes: - description: Set `device.id` in all datasets and `application.name` in event dataset. diff --git a/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..284a400f443 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,5 @@ +fields: + tags: + - preserve_duplicate_custom_fields +dynamic_fields: + "event.id": ".*" \ No newline at end of file 
diff --git a/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log new file mode 100644 index 00000000000..6dedf0fedc1 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log 
@@ -0,0 +1,4 @@ +{"affectedMachine":{"id":"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-","cveId":"CVE-2024-11168","machineId":"86c0491db8ff7e8dcad520288b7759fa27793ce1","fixingKbId":null,"productName":"python-unversioned-command_for_linux","productVendor":"red_hat","productVersion":"0:3.9.18-3.el9_4.6","severity":"Medium","mergedIntoMachineId":null,"isPotentialDuplication":false,"isExcluded":false,"exclusionReason":null,"computerDnsName":"C-Lab-33","firstSeen":"2024-11-06T09:57:53.476232Z","lastSeen":"2025-05-12T04:13:23.7778534Z","osPlatform":"RedHatEnterpriseLinux","osVersion":null,"osProcessor":"x64","version":"9.4","lastIpAddress":"89.160.20.112","lastExternalIpAddress":"175.16.199.0","agentVersion":"30.124082.4.0","osBuild":null,"healthStatus":"Active","deviceValue":"Normal","rbacGroupId":0,"rbacGroupName":null,"riskScore":"High","exposureLevel":"High","isAadJoined":false,"aadDeviceId":null,"machineTags":["C-Lab-Linux"],"onboardingStatus":"Onboarded","osArchitecture":"64-bit","managedBy":"MicrosoftDefenderForEndpoint","managedByStatus":"Success","ipAddresses":[{"ipAddress":"89.160.20.112","macAddress":"00505681A42F","type":"Other","operationalStatus":"Up"},{"ipAddress":"67.43.156.0","macAddress":"000000000000","type":"Other","operationalStatus":"Up"}],"vmMetadata":null},"id":"CVE-2024-11168","name":"CVE-2024-11168","description":"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. 
AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]","severity":"Medium","cvssV3":6.3,"cvssVector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X","exposedMachines":2,"publishedOn":"2023-04-25T16:00:00Z","updatedOn":"2025-04-11T22:15:28.96Z","firstDetected":"2025-05-02T05:36:57Z","patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":["Remote"],"exploitUris":[],"cveSupportability":"Supported","tags":[],"epss":0.00154} +{"affectedMachine":{"aadDeviceId":"79dc383d-1ba1-4ac9-9dca-792e881a5034","agentVersion":"10.8760.19045.5011","computerDnsName":"c-lab-14","cveId":"CVE-2025-24062","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"High","firstSeen":"2024-11-05T11:55:28.5899758Z","fixingKbId":"5055518","healthStatus":"Active","id":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518","ipAddresses":[{"ipAddress":"1.128.0.0","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"2a02:cf40::","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"81.2.69.192","macAddress":null,"operationalStatus":"Up","type":"SoftwareLoopback"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"89.160.20.112","lastIpAddress":"175.16.199.0","lastSeen":"2025-04-21T08:24:41.3833512Z","machineId":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a","machineTags":[],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcesso
r":"x64","osVersion":null,"productName":"windows_10","productVendor":"microsoft","productVersion":"10.0.19045.5011","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7.8,"cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00073,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":7,"firstDetected":"2025-04-08T18:00:48Z","id":"CVE-2025-24062","name":"CVE-2025-24062","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2025-04-08T07:00:00Z","severity":"High","tags":["test"],"updatedOn":"2025-04-09T20:03:01.577Z"} +{"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029} +{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} diff --git a/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json new file mode 100644 index 00000000000..b2fb815d4df --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json 
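Review bot: The sample set usefully covers an `affectedMachine: null` record (CVE-2025-47828) and a non-CVE identifier (TVM-2020-0002), but two details need a check against the expected output. The C-Lab-33 record carries an all-zero `macAddress` ("000000000000"), which the expected document normalises to `00-00-00-00-00-00` instead of treating it as the placeholder it is; the c-lab-14 SoftwareLoopback entry with `macAddress: null` is, by contrast, emitted without a `mac_address`, so the two cases are handled inconsistently. For TVM-2020-0002, the first three expected documents set `vulnerability.enumeration` to `CVE` and build `vulnerability.reference` as `https://www.cve.org/CVERecord?id=<id>`; confirm the expected document for this record does not get a CVE enumeration or a cve.org link for an identifier that is not a CVE.

Review bot: In the expected output, `host.ip` is populated from `lastExternalIpAddress` rather than from `lastIpAddress` or the `ipAddresses` array: C-Lab-33 has `lastIpAddress` 89.160.20.112 and `lastExternalIpAddress` 175.16.199.0 and ends up with `host.ip: ["175.16.199.0"]` (geo Changchun), while c-lab-14 has the two swapped and ends up with `host.ip: ["89.160.20.112"]` (geo Linköping). The external address is the NAT egress seen by the service, not an address the host holds, and it is already preserved in `m365_defender.vulnerability.affected_machine.last_external_ip_address` and in `related.ip`; `host.ip` should be built from `ipAddresses[].ipAddress` or `lastIpAddress`, with `host.geo` resolved from whichever address the data stream documents. Separately, `package.fixed_version` is parsed out of the free-text, AI-generated remediation sentence, which is brittle: for CVE-2024-11168 it yields `3.9.21` against a `package.version` of `0:3.9.18-3.el9_4.6` (an RPM epoch:version-release, a different versioning scheme), and for CVE-2025-47828 it yields `2024-04-05` even though the same description states that versions prior to 2025-04-05 are affected. Either document the field as best-effort or only set it when the remediation text names the same product as `package.name`.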
@@ -0,0 +1,558 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_--2025-05-27T10:28:42.575431692Z", + "kind": "event", + "original": "{\"affectedMachine\":{\"id\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-\",\"cveId\":\"CVE-2024-11168\",\"machineId\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1\",\"fixingKbId\":null,\"productName\":\"python-unversioned-command_for_linux\",\"productVendor\":\"red_hat\",\"productVersion\":\"0:3.9.18-3.el9_4.6\",\"severity\":\"Medium\",\"mergedIntoMachineId\":null,\"isPotentialDuplication\":false,\"isExcluded\":false,\"exclusionReason\":null,\"computerDnsName\":\"C-Lab-33\",\"firstSeen\":\"2024-11-06T09:57:53.476232Z\",\"lastSeen\":\"2025-05-12T04:13:23.7778534Z\",\"osPlatform\":\"RedHatEnterpriseLinux\",\"osVersion\":null,\"osProcessor\":\"x64\",\"version\":\"9.4\",\"lastIpAddress\":\"89.160.20.112\",\"lastExternalIpAddress\":\"175.16.199.0\",\"agentVersion\":\"30.124082.4.0\",\"osBuild\":null,\"healthStatus\":\"Active\",\"deviceValue\":\"Normal\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"High\",\"exposureLevel\":\"High\",\"isAadJoined\":false,\"aadDeviceId\":null,\"machineTags\":[\"C-Lab-Linux\"],\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"ipAddresses\":[{\"ipAddress\":\"89.160.20.112\",\"macAddress\":\"00505681A42F\",\"type\":\"Other\",\"operationalStatus\":\"Up\"},{\"ipAddress\":\"67.43.156.0\",\"macAddress\":\"000000000000\",\"type\":\"Other\",\"operationalStatus\":\"Up\"}],\"vmMetadata\":null},\"id\":\"CVE-2024-11168\",\"name\":\"CVE-2024-11168\",\"description\":\"Summary: Pythons CPython implementation contains a vulnerability 
(CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.3,\"cvssVector\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X\",\"exposedMachines\":2,\"publishedOn\":\"2023-04-25T16:00:00Z\",\"updatedOn\":\"2025-04-11T22:15:28.96Z\",\"firstDetected\":\"2025-05-02T05:36:57Z\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[\"Remote\"],\"exploitUris\":[],\"cveSupportability\":\"Supported\",\"tags\":[],\"epss\":0.00154}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "hostname": "C-Lab-33", + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", + "ip": [ + "175.16.199.0" + ], + "name": "C-Lab-33", + "os": { + "name": "RedHatEnterpriseLinux 9.4", + "platform": "RedHatEnterpriseLinux", + "type": "linux", + "version": "9.4" + }, + "risk": { + "calculated_level": "High" + } 
+ }, + "m365_defender": { + "vulnerability": { + "affected_machine": { + "agent_version": "30.124082.4.0", + "computer_dns_name": "C-Lab-33", + "device_value": "Normal", + "exposure_level": "High", + "first_seen": "2024-11-06T09:57:53.476Z", + "health_status": "Active", + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-", + "ip_addresses": [ + { + "ip_address": "89.160.20.112", + "mac_address": "00-50-56-81-A4-2F", + "operational_status": "Up", + "type": "Other" + }, + { + "ip_address": "67.43.156.0", + "mac_address": "00-00-00-00-00-00", + "operational_status": "Up", + "type": "Other" + } + ], + "is_aad_joined": false, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "175.16.199.0", + "last_ip_address": "89.160.20.112", + "last_seen": "2025-05-12T04:13:23.777Z", + "machine_id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", + "machine_tags": [ + "C-Lab-Linux" + ], + "managed_by": "MicrosoftDefenderForEndpoint", + "managed_by_status": "Success", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_platform": "RedHatEnterpriseLinux", + "os_processor": "x64", + "product_name": "python-unversioned-command_for_linux", + "product_vendor": "red_hat", + "product_version": "0:3.9.18-3.el9_4.6", + "rbac_group_id": "0", + "risk_score": "High", + "severity": "Medium", + "version": "9.4" + }, + "cve_supportability": "Supported", + "cvss_v3": 6.3, + "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", + "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. 
If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", + "epss": 0.00154, + "exploit_in_kit": false, + "exploit_types": [ + "Remote" + ], + "exploit_verified": false, + "exposed_machines": 2, + "first_detected": "2025-05-02T05:36:57.000Z", + "id": "CVE-2024-11168", + "impact": "Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data.", + "name": "CVE-2024-11168", + "public_exploit": false, + "published_on": "2023-04-25T16:00:00.000Z", + "remediation": "Upgrade to Python version 3.9.21 or later.", + "severity": "Medium", + "updated_on": "2025-04-11T22:15:28.960Z" + } + }, + "message": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. 
[Generated by AI]", + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "fixed_version": "3.9.21", + "name": "python-unversioned-command_for_linux", + "version": "0:3.9.18-3.el9_4.6" + }, + "related": { + "hosts": [ + "C-Lab-33", + "86c0491db8ff7e8dcad520288b7759fa27793ce1" + ], + "ip": [ + "89.160.20.112", + "67.43.156.0", + "175.16.199.0" + ] + }, + "resource": { + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", + "name": "C-Lab-33" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2024-11168", + "published_date": "2023-04-25T16:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2024-11168", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.3 + }, + "severity": "Medium", + "title": "Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. 
If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks." + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518-2025-05-27T10:28:42.575463615Z", + "kind": "event", + "original": "{\"affectedMachine\":{\"aadDeviceId\":\"79dc383d-1ba1-4ac9-9dca-792e881a5034\",\"agentVersion\":\"10.8760.19045.5011\",\"computerDnsName\":\"c-lab-14\",\"cveId\":\"CVE-2025-24062\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"High\",\"firstSeen\":\"2024-11-05T11:55:28.5899758Z\",\"fixingKbId\":\"5055518\",\"healthStatus\":\"Active\",\"id\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518\",\"ipAddresses\":[{\"ipAddress\":\"1.128.0.0\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"2a02:cf40::\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"81.2.69.192\",\"macAddress\":null,\"operationalStatus\":\"Up\",\"type\":\"SoftwareLoopback\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"89.160.20.112\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-04-21T08:24:41.3833512Z\",\"machineId\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a\",\"machineTags\":[],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"windows_10\",\"productVendor\":\"microsoft\",\"productVersion\":\"10.0.19045.5011\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupp
ortability\":\"Supported\",\"cvssV3\":7.8,\"cvssVector\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00073,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":7,\"firstDetected\":\"2025-04-08T18:00:48Z\",\"id\":\"CVE-2025-24062\",\"name\":\"CVE-2025-24062\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-08T07:00:00Z\",\"severity\":\"High\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-09T20:03:01.577Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "hostname": "c-lab-14", + "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", + "ip": [ + "89.160.20.112" + ], + "name": "c-lab-14", + "os": { + "name": "Windows10 22H2", + "platform": "Windows10", + "type": "windows", + "version": "22H2" + }, + "risk": { + "calculated_level": "None" + } + }, + "m365_defender": { + "vulnerability": { + "affected_machine": { + "aad_device_id": "79dc383d-1ba1-4ac9-9dca-792e881a5034", + "agent_version": "10.8760.19045.5011", + "computer_dns_name": "c-lab-14", + "device_value": "Normal", + "exposure_level": "High", + "first_seen": "2024-11-05T11:55:28.589Z", + "fixing_kb_id": "5055518", + "health_status": "Active", + 
"id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", + "ip_addresses": [ + { + "ip_address": "1.128.0.0", + "mac_address": "00-50-56-83-B8-89", + "operational_status": "Up", + "type": "Ethernet" + }, + { + "ip_address": "2a02:cf40::", + "mac_address": "00-50-56-83-B8-89", + "operational_status": "Up", + "type": "Ethernet" + }, + { + "ip_address": "81.2.69.192", + "operational_status": "Up", + "type": "SoftwareLoopback" + } + ], + "is_aad_joined": true, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "89.160.20.112", + "last_ip_address": "175.16.199.0", + "last_seen": "2025-04-21T08:24:41.383Z", + "machine_id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", + "managed_by": "Intune", + "managed_by_status": "Unknown", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 19045, + "os_platform": "Windows10", + "os_processor": "x64", + "product_name": "windows_10", + "product_vendor": "microsoft", + "product_version": "10.0.19045.5011", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "High", + "version": "22H2" + }, + "cve_supportability": "Supported", + "cvss_v3": 7.8, + "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "epss": 7.3E-4, + "exploit_in_kit": false, + "exploit_types": [ + "PrivilegeEscalation" + ], + "exploit_verified": false, + "exposed_machines": 7, + "first_detected": "2025-04-08T18:00:48.000Z", + "id": "CVE-2025-24062", + "impact": "Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity.", + "name": "CVE-2025-24062", + "public_exploit": false, + "published_on": "2025-04-08T07:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "High", + "tags": [ + "test" + ], + "updated_on": "2025-04-09T20:03:01.577Z" + } + }, + "message": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "windows_10", + "version": "10.0.19045.5011" + }, + "related": { + "hosts": [ + "79dc383d-1ba1-4ac9-9dca-792e881a5034", + "c-lab-14", + "fd43e5b3ba69b8ecffb165017d9c8687f24e246a" + ], + "ip": [ + "1.128.0.0", + "2a02:cf40::", + "81.2.69.192", + "89.160.20.112", + "175.16.199.0" + ] + }, + "resource": { + "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", + "name": "c-lab-14" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. 
Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-24062", + "published_date": "2025-04-08T07:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-24062", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 7.8 + }, + "severity": "High", + "title": "An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges." + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-47828-2025-05-27T10:28:42.575468513Z", + "kind": "event", + "original": "{\"affectedMachine\":null,\"id\":\"CVE-2025-47828\",\"name\":\"CVE-2025-47828\",\"description\":\"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.4,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C\",\"exposedMachines\":0,\"publishedOn\":\"2025-05-11T00:00:00Z\",\"updatedOn\":\"2025-05-12T20:50:07Z\",\"firstDetected\":null,\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"cveSupportability\":\"NotSupported\",\"tags\":[],\"epss\":0.00029}", + "type": [ + "info" + ] + }, + "m365_defender": { + "vulnerability": { + "cve_supportability": "NotSupported", + "cvss_v3": 6.4, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C", + "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]", + "epss": 2.9E-4, + "exploit_in_kit": false, + "exploit_verified": false, + "exposed_machines": 0, + "id": "CVE-2025-47828", + "impact": "Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website.", + "name": "CVE-2025-47828", + "public_exploit": false, + "published_on": "2025-05-11T00:00:00.000Z", + "remediation": "Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05.", + "severity": "Medium", + "updated_on": "2025-05-12T20:50:07.000Z" + } + }, + "message": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "fixed_version": "2024-04-05" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. 
Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-47828", + "published_date": "2025-05-11T00:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-47828", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.4 + }, + "severity": "Medium", + "title": "The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs." 
+ } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_--2025-05-27T10:28:42.575472415Z", + "kind": "event", + "original": "{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "hostname": "c-lab-08", + "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", + "ip": [ + "67.43.156.0" + ], + "name": "c-lab-08", + "os": { + "name": "Windows10 22H2", + "platform": "Windows10", + "type": "windows", + "version": "22H2" + }, + "risk": { + "calculated_level": "None" + } + }, + "m365_defender": { + "vulnerability": { + "affected_machine": { + "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", + "agent_version": "10.8792.19045.5737", + "computer_dns_name": "c-lab-08", + "device_value": "Normal", + "exposure_level": "Low", + "first_seen": "2024-11-05T11:54:59.571Z", + "health_status": "Active", + "id": 
"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", + "ip_addresses": [ + { + "ip_address": "216.160.83.56", + "mac_address": "00-50-56-83-B8-80", + "operational_status": "Up", + "type": "Ethernet" + } + ], + "is_aad_joined": true, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "67.43.156.0", + "last_ip_address": "89.160.20.128", + "last_seen": "2025-04-22T05:48:04.755Z", + "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", + "machine_tags": [ + "test tag 1" + ], + "managed_by": "Intune", + "managed_by_status": "Unknown", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 19045, + "os_platform": "Windows10", + "os_processor": "x64", + "product_name": "tools", + "product_vendor": "vmware", + "product_version": "12.0.6.0", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "High", + "version": "22H2" + }, + "cve_supportability": "Supported", + "cvss_v3": 7.0, + "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "epss": 5.3E-4, + "exploit_in_kit": false, + "exploit_types": [ + "PrivilegeEscalation" + ], + "exploit_verified": false, + "exposed_machines": 12, + "first_detected": "2025-01-01T08:22:58.000Z", + "id": "TVM-2020-0002", + "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", + "name": "TVM-2020-0002", + "public_exploit": false, + "published_on": "2022-08-23T00:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "High", + "updated_on": "2024-12-10T00:00:00.000Z" + } + }, + "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "tools", + "version": "12.0.6.0" + }, + "related": { + "hosts": [ + "d78dc223-8dc8-4210-9700-019b3b03505b", + "c-lab-08", + "0e23b8b23f6dc0e9d84846f877b45d19c04a522d" + ], + "ip": [ + "216.160.83.56", + "67.43.156.0", + "89.160.20.128" + ] + }, + "resource": { + "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", + "name": "c-lab-08" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "enumeration": "TVM", + "id": "TVM-2020-0002", + "published_date": "2022-08-23T00:00:00.000Z", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 7.0 + }, + "severity": "High", + "title": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine." + } + } + ] +} 
diff --git a/packages/m365_defender/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/m365_defender/data_stream/vulnerability/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..33a446e45b8 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/_dev/test/system/test-default-config.yml @@ -0,0 +1,15 @@ +input: cel +service: m365-defender-vulnerability-cel +vars: + url: http://{{Hostname}}:{{Port}} + token_url: http://{{Hostname}}:{{Port}} + client_id: test-app-id + client_secret: test-secret + azure_tenant_id: tenant_id +data_stream: + vars: + batch_size: 2 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 5 diff --git a/packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..ccc5a5651aa --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/agent/stream/cel.yml.hbs 
@@ -0,0 +1,253 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + provider: azure + client.id: {{client_id}} + client.secret: {{client_secret}} + scopes: +{{#each token_scopes as |token_scope|}} + - {{token_scope}} +{{/each}} +{{#if token_url}} + token_url: {{token_url}}/{{azure_tenant_id}}/oauth2/v2.0/token +{{else if azure_tenant_id}} + azure.tenant_id: {{azure_tenant_id}} +{{/if}} + +state: + product_batch_size: 10000 + product_skip: 0 + batch_size: {{batch_size}} + skip: 0 + machine_batch_size: 10000 + machine_skip: 0 + affected_machines_only: {{affected_machines_only}} +redact: + fields: ~ +program: | + ( + state.?is_all_products_fetched.orValue(false) ? + { + "products": state.products, + "product_batch_size": state.product_batch_size, + "product_skip": 0, + "is_all_products_fetched": state.is_all_products_fetched, + ?"machines": state.?machines, + "machine_batch_size": state.machine_batch_size, + "machine_skip": state.machine_skip, + ?"is_all_machines_fetched": state.?is_all_machines_fetched, + ?"vulnerabilities": state.?vulnerabilities, + "batch_size": state.batch_size, + "skip": state.skip, + ?"is_all_vulnerabilities_fetched": state.?is_all_vulnerabilities_fetched, + "affected_machines_only": state.affected_machines_only, + } + : + request("GET", state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities?" + { + "$top": [string(state.product_batch_size)], + "$skip": [string(state.product_skip)], + }.format_query()).do_request().as(productResp, productResp.StatusCode == 200 ? 
+ ( + productResp.Body.decode_json().as(productBody, { + "events": [{"message":"retry"}], + "products": (state.?products.orValue([]) + productBody.value).flatten(), + "product_batch_size": state.product_batch_size, + "product_skip": size(productBody.value) > 0 ? int(state.product_skip) + int(state.product_batch_size) : 0, + "is_all_products_fetched": size(productBody.value) < int(state.product_batch_size), + "want_more": true, + "machine_batch_size": state.machine_batch_size, + "machine_skip": state.machine_skip, + "batch_size": state.batch_size, + "skip": state.skip, + "affected_machines_only": state.affected_machines_only, + }) + ) + : + { + "events": { + "error": { + "code": string(productResp.StatusCode), + "id": string(productResp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities" + + ( + size(productResp.Body) != 0 ? + string(productResp.Body) + : + string(productResp.Status) + ' (' + string(productResp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ).as(products, !products.?is_all_products_fetched.orValue(false) ? products : ( + products.?is_all_machines_fetched.orValue(false) ? + { + "products": products.products, + "product_batch_size": products.product_batch_size, + "product_skip": 0, + "is_all_products_fetched": products.is_all_products_fetched, + "machines": products.machines, + "machine_batch_size": products.machine_batch_size, + "machine_skip": 0, + "is_all_machines_fetched": products.is_all_machines_fetched, + ?"vulnerabilities": products.?vulnerabilities, + "batch_size": products.batch_size, + "skip": products.skip, + ?"is_all_vulnerabilities_fetched": products.?is_all_vulnerabilities_fetched, + "affected_machines_only": products.affected_machines_only, + } + : + request("GET", state.url.trim_right("/") + "/api/machines?" 
+ { + "$top": [string(products.machine_batch_size)], + "$skip": [string(products.machine_skip)], + }.format_query()).do_request().as(machineResp, machineResp.StatusCode == 200 ? + machineResp.Body.decode_json().as(machineBody, { + "events": [{"message":"retry"}], + "machines": (products.?machines.orValue([]) + machineBody.value).flatten(), + "machine_batch_size": products.machine_batch_size, + "machine_skip": size(machineBody.value) > 0 ? int(products.machine_skip) + int(products.machine_batch_size) : 0, + "is_all_machines_fetched": size(machineBody.value) < int(products.machine_batch_size), + "want_more": true, + "products": products.products, + "product_batch_size": products.product_batch_size, + "product_skip" : 0, + "is_all_products_fetched": products.is_all_products_fetched, + "batch_size": products.batch_size, + "skip": products.skip, + "affected_machines_only": products.affected_machines_only, + }) + : + { + "events": { + "error": { + "code": string(machineResp.StatusCode), + "id": string(machineResp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/machines" + + ( + size(machineResp.Body) != 0 ? + string(machineResp.Body) + : + string(machineResp.Status) + ' (' + string(machineResp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + )).as(products_with_machines, !products_with_machines.?is_all_machines_fetched.orValue(false) ? products_with_machines : ( + products_with_machines.?is_all_vulnerability_fetched.orValue(false) ? 
+ { + "products": products_with_machines.products, + "product_batch_size": products_with_machines.product_batch_size, + "product_skip": 0, + "is_all_products_fetched": products_with_machines.is_all_products_fetched, + "machines": products_with_machines.machines, + "machine_batch_size": products_with_machines.machine_batch_size, + "machine_skip": 0, + "is_all_machines_fetched": products_with_machines.is_all_machines_fetched, + "vulnerabilities": products_with_machines.vulnerabilities, + "batch_size": products_with_machines.batch_size, + "skip": 0, + "is_all_vulnerability_fetched": products_with_machines.is_all_vulnerability_fetched, + "affected_machines_only": products_with_machines.affected_machines_only, + } + : + request("GET", state.url.trim_right("/") + "/api/vulnerabilities?" + { + "$top": [string(products_with_machines.batch_size)], + "$skip": [string(products_with_machines.skip)], + }.format_query()).do_request().as(vulnerabilityResp, vulnerabilityResp.StatusCode == 200 ? + vulnerabilityResp.Body.decode_json().as(vulnerabilityBody, { + "events": [{"message":"retry"}], + "vulnerabilities": (products_with_machines.?vulnerabilities.orValue([]) + vulnerabilityBody.value).flatten(), + "batch_size": state.batch_size, + "skip":size(vulnerabilityBody.value) > 0 ? 
int(products_with_machines.skip) + int(products_with_machines.batch_size) : 0, + "is_all_vulnerabilities_fetched": size(vulnerabilityBody.value) < int(products_with_machines.batch_size), + "want_more": true, + "products": products_with_machines.products, + "product_batch_size": products_with_machines.product_batch_size, + "product_skip" : 0, + "is_all_products_fetched": products_with_machines.is_all_products_fetched, + "machines": products_with_machines.machines, + "machine_batch_size": products_with_machines.machine_batch_size, + "machine_skip": 0, + "is_all_machines_fetched": products_with_machines.is_all_machines_fetched, + "affected_machines_only": products_with_machines.affected_machines_only, + }) + : + { + "events": { + "error": { + "code": string(vulnerabilityResp.StatusCode), + "id": string(vulnerabilityResp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities" + + ( + size(vulnerabilityResp.Body) != 0 ? + string(vulnerabilityResp.Body) + : + string(vulnerabilityResp.Status) + ' (' + string(vulnerabilityResp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + )).as(all_data, !all_data.?is_all_vulnerabilities_fetched.orValue(false) ? all_data : ( + ( + all_data.products.map(p, (all_data.machines.filter(m, m.id == p.machineId)[0]).with(p)) + ).as(mapped_products, { + "vulnerability_with_machines": all_data.vulnerabilities.filter(v, v.exposedMachines > 0), + "vulnerability_without_machines": !all_data.affected_machines_only ? 
+ all_data.vulnerabilities.filter(v, v.exposedMachines == 0) + : + [], + "mapped_products": mapped_products, + }).as(final_data, { + "events": (final_data.vulnerability_with_machines.map(v, + final_data.mapped_products.filter(mp, mp.cveId == v.id).map(related_mapped_products, + {"message": v.with({"affectedMachine": related_mapped_products}).encode_json()} + )).flatten() + final_data.vulnerability_without_machines.map(v, { + "message": v.with({"affectedMachine": null}).encode_json(), + }) + ).flatten(), + "product_batch_size": all_data.product_batch_size, + "product_skip" : 0, + "machine_batch_size": all_data.machine_batch_size, + "machine_skip": 0, + "batch_size": all_data.batch_size, + "skip": 0, + "affected_machines_only": all_data.affected_machines_only, + "want_more": false, + }) + )) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/m365_defender/data_stream/vulnerability/elasticsearch/ilm/default_policy.json b/packages/m365_defender/data_stream/vulnerability/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..6fbc1040483 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/elasticsearch/ilm/default_policy.json @@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "7d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "7d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..ae1d4a63270 
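Review bot: the state key for the vulnerabilities stage is spelled inconsistently, which turns the pass-through branch into dead code: the condition `products_with_machines.?is_all_vulnerability_fetched.orValue(false) ?` and the key `"is_all_vulnerability_fetched": products_with_machines.is_all_vulnerability_fetched,` use the singular, while the fetch branch writes `"is_all_vulnerabilities_fetched"` and the final stage tests `all_data.?is_all_vulnerabilities_fetched`. Rename the two singular occurrences; as written the condition is always false and the stage only works because the request branch runs on every pass. Separately, in the final stage `all_data.machines.filter(m, m.id == p.machineId)[0]` indexes without checking for a match, so a machinesVulnerabilities entry whose `machineId` is absent from the collected `/api/machines` pages (a device onboarded or retired between the two paginated collections) fails evaluation of the whole program; guard the lookup with a size check before indexing so one unmatched product cannot abort emission of every event.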
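Review bot: the retention this ILM policy implies is not documented in the README changes: rollover at `max_age: 7d` or 50gb followed by `delete` at `min_age: 7d` keeps roughly one to two weeks of data, and since the CEL program's final state resets `product_skip`, `machine_skip` and `skip` to 0 and carries none of the `is_all_*_fetched` flags forward, every interval re-collects the complete vulnerability inventory. State in the data stream documentation that this is a periodically refreshed snapshot with short retention, so users size `interval` and retention together.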
--- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,804 @@ +--- +description: Pipeline for processing Vulnerability logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - drop: + if: ctx.message == 'retry' + tag: drop_retry_events + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_event_kind_to_event + value: event + - append: + field: event.type + tag: append_event_type + value: info + - append: + field: event.category + tag: append_event_category + value: vulnerability + - set: + field: observer.product + tag: set_observer_product + value: "Microsoft 365 Defender" + - set: + field: observer.vendor + tag : set_observer_vendor + value: "Microsoft" + - rename: + field: json.affectedMachine.aadDeviceId + tag: rename_affectedMachine_aadDeviceId + target_field: m365_defender.vulnerability.affected_machine.aad_device_id + ignore_missing: true + - append: + field: related.hosts + 
tag: append_m365_defender_vulnerability_affected_machine_aad_device_id_into_related_hosts + value: '{{{m365_defender.vulnerability.affected_machine.aad_device_id}}}' + allow_duplicates: false + if: ctx.m365_defender?.vulnerability?.affected_machine?.aad_device_id != null + - rename: + field: json.affectedMachine.agentVersion + tag: rename_affectedMachine_agentVersion + target_field: m365_defender.vulnerability.affected_machine.agent_version + ignore_missing: true + - rename: + field: json.affectedMachine.computerDnsName + tag: rename_affectedMachine_computerDnsName + target_field: m365_defender.vulnerability.affected_machine.computer_dns_name + ignore_missing: true + - set: + field: host.hostname + tag: set_host_hostname_from_m365_defender_vulnerability_affected_machine_computer_dns_name + copy_from: m365_defender.vulnerability.affected_machine.computer_dns_name + ignore_empty_value: true + - set: + field: host.name + tag: set_host_hostname_from_m365_defender_vulnerability_affected_machine_computer_dns_name + copy_from: m365_defender.vulnerability.affected_machine.computer_dns_name + ignore_empty_value: true + - set: + field: resource.name + tag: set_resource_name_from_m365_defender_vulnerability_affected_machine_computer_dns_name + copy_from: m365_defender.vulnerability.affected_machine.computer_dns_name + ignore_empty_value: true + - append: + field: related.hosts + tag: append_m365_defender_vulnerability_computer_dns_name_into_related_hosts + value: '{{{m365_defender.vulnerability.affected_machine.computer_dns_name}}}' + allow_duplicates: false + if: ctx.m365_defender?.vulnerability?.affected_machine?.computer_dns_name != null + - rename: + field: json.affectedMachine.deviceValue + tag: rename_affectedMachine_deviceValue + target_field: m365_defender.vulnerability.affected_machine.device_value + ignore_missing: true + - rename: + field: json.affectedMachine.exclusionReason + tag: rename_affectedMachine_exclusionReason + target_field: 
m365_defender.vulnerability.affected_machine.exclusion_reason + ignore_missing: true + - rename: + field: json.affectedMachine.exposureLevel + tag: rename_affectedMachine_exposureLevel + target_field: m365_defender.vulnerability.affected_machine.exposure_level + ignore_missing: true + - date: + field: json.affectedMachine.firstSeen + tag: date_affectedMachine_firstSeen + target_field: m365_defender.vulnerability.affected_machine.first_seen + formats: + - strict_date_optional_time_nanos + if: ctx.json?.affectedMachine?.firstSeen != null && ctx.json.affectedMachine.firstSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.affectedMachine.fixingKbId + tag: rename_affectedMachine_fixingKbId + target_field: m365_defender.vulnerability.affected_machine.fixing_kb_id + ignore_missing: true + - rename: + field: json.affectedMachine.healthStatus + tag: rename_affectedMachine_healthStatus + target_field: m365_defender.vulnerability.affected_machine.health_status + ignore_missing: true + - rename: + field: json.affectedMachine.id + tag: rename_affectedMachine_id + target_field: m365_defender.vulnerability.affected_machine.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_m365_defender_vulnerability_affected_machine_id + value: '{{{m365_defender.vulnerability.affected_machine.id}}}-{{{_ingest.timestamp}}}' + if: ctx.m365_defender?.vulnerability?.affected_machine?.id != null + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + convert: + field: _ingest._value.ipAddress + tag: convert_affectedMachine_ipAddresses_ipAddress_to_ip + target_field: _ingest._value.ip_address + type: ip + ignore_missing: true + on_failure: + - append: + field: 
error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + append: + field: related.ip + tag: append_affectedMachine_ipAddresses_ip_address_into_related_ip + value: '{{{_ingest._value.ip_address}}}' + allow_duplicates: false + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + uppercase: + field: _ingest._value.macAddress + tag: uppercase_affectedMachine_ipAddresses_macAddress + target_field: _ingest._value.mac_address + ignore_missing: true + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + gsub: + field: _ingest._value.mac_address + pattern: '(..)(?!$)' + replacement: '$1-' + tag: gsub_affectedMachine_ipAddresses_mac_address + ignore_missing: true + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + rename: + field: _ingest._value.operationalStatus + tag: rename_affectedMachine_ipAddresses_operationalStatus + target_field: _ingest._value.operational_status + ignore_missing: true + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + remove: + field: + - _ingest._value.ipAddress + - _ingest._value.macAddress + tag: remove_ipAddresses + ignore_missing: true + - rename: + field: json.affectedMachine.ipAddresses + tag: rename_affectedMachine_ipAddresses + target_field: m365_defender.vulnerability.affected_machine.ip_addresses + ignore_missing: true + - convert: + field: json.affectedMachine.isAadJoined + tag: convert_affectedMachine_isAadJoined_to_boolean + target_field: 
m365_defender.vulnerability.affected_machine.is_aad_joined + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.affectedMachine.isExcluded + tag: convert_affectedMachine_isExcluded_to_boolean + target_field: m365_defender.vulnerability.affected_machine.is_excluded + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.affectedMachine.isPotentialDuplication + tag: convert_affectedMachine_isPotentialDuplication_to_boolean + target_field: m365_defender.vulnerability.affected_machine.is_potential_duplication + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.affectedMachine.lastExternalIpAddress + tag: convert_affectedMachine_lastExternalIpAddress_to_ip + target_field: m365_defender.vulnerability.affected_machine.last_external_ip_address + type: ip + ignore_missing: true + if: ctx.json?.affectedMachine?.lastExternalIpAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: host.ip + tag: 
append_m365_defender_vulnerability_affected_machine_last_external_ip_address_into_host_ip + value: '{{{m365_defender.vulnerability.affected_machine.last_external_ip_address}}}' + allow_duplicates: false + if: ctx.m365_defender?.vulnerability?.affected_machine?.last_external_ip_address != null + - append: + field: related.ip + tag: append_m365_defender_vulnerability_affected_machine_last_external_ip_address_into_related_ip + value: '{{{m365_defender.vulnerability.affected_machine.last_external_ip_address}}}' + allow_duplicates: false + if: ctx.m365_defender?.vulnerability?.affected_machine?.last_external_ip_address != null + - geoip: + field: host.ip + target_field: host.geo + tag: geoip_host_geo + ignore_missing: true + - convert: + field: json.affectedMachine.lastIpAddress + tag: convert_affectedMachine_lastIpAddress_to_ip + target_field: m365_defender.vulnerability.affected_machine.last_ip_address + type: ip + ignore_missing: true + if: ctx.json?.affectedMachine?.lastIpAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_m365_defender_vulnerability_affected_machine_last_ip_address_into_related_ip + value: '{{{m365_defender.vulnerability.affected_machine.last_ip_address}}}' + allow_duplicates: false + if: ctx.m365_defender?.vulnerability?.affected_machine?.last_ip_address != null + - date: + field: json.affectedMachine.lastSeen + tag: date_affectedMachine_lastSeen + target_field: m365_defender.vulnerability.affected_machine.last_seen + formats: + - strict_date_optional_time_nanos + if: ctx.json?.affectedMachine?.lastSeen != null && ctx.json.affectedMachine.lastSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.affectedMachine.machineId + tag: rename_affectedMachine_machineId + target_field: m365_defender.vulnerability.affected_machine.machine_id + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_m365_defender_vulnerability_affected_machine_machine_id + copy_from: m365_defender.vulnerability.affected_machine.machine_id + ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_m365_defender_vulnerability_affected_machine_machine_id + copy_from: m365_defender.vulnerability.affected_machine.machine_id + ignore_empty_value: true + - append: + field: related.hosts + tag: append_related_hosts_from_m365_defender_vulnerability_affected_machine_machine_id + value: '{{{m365_defender.vulnerability.affected_machine.machine_id}}}' + allow_duplicates: false + if: ctx.m365_defender?.vulnerability?.affected_machine?.machine_id != null + - rename: + field: json.affectedMachine.machineTags + tag: rename_affectedMachine_machineTags + target_field: m365_defender.vulnerability.affected_machine.machine_tags + ignore_missing: true + - rename: + field: json.affectedMachine.managedBy + tag: rename_affectedMachine_managedBy + target_field: m365_defender.vulnerability.affected_machine.managed_by + ignore_missing: true + - rename: + field: json.affectedMachine.managedByStatus + tag: rename_affectedMachine_managedByStatus + target_field: m365_defender.vulnerability.affected_machine.managed_by_status + ignore_missing: true + - convert: + field: json.affectedMachine.mergedIntoMachineId + tag: convert_affectedMachine_mergedIntoMachineId_to_string + target_field: m365_defender.vulnerability.affected_machine.merged_into_machine_id + type: string + ignore_missing: true + - rename: + field: json.affectedMachine.onboardingStatus + tag: rename_affectedMachine_onboardingStatus + target_field: 
m365_defender.vulnerability.affected_machine.onboarding_status + ignore_missing: true + - rename: + field: json.affectedMachine.osArchitecture + tag: rename_affectedMachine_osArchitecture + target_field: m365_defender.vulnerability.affected_machine.os_architecture + ignore_missing: true + - convert: + field: json.affectedMachine.osBuild + tag: convert_affectedMachine_osBuild_to_long + target_field: m365_defender.vulnerability.affected_machine.os_build + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.affectedMachine.osPlatform + tag: rename_affectedMachine_osPlatform + target_field: m365_defender.vulnerability.affected_machine.os_platform + ignore_missing: true + - set: + field: host.os.platform + tag: set_host_os_platform_from_m365_defender_vulnerability_affected_machine_os_platform + copy_from: m365_defender.vulnerability.affected_machine.os_platform + ignore_empty_value: true + - script: + description: Dynamically set host.os.type values. 
+ tag: script_map_host_os_type + lang: painless + if: ctx.m365_defender?.vulnerability?.affected_machine?.os_platform != null + params: + os_type: + - linux + - macos + - unix + - windows + - ios + - android + source: | + String os_platform = ctx.m365_defender.vulnerability.affected_machine.os_platform.toLowerCase(); + for (String os: params.os_type) { + if (os_platform.contains(os)) { + ctx.host.os.put('type', os); + return; + } + } + if (os_platform.contains('centos') || os_platform.contains('ubuntu')) { + ctx.host.os.put('type', 'linux'); + } + - rename: + field: json.affectedMachine.osProcessor + tag: rename_affectedMachine_osProcessor + target_field: m365_defender.vulnerability.affected_machine.os_processor + ignore_missing: true + - set: + field: host.architecture + tag: set_host_architecture_from_vulnerability_affected_machine_os_processor + copy_from: m365_defender.vulnerability.affected_machine.os_processor + ignore_empty_value: true + - convert: + field: json.affectedMachine.osVersion + tag: convert_affectedMachine_osVersion_to_string + target_field: m365_defender.vulnerability.affected_machine.os_version + type: string + ignore_missing: true + - rename: + field: json.affectedMachine.productName + tag: rename_affectedMachine_productName + target_field: m365_defender.vulnerability.affected_machine.product_name + ignore_missing: true + - set: + field: package.name + tag: set_package_version_from_vulnerability_affected_machine_product_name + copy_from: m365_defender.vulnerability.affected_machine.product_name + ignore_empty_value: true + - rename: + field: json.affectedMachine.productVendor + tag: rename_affectedMachine_productVendor + target_field: m365_defender.vulnerability.affected_machine.product_vendor + ignore_missing: true + - rename: + field: json.affectedMachine.productVersion + tag: rename_affectedMachine_productVersion + target_field: m365_defender.vulnerability.affected_machine.product_version + ignore_missing: true + - set: + field: 
package.version + tag: set_package_version_from_vulnerability_affected_machine_product_version + copy_from: m365_defender.vulnerability.affected_machine.product_version + ignore_empty_value: true + - convert: + field: json.affectedMachine.rbacGroupId + tag: convert_affectedMachine_rbacgroup_id_to_string + target_field: m365_defender.vulnerability.affected_machine.rbac_group_id + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: group.id + tag: set_group_id_from_vulnerability_affected_machine_rbac_group_id + copy_from: m365_defender.vulnerability.affected_machine.rbac_group_id + ignore_empty_value: true + - rename: + field: json.affectedMachine.rbacGroupName + tag: rename_affectedMachine_rbacGroupName + target_field: m365_defender.vulnerability.affected_machine.rbac_group_name + ignore_missing: true + - set: + field: group.name + tag: set_group_name_from_vulnerability_affected_machine_rbac_group_name + copy_from: m365_defender.vulnerability.affected_machine.rbac_group_name + ignore_empty_value: true + - rename: + field: json.affectedMachine.riskScore + tag: rename_riskScore + target_field: m365_defender.vulnerability.affected_machine.risk_score + ignore_missing: true + - set: + field: host.risk.calculated_level + tag: set_host_risk_calculated_level_from_vulnerability_affected_machine_risk_score + copy_from: m365_defender.vulnerability.affected_machine.risk_score + ignore_empty_value: true + - rename: + field: json.affectedMachine.severity + tag: rename_affectedMachine_severity + target_field: m365_defender.vulnerability.affected_machine.severity + ignore_missing: true + - rename: + field: json.affectedMachine.version + tag: rename_affectedMachine_version + target_field: 
m365_defender.vulnerability.affected_machine.version + ignore_missing: true + - set: + field: host.os.version + tag: set_host_os_version_from_vulnerability_affected_machine_version + copy_from: m365_defender.vulnerability.affected_machine.version + ignore_empty_value: true + - set: + field: host.os.name + value: '{{{host.os.platform}}} {{{host.os.version}}}' + ignore_failure: true + if: ctx.host?.os?.platform != null && ctx.host?.os?.version != null + - rename: + field: json.affectedMachine.vmMetadata.cloudProvider + tag: rename_affectedMachine_vmMetadata_cloudProvider + target_field: m365_defender.vulnerability.affected_machine.vmMetadata.cloud_provider + ignore_missing: true + - rename: + field: json.affectedMachine.vmMetadata.resourceId + tag: rename_affectedMachine_vmMetadata_resourceId + target_field: m365_defender.vulnerability.affected_machine.vmMetadata.resource_id + ignore_missing: true + - rename: + field: json.affectedMachine.vmMetadata.subscriptionId + tag: rename_affectedMachine_vmMetadata_subscriptionId + target_field: m365_defender.vulnerability.affected_machine.vmMetadata.subscription_id + ignore_missing: true + - rename: + field: json.affectedMachine.vmMetadata.vmId + tag: rename_affectedMachine_vmMetadata_vmId + target_field: m365_defender.vulnerability.affected_machine.vmMetadata.vm_id + ignore_missing: true + - rename: + field: json.cveSupportability + tag: rename_cveSupportability + target_field: m365_defender.vulnerability.cve_supportability + ignore_missing: true + - convert: + field: json.cvssV3 + tag: convert_cvssV3_to_double + target_field: m365_defender.vulnerability.cvss_v3 + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: 
set_vulnerability_score_base_from_vulnerability_cvss_v3 + copy_from: m365_defender.vulnerability.cvss_v3 + ignore_empty_value: true + - set: + field: vulnerability.classification + tag: set_vulnerability_classification_from_vulnerability_cvss_v3 + value: CVSS + if: ctx.m365_defender?.vulnerability?.cvss_v3 != null + ignore_empty_value: true + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Microsoft + - rename: + field: json.cvssVector + tag: rename_cvssVector + target_field: m365_defender.vulnerability.cvss_vector + ignore_missing: true + - rename: + field: json.description + tag: rename_description + target_field: m365_defender.vulnerability.description + ignore_missing: true + - set: + field: vulnerability.description + tag: set_vulnerability_description_from_vulnerability_description + copy_from: m365_defender.vulnerability.description + ignore_empty_value: true + - set: + field: message + tag: set_message_from_vulnerability_description + copy_from: m365_defender.vulnerability.description + ignore_empty_value: true + - grok: + field: message + tag: grok_message_to_extract_vulnerability_title_impact_remediation_and_fixed_version + patterns: + # remediation version is present + - 'Summary: %{DATA:vulnerability.title} Impact: %{DATA:m365_defender.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? Remediation: (?%{DATA}(?\d+(?:[.-]\d+)+)%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' + # remediation version is not present + - 'Summary: %{DATA:vulnerability.title} Impact: %{DATA:m365_defender.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? 
Remediation: (?%{DATA}%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' + ignore_failure: true + - convert: + field: json.epss + tag: convert_epss_to_double + target_field: m365_defender.vulnerability.epss + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.exploitInKit + tag: convert_exploitInKit_to_boolean + target_field: m365_defender.vulnerability.exploit_in_kit + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.exploitTypes + tag: rename_exploitTypes + target_field: m365_defender.vulnerability.exploit_types + ignore_missing: true + - rename: + field: json.exploitUris + tag: rename_exploitUris + target_field: m365_defender.vulnerability.exploit_uris + ignore_missing: true + - convert: + field: json.exploitVerified + tag: convert_exploitVerified_to_boolean + target_field: m365_defender.vulnerability.exploit_verified + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.exposedMachines + tag: convert_exposedMachines_to_long + target_field: m365_defender.vulnerability.exposed_machines + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.firstDetected + tag: date_firstDetected + target_field: m365_defender.vulnerability.first_detected + formats: + - ISO8601 + if: ctx.json?.firstDetected != null && ctx.json.firstDetected != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.id + tag: rename_id + target_field: m365_defender.vulnerability.id + ignore_missing: true + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_vulnerability_id + copy_from: m365_defender.vulnerability.id + ignore_empty_value: true + - set: + field: event.id + tag: set_event_id_from_vulnerability_id + value: '{{{vulnerability.id}}}-{{{_ingest.timestamp}}}' + if: ctx.event?.id == null && ctx.vulnerability?.id != null + - set: + field: vulnerability.reference + tag: set_vulnerability_reference_from_vulnerability_id + value: https://www.cve.org/CVERecord?id={{{vulnerability.id}}} + if: ctx.vulnerability?.id != null && ctx.vulnerability.id.contains('CVE') + - script: + description: Dynamically set cve.enumeration values. 
+ tag: script_map_vulnerability_id + lang: painless + if: ctx.vulnerability?.id != null + params: + vulnerability_enumeration: + - CVE + - TVM + source: | + String vulnerability_id = ctx.m365_defender.vulnerability.id.toUpperCase(); + for (String enum: params.vulnerability_enumeration) { + if (vulnerability_id.contains(enum)) { + ctx.vulnerability.put('enumeration', enum); + return; + } + } + - rename: + field: json.name + tag: rename_name + target_field: m365_defender.vulnerability.name + ignore_missing: true + - date: + field: json.patchFirstAvailable + tag: date_patchFirstAvailable + target_field: m365_defender.vulnerability.patch_first_available + formats: + - ISO8601 + if: ctx.json?.patchFirstAvailable != null && ctx.json.patchFirstAvailable != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.publicExploit + tag: convert_publicExploit_to_boolean + target_field: m365_defender.vulnerability.public_exploit + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.publishedOn + tag: date_publishedOn + target_field: m365_defender.vulnerability.published_on + formats: + - ISO8601 + if: ctx.json?.publishedOn != null && ctx.json.publishedOn != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.published_date + tag: 
set_vulnerability_published_date_from_vulnerability_published_on + copy_from: m365_defender.vulnerability.published_on + ignore_empty_value: true + - rename: + field: json.severity + tag: rename_severity + target_field: m365_defender.vulnerability.severity + ignore_missing: true + - set: + field: vulnerability.severity + tag: set_vulnerability_severity_from_vulnerability_severity + copy_from: m365_defender.vulnerability.severity + ignore_empty_value: true + - rename: + field: json.tags + tag: rename_tags + target_field: m365_defender.vulnerability.tags + ignore_missing: true + - date: + field: json.updatedOn + tag: date_updatedOn + target_field: m365_defender.vulnerability.updated_on + formats: + - ISO8601 + if: ctx.json?.updatedOn != null && ctx.json.updatedOn != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: + - m365_defender.vulnerability.affected_machine.computer_dns_name + - m365_defender.vulnerability.affected_machine.last_external_ip_address + - m365_defender.vulnerability.affected_machine.machine_id + - m365_defender.vulnerability.affected_machine.os_platform + - m365_defender.vulnerability.affected_machine.os_processor + - m365_defender.vulnerability.affected_machine.product_name + - m365_defender.vulnerability.affected_machine.product_version + - m365_defender.vulnerability.affected_machine.rbac_group_id + - m365_defender.vulnerability.affected_machine.rbac_group_name + - m365_defender.vulnerability.affected_machine.risk_score + - m365_defender.vulnerability.affected_machine.version + - m365_defender.vulnerability.cvss_v3 + - m365_defender.vulnerability.description + - m365_defender.vulnerability.id + - m365_defender.vulnerability.severity + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || 
!ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/m365_defender/data_stream/vulnerability/fields/base-fields.yml b/packages/m365_defender/data_stream/vulnerability/fields/base-fields.yml new file mode 100644 index 00000000000..5dc2af0e38e --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: m365_defender +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: m365_defender.vulnerability +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/m365_defender/data_stream/vulnerability/fields/beats.yml b/packages/m365_defender/data_stream/vulnerability/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/m365_defender/data_stream/vulnerability/fields/fields.yml b/packages/m365_defender/data_stream/vulnerability/fields/fields.yml new file mode 100644 index 00000000000..b5bf9241007 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/fields/fields.yml 
@@ -0,0 +1,179 @@ +- name: m365_defender + type: group + fields: + - name: vulnerability + type: group + fields: + - name: affected_machine + type: group + fields: + - name: aad_device_id + type: keyword + description: Microsoft Entra Device ID (when machine is Microsoft Entra joined). + - name: agent_version + type: keyword + - name: computer_dns_name + type: keyword + description: Machine fully qualified name. + - name: device_value + type: keyword + description: 'The value of the device. Possible values are: Normal, Low, and High.' + - name: exclusion_reason + type: keyword + - name: exposure_level + type: keyword + description: 'Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High.' + - name: first_seen + type: date + description: First date and time where the machine was observed by Microsoft Defender for Endpoint. + - name: fixing_kb_id + type: keyword + - name: health_status + type: keyword + description: 'machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown.' + - name: id + type: keyword + - name: ip_addresses + type: group + fields: + - name: ip_address + type: ip + - name: mac_address + type: keyword + - name: operational_status + type: keyword + - name: type + type: keyword + - name: is_aad_joined + type: boolean + - name: is_excluded + type: boolean + - name: is_potential_duplication + type: boolean + - name: last_external_ip_address + type: ip + description: Last IP through which the machine accessed the internet. + - name: last_ip_address + type: ip + description: Last IP on local NIC on the machine. + - name: last_seen + type: date + description: 'Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn''t correspond to the last seen value in the UI. It pertains to the last device update.' 
+ - name: machine_id + type: keyword + description: Machine identity. + - name: machine_tags + type: keyword + description: Set of machine tags. + - name: managed_by + type: keyword + - name: managed_by_status + type: keyword + - name: merged_into_machine_id + type: keyword + - name: onboarding_status + type: keyword + description: 'Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo.' + - name: os_architecture + type: keyword + description: 'Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor.' + - name: os_build + type: long + description: Operating system build number. + - name: os_platform + type: keyword + description: Operating system platform. + - name: os_processor + type: keyword + description: Operating system processor. Use osArchitecture property instead. + - name: os_version + type: keyword + - name: product_name + type: keyword + - name: product_vendor + type: keyword + - name: product_version + type: keyword + - name: rbac_group_id + type: keyword + description: Machine group ID. + - name: rbac_group_name + type: keyword + description: Machine group Name. + - name: risk_score + type: keyword + description: 'Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High.' + - name: severity + type: keyword + - name: version + type: keyword + description: Operating system version. + - name: vmMetadata + type: group + fields: + - name: cloud_provider + type: keyword + - name: resource_id + type: keyword + - name: subscription_id + type: keyword + - name: vm_id + type: keyword + - name: cve_supportability + type: keyword + description: 'Possible values are: Supported, Not Supported, or SupportedInPremium.' + - name: cvss_v3 + type: double + description: CVSS v3 score. 
+ - name: cvss_vector + type: keyword + description: A compressed textual representation that reflects the values used to derive the score. + - name: description + type: keyword + description: Vulnerability description. + - name: epss + type: double + description: Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. + - name: exploit_in_kit + type: boolean + description: Exploit is part of an exploit kit. + - name: exploit_types + type: keyword + description: 'Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local.' + - name: exploit_uris + type: keyword + description: Exploit source URLs. + - name: exploit_verified + type: boolean + description: Exploit is verified to work. + - name: exposed_machines + type: long + description: Number of exposed devices. + - name: first_detected + type: date + - name: id + type: keyword + description: Vulnerability ID. + - name: impact + type: keyword + - name: name + type: keyword + description: Vulnerability title. + - name: patch_first_available + type: date + - name: public_exploit + type: boolean + description: Public exploit exists. + - name: published_on + type: date + description: Date when vulnerability was published. + - name: remediation + type: keyword + - name: severity + type: keyword + description: 'Vulnerability Severity. Possible values are: Low, Medium, High, or Critical.' + - name: tags + type: keyword + - name: updated_on + type: date + description: Date when vulnerability was updated. diff --git a/packages/m365_defender/data_stream/vulnerability/fields/package.yml b/packages/m365_defender/data_stream/vulnerability/fields/package.yml new file mode 100644 index 00000000000..1c2032e9777 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/fields/package.yml 
@@ -0,0 +1,11 @@ +- name: package + type: group + fields: + - name: fixed_version + type: keyword + - name: name + type: keyword + external: ecs + - name: version + type: keyword + external: ecs \ No newline at end of file diff --git a/packages/m365_defender/data_stream/vulnerability/fields/resource.yml b/packages/m365_defender/data_stream/vulnerability/fields/resource.yml new file mode 100644 index 00000000000..2a1cc8f3611 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/fields/resource.yml @@ -0,0 +1,7 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword \ No newline at end of file diff --git a/packages/m365_defender/data_stream/vulnerability/fields/vulnerability.yml b/packages/m365_defender/data_stream/vulnerability/fields/vulnerability.yml new file mode 100644 index 00000000000..f77e5febef1 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/fields/vulnerability.yml @@ -0,0 +1,7 @@ +- name: vulnerability + type: group + fields: + - name: published_date + type: date + - name: title + type: keyword \ No newline at end of file diff --git a/packages/m365_defender/data_stream/vulnerability/lifecycle.yml b/packages/m365_defender/data_stream/vulnerability/lifecycle.yml new file mode 100644 index 00000000000..3fe3776ec1f --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "7d" diff --git a/packages/m365_defender/data_stream/vulnerability/manifest.yml b/packages/m365_defender/data_stream/vulnerability/manifest.yml new file mode 100644 index 00000000000..7513004c22a --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/manifest.yml 
@@ -0,0 +1,84 @@ +title: Collect Vulnerability logs from M365 Defender. +type: logs +ilm_policy: logs-m365_defender.vulnerability-default_policy +streams: + - input: cel + title: M365 Defender Vulnerabilities + description: Collect M365 Defender Vulnerabilities logs. + enabled: false + template_path: cel.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the M365 Defender Vulnerability API. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 4h + - name: batch_size + type: integer + title: Batch Size + description: Specifies how many records to return in a single request of the M365 Defender Vulnerability API. + multi: false + required: true + show_user: false + default: 8000 + - name: affected_machines_only + type: bool + title: Collect vulnerabilities from affected machines only + description: Collect only vulnerabilities that have at least one affected machine. Vulnerabilities without any affected machines will not be ingested. + show_user: true + required: false + default: true + - name: enable_request_tracer + type: bool + title: Enable request tracing + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + multi: false + default: false + required: false + show_user: false + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field event.original. + multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. 
+ multi: true + required: true + show_user: false + default: + - forwarded + - m365_defender-vulnerability + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve m365_defender.vulnerability.* fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. + \ No newline at end of file diff --git a/packages/m365_defender/data_stream/vulnerability/sample_event.json b/packages/m365_defender/data_stream/vulnerability/sample_event.json new file mode 100644 index 00000000000..26defc538f3 --- /dev/null +++ b/packages/m365_defender/data_stream/vulnerability/sample_event.json 
@@ -0,0 +1,172 @@ +{ + "@timestamp": "2025-05-27T10:44:59.658Z", + "agent": { + "ephemeral_id": "5f1f16e8-9234-4c2f-8497-bcbf282d23f5", + "id": "f145b2f6-c9f6-40bb-ba86-40ed3894824a", + "name": "elastic-agent-85182", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "m365_defender.vulnerability", + "namespace": "42235", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "f145b2f6-c9f6-40bb-ba86-40ed3894824a", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "m365_defender.vulnerability", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_--2025-05-27T10:45:00.675702254Z", + "ingested": "2025-05-27T10:45:00Z", + "kind": "event", + "original": "{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test 
tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "id": "94819846155826828d1603b913c67fe336d81295", + "ip": [ + "1.128.0.0" + ], + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "os": { + "name": "Ubuntu 20.4", + "platform": "Ubuntu", + "type": "linux", + "version": "20.4" + }, + "risk": { + "calculated_level": "None" + } + }, + "input": { + "type": "cel" + }, + "m365_defender": { + "vulnerability": { + "affected_machine": { + "agent_version": "30.124092.2.0", + "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "device_value": "Normal", + "exposure_level": "Low", + "first_seen": "2025-01-08T13:05:05.348Z", + "health_status": "Inactive", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", + "ip_addresses": [ + { + "ip_address": "216.160.83.56", + "mac_address": "00-0C-29-10-F1-DA", + "operational_status": "Up", + "type": "Other" + } + ], + "is_aad_joined": false, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "1.128.0.0", + "last_ip_address": "175.16.199.0", + "last_seen": "2025-01-08T13:15:03.694Z", + "machine_id": "94819846155826828d1603b913c67fe336d81295", + "machine_tags": [ + "test tag" + ], + "managed_by": "MicrosoftDefenderForEndpoint", + "managed_by_status": "Success", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 6, + "os_platform": 
"Ubuntu", + "os_processor": "x64", + "product_name": "edge_chromium-based", + "product_vendor": "microsoft", + "product_version": "134.0.3124.72", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "Medium", + "version": "20.4" + }, + "cve_supportability": "Supported", + "cvss_v3": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "epss": 0.00111, + "exploit_in_kit": false, + "exploit_verified": false, + "exposed_machines": 2, + "first_detected": "2025-04-01T19:52:39.000Z", + "id": "CVE-2025-3074", + "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", + "name": "CVE-2025-3074", + "public_exploit": false, + "published_on": "2025-04-01T00:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "Medium", + "tags": [ + "test" + ], + "updated_on": "2025-04-08T00:00:00.000Z" + } + }, + "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "edge_chromium-based", + "version": "134.0.3124.72" + }, + "related": { + "hosts": [ + "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "94819846155826828d1603b913c67fe336d81295" + ], + "ip": [ + "216.160.83.56", + "1.128.0.0", + "175.16.199.0" + ] + }, + "resource": { + "id": "94819846155826828d1603b913c67fe336d81295", + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "m365_defender-vulnerability" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-3074", + "published_date": "2025-04-01T00:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.5 + }, + "severity": "Medium", + "title": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website." + } +} diff --git a/packages/m365_defender/docs/README.md b/packages/m365_defender/docs/README.md index eef0c9ee7d1..df7560e8468 100644 --- a/packages/m365_defender/docs/README.md +++ b/packages/m365_defender/docs/README.md 
@@ -2,20 +2,15 @@ ## Overview -The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Alert, Incident (Microsoft Graph Security API) and Event (Streaming API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. +The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Alert, Incident (Microsoft Graph Security API), Event (Streaming API) Logs, and Vulnerability (Microsoft Defender for Endpoint API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. -Use the Microsoft 365 Defender integration to collect and parse data from the Microsoft Azure Event Hub, and the Microsoft Graph Security v1.0 REST API. Then visualise that data in Kibana. +Use the Microsoft 365 Defender integration to collect and parse data from the Microsoft Azure Event Hub, Microsoft Graph Security v1.0 REST API, and the Micrsoft Defender Endpoint API. Then visualise that data in Kibana. -For example, you could use the data from this integration to consolidate and correlate security alerts from multiple sources. Also, by looking into the alert and incident, a user can take an appropriate action in the Microsoft 365 Defender Portal. - -## Agentless Enabled Integration -Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. 
For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). - -Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. +For example, you could use the data from this integration to consolidate and correlate security alerts from multiple sources. Also, by looking into the alert, incident, and vulnerability a user can take an appropriate action in the Microsoft 365 Defender Portal. ## Data streams -The Microsoft 365 Defender integration collects logs for three types of events: Alert, Event, and Incident. +The Microsoft 365 Defender integration collects logs for four types of events: Alert, Event, Incident, and Vulnerability. **Alert:** This data streams leverages the [Microsoft Graph Security API](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) to collect alerts including suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. 
@@ -23,53 +18,88 @@ The Microsoft 365 Defender integration collects logs for three types of events: **Incidents and Alerts (Recommended):** This data streams leverages the [Microsoft Graph Security API](https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0) to ingest a collection of correlated alert instances and associated metadata that reflects the story of an attack in M365D. Incidents stemming from Microsoft 365 Defender, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Purview Data Loss Prevention are supported by this integration. +**Vulnerability:** This data stream uses the [Microsoft Defender for Endpoint API](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) to gather vulnerability details by fetching data from three different endpoints — [vulnerabilities](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities), [machines](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines), and [software/products](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities-by-machines). The collected data is then correlated and mapped to generate a single, enriched log per vulnerability, providing a clear view of risks across machines and installed software in your environment. + ## Requirements You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. -This module has used **Microsoft Azure Event Hub** for Streaming Event, and **Microsoft Graph Security v1.0 REST API** for Incident data stream. 
+This module has used **Microsoft Azure Event Hub** for Streaming Event, **Microsoft Graph Security v1.0 REST API** for Incident data stream and **Microsoft Defender for Endpoint API** for Vulnerability data stream. For **Event**, using filebeat's [Azure Event Hub](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-eventhub.html) input, state such as leases on partitions and checkpoints in the event stream are shared between receivers using an Azure Storage container. For this reason, as a prerequisite to using this input, users will have to create or use an existing storage account. -## Compatibility +### Agentless enabled integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. -- Supported Microsoft 365 Defender streaming event types have been supported in the current integration version: +### Agent-based installation - | Resource types | Description | - |---------------------------|---------------------------| - | AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts. | - | AlertInfo | Alerts from M365 Defender XDR services, including severity and threat categorization. | - | DeviceEvents | Event types, including events triggered by security controls. 
| - | DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints. | - | DeviceFileEvents | File creation, modification, and other file system events. | - | DeviceImageLoadEvents | DLL loading events. | - | DeviceInfo | Machine information, including OS information. | - | DeviceLogonEvents | Sign-ins and other authentication events on devices. | - | DeviceNetworkEvents | Network connection and related events. | - | DeviceNetworkInfo | Network properties of devices, as well as connected networks and domains. | - | DeviceProcessEvents | Process creation and related events. | - | DeviceRegistryEvents | Creation and modification of registry entries. | - | EmailAttachmentInfo | Information about files attached to emails. | - | EmailEvents | Microsoft 365 email events, including email delivery and blocking events. | - | EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox. | - | EmailUrlInfo | Information about URLs in emails. | - | IdentityInfo | Account information from various sources, including Microsoft Entra ID. | - | IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services. | - | IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains. | - | IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. | - | CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services. | - | UrlClickEvent | Safe Links clicks from email messages, Teams, and Office 365 apps. | +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). 
You can install only one Elastic Agent per host. + +## Compatibility +### This integration supports below API versions to collect data. + - [Microsoft Graph Security v1.0 REST API](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) + - [M365 Defender Streaming API](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide) + Supported Microsoft 365 Defender streaming event types: + | Resource types | Description | + |---------------------------|---------------------------| + | AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts. | + | AlertInfo | Alerts from M365 Defender XDR services, including severity and threat categorization. | + | DeviceEvents | Event types, including events triggered by security controls. | + | DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints. | + | DeviceFileEvents | File creation, modification, and other file system events. | + | DeviceImageLoadEvents | DLL loading events. | + | DeviceInfo | Machine information, including OS information. | + | DeviceLogonEvents | Sign-ins and other authentication events on devices. | + | DeviceNetworkEvents | Network connection and related events. | + | DeviceNetworkInfo | Network properties of devices, as well as connected networks and domains. | + | DeviceProcessEvents | Process creation and related events. | + | DeviceRegistryEvents | Creation and modification of registry entries. | + | EmailAttachmentInfo | Information about files attached to emails. | + | EmailEvents | Microsoft 365 email events, including email delivery and blocking events. | + | EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox. | + | EmailUrlInfo | Information about URLs in emails. 
| + | IdentityInfo | Account information from various sources, including Microsoft Entra ID. | + | IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services. | + | IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains. | + | IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. | + | CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services. | + | UrlClickEvent | Safe Links clicks from email messages, Teams, and Office 365 apps. | + - [Microsoft Defender for Endpoint API](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) + - [Vulnerabilities API](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities) (Last updated On 04/25/2024) + - [Machines API](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines) (Last updated On 03/01/2025) + - [software/products API](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities-by-machines) (Last updated On 04/25/2024) ## Setup -### To collect data from Microsoft Azure Event Hub, follow the below steps: -1. [Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide). +### Follow the steps below to configure data collection from Microsoft sources: + +### 1. Collecting Data from Microsoft Azure Event Hub +- [Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide). -### To collect data from Microsoft Graph Security v1.0 REST API, follow the below steps: +### 2. 
Collecting Data from Microsoft Graph Security v1.0 REST API (for Incidents & Alerts) +- [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0). +- Assign the required permission: **SecurityIncident.Read.All**. See more details [here](https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0). +- Once the application is registered, note the following values for use during configuration: + - Client ID + - Client Secret + - Tenant ID -1. [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0). -2. Permission required for accessing Incident API would be **SecurityIncident.Read.All**. See more details [here](https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0) -3. After the application has been created, it will generate Client ID, Client Secret and Tenant ID values that are required for alert and incident data collection. +### 3. Collecting Data from Microsoft Defender for Endpoint API (for Vulnerabilities) +- [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0). +- Assign the required permissions: + - **Vulnerability.Read.All** See more details [here](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities#permissions). + - **Machine.Read.All** See more details [here](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines#permissions). +- After registration, retrieve the following credentials needed for configuration: + - Client ID + - Client Secret + - Tenant ID + +### Data Retention and ILM Configuration +A full sync pulls in a large volume of data, which can lead to storage issues or index overflow over time. To avoid this, we’ve set up an Index Lifecycle Management (ILM) policy that automatically deletes data older than 7 days. This helps keep storage usage under control. 
+ +> **Note:** The user or service account associated with the integration must have the following **index privileges** on the relevant index have the following permissions `delete`, `delete_index` ## Alert severity mapping 
@@ -1464,3 +1494,271 @@ An example event for `incident` looks as following: | m365_defender.incident.web_url.scheme | | keyword | | m365_defender.incident.web_url.username | | keyword | + +### vulnerability + +This is the `vulnerability` dataset. + +#### Example + +An example event for `vulnerability` looks as following: + +```json +{ + "@timestamp": "2025-05-27T10:44:59.658Z", + "agent": { + "ephemeral_id": "5f1f16e8-9234-4c2f-8497-bcbf282d23f5", + "id": "f145b2f6-c9f6-40bb-ba86-40ed3894824a", + "name": "elastic-agent-85182", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "m365_defender.vulnerability", + "namespace": "42235", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "f145b2f6-c9f6-40bb-ba86-40ed3894824a", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "m365_defender.vulnerability", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_--2025-05-27T10:45:00.675702254Z", + "ingested": "2025-05-27T10:45:00Z", + "kind": "event", + "original": 
"{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. 
Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "id": "94819846155826828d1603b913c67fe336d81295", + "ip": [ + "1.128.0.0" + ], + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "os": { + "name": "Ubuntu 20.4", + "platform": "Ubuntu", + "type": "linux", + "version": "20.4" + }, + "risk": { + "calculated_level": "None" + } + }, + "input": { + "type": "cel" + }, + "m365_defender": { + "vulnerability": { + "affected_machine": { + "agent_version": "30.124092.2.0", + "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "device_value": "Normal", + "exposure_level": "Low", + "first_seen": "2025-01-08T13:05:05.348Z", + "health_status": "Inactive", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", + "ip_addresses": [ + { + "ip_address": "216.160.83.56", + "mac_address": "00-0C-29-10-F1-DA", + "operational_status": "Up", + "type": "Other" + } + ], + "is_aad_joined": false, + 
"is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "1.128.0.0", + "last_ip_address": "175.16.199.0", + "last_seen": "2025-01-08T13:15:03.694Z", + "machine_id": "94819846155826828d1603b913c67fe336d81295", + "machine_tags": [ + "test tag" + ], + "managed_by": "MicrosoftDefenderForEndpoint", + "managed_by_status": "Success", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 6, + "os_platform": "Ubuntu", + "os_processor": "x64", + "product_name": "edge_chromium-based", + "product_vendor": "microsoft", + "product_version": "134.0.3124.72", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "Medium", + "version": "20.4" + }, + "cve_supportability": "Supported", + "cvss_v3": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "epss": 0.00111, + "exploit_in_kit": false, + "exploit_verified": false, + "exposed_machines": 2, + "first_detected": "2025-04-01T19:52:39.000Z", + "id": "CVE-2025-3074", + "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", + "name": "CVE-2025-3074", + "public_exploit": false, + "published_on": "2025-04-01T00:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "Medium", + "tags": [ + "test" + ], + "updated_on": "2025-04-08T00:00:00.000Z" + } + }, + "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "edge_chromium-based", + "version": "134.0.3124.72" + }, + "related": { + "hosts": [ + "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "94819846155826828d1603b913c67fe336d81295" + ], + "ip": [ + "216.160.83.56", + "1.128.0.0", + "175.16.199.0" + ] + }, + "resource": { + "id": "94819846155826828d1603b913c67fe336d81295", + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "m365_defender-vulnerability" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-3074", + "published_date": "2025-04-01T00:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.5 + }, + "severity": "Medium", + "title": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website." + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| m365_defender.vulnerability.affected_machine.aad_device_id | Microsoft Entra Device ID (when machine is Microsoft Entra joined). | keyword | +| m365_defender.vulnerability.affected_machine.agent_version | | keyword | +| m365_defender.vulnerability.affected_machine.computer_dns_name | Machine fully qualified name. | keyword | +| m365_defender.vulnerability.affected_machine.device_value | The value of the device. Possible values are: Normal, Low, and High. | keyword | +| m365_defender.vulnerability.affected_machine.exclusion_reason | | keyword | +| m365_defender.vulnerability.affected_machine.exposure_level | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High. 
| keyword | +| m365_defender.vulnerability.affected_machine.first_seen | First date and time where the machine was observed by Microsoft Defender for Endpoint. | date | +| m365_defender.vulnerability.affected_machine.fixing_kb_id | | keyword | +| m365_defender.vulnerability.affected_machine.health_status | machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown. | keyword | +| m365_defender.vulnerability.affected_machine.id | | keyword | +| m365_defender.vulnerability.affected_machine.ip_addresses.ip_address | | ip | +| m365_defender.vulnerability.affected_machine.ip_addresses.mac_address | | keyword | +| m365_defender.vulnerability.affected_machine.ip_addresses.operational_status | | keyword | +| m365_defender.vulnerability.affected_machine.ip_addresses.type | | keyword | +| m365_defender.vulnerability.affected_machine.is_aad_joined | | boolean | +| m365_defender.vulnerability.affected_machine.is_excluded | | boolean | +| m365_defender.vulnerability.affected_machine.is_potential_duplication | | boolean | +| m365_defender.vulnerability.affected_machine.last_external_ip_address | Last IP through which the machine accessed the internet. | ip | +| m365_defender.vulnerability.affected_machine.last_ip_address | Last IP on local NIC on the machine. | ip | +| m365_defender.vulnerability.affected_machine.last_seen | Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn't correspond to the last seen value in the UI. It pertains to the last device update. | date | +| m365_defender.vulnerability.affected_machine.machine_id | Machine identity. | keyword | +| m365_defender.vulnerability.affected_machine.machine_tags | Set of machine tags. 
| keyword | +| m365_defender.vulnerability.affected_machine.managed_by | | keyword | +| m365_defender.vulnerability.affected_machine.managed_by_status | | keyword | +| m365_defender.vulnerability.affected_machine.merged_into_machine_id | | keyword | +| m365_defender.vulnerability.affected_machine.onboarding_status | Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo. | keyword | +| m365_defender.vulnerability.affected_machine.os_architecture | Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor. | keyword | +| m365_defender.vulnerability.affected_machine.os_build | Operating system build number. | long | +| m365_defender.vulnerability.affected_machine.os_platform | Operating system platform. | keyword | +| m365_defender.vulnerability.affected_machine.os_processor | Operating system processor. Use osArchitecture property instead. | keyword | +| m365_defender.vulnerability.affected_machine.os_version | | keyword | +| m365_defender.vulnerability.affected_machine.product_name | | keyword | +| m365_defender.vulnerability.affected_machine.product_vendor | | keyword | +| m365_defender.vulnerability.affected_machine.product_version | | keyword | +| m365_defender.vulnerability.affected_machine.rbac_group_id | Machine group ID. | keyword | +| m365_defender.vulnerability.affected_machine.rbac_group_name | Machine group Name. | keyword | +| m365_defender.vulnerability.affected_machine.risk_score | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High. | keyword | +| m365_defender.vulnerability.affected_machine.severity | | keyword | +| m365_defender.vulnerability.affected_machine.version | Operating system version. 
| keyword | +| m365_defender.vulnerability.affected_machine.vmMetadata.cloud_provider | | keyword | +| m365_defender.vulnerability.affected_machine.vmMetadata.resource_id | | keyword | +| m365_defender.vulnerability.affected_machine.vmMetadata.subscription_id | | keyword | +| m365_defender.vulnerability.affected_machine.vmMetadata.vm_id | | keyword | +| m365_defender.vulnerability.cve_supportability | Possible values are: Supported, Not Supported, or SupportedInPremium. | keyword | +| m365_defender.vulnerability.cvss_v3 | CVSS v3 score. | double | +| m365_defender.vulnerability.cvss_vector | A compressed textual representation that reflects the values used to derive the score. | keyword | +| m365_defender.vulnerability.description | Vulnerability description. | keyword | +| m365_defender.vulnerability.epss | Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. | double | +| m365_defender.vulnerability.exploit_in_kit | Exploit is part of an exploit kit. | boolean | +| m365_defender.vulnerability.exploit_types | Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local. | keyword | +| m365_defender.vulnerability.exploit_uris | Exploit source URLs. | keyword | +| m365_defender.vulnerability.exploit_verified | Exploit is verified to work. | boolean | +| m365_defender.vulnerability.exposed_machines | Number of exposed devices. | long | +| m365_defender.vulnerability.first_detected | | date | +| m365_defender.vulnerability.id | Vulnerability ID. | keyword | +| m365_defender.vulnerability.impact | | keyword | +| m365_defender.vulnerability.name | Vulnerability title. | keyword | +| m365_defender.vulnerability.patch_first_available | | date | +| m365_defender.vulnerability.public_exploit | Public exploit exists. | boolean | +| m365_defender.vulnerability.published_on | Date when vulnerability was published. 
| date | +| m365_defender.vulnerability.remediation | | keyword | +| m365_defender.vulnerability.severity | Vulnerability Severity. Possible values are: Low, Medium, High, or Critical. | keyword | +| m365_defender.vulnerability.tags | | keyword | +| m365_defender.vulnerability.updated_on | Date when vulnerability was updated. | date | +| package.fixed_version | | keyword | +| package.name | Package name | keyword | +| package.version | Package version | keyword | +| resource.id | | keyword | +| resource.name | | keyword | +| vulnerability.published_date | | date | +| vulnerability.title | | keyword | + diff --git a/packages/m365_defender/img/m365-defender-vulnerability.png b/packages/m365_defender/img/m365-defender-vulnerability.png new file mode 100644 index 00000000000..befc0410b5a Binary files /dev/null and b/packages/m365_defender/img/m365-defender-vulnerability.png differ diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json index 56eae6d4da1..0afcee8ea87 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json 
@@ -3,8 +3,87 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"d218fe98-720c-4475-b679-38ebec3e5ecb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d218fe98-720c-4475-b679-38ebec3e5ecb\",\"fieldName\":\"event.severity\",\"title\":\"Severity\",\"enhancements\":{}}},\"f8f04068-22e1-41e8-b1a1-0786df2a0d10\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"f8f04068-22e1-41e8-b1a1-0786df2a0d10\",\"fieldName\":\"host.name\",\"title\":\"Hostname\",\"enhancements\":{}}},\"0a666826-2535-479f-bfc7-55f386ebc9fc\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"0a666826-2535-479f-bfc7-55f386ebc9fc\",\"fieldName\":\"user.name\",\"title\":\"Username\",\"enhancements\":{}}},\"0c0c21f4-2b5b-4945-bde3-de61ee7c1c22\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"0c0c21f4-2b5b-4945-bde3-de61ee7c1c22\",\"fieldName\":\"m365_defender.event.alert.category\",\"title\":\"Alert Category\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "534738ec-8737-44ca-892b-9ebeae8a5206": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.name", + "id": "534738ec-8737-44ca-892b-9ebeae8a5206", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Hostname" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "bd14990b-e404-4c63-a107-fe338183f846": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": 
"user.name", + "id": "bd14990b-e404-4c63-a107-fe338183f846", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Username" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "e84ad14d-6f5c-4dce-8693-5294ebae8ad1": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.severity", + "id": "e84ad14d-6f5c-4dce-8693-5294ebae8ad1", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "ff486caf-f06e-47c4-a451-1d21575d19e2": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.event.alert.category", + "id": "ff486caf-f06e-47c4-a451-1d21575d19e2", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Alert Category" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "Overview of Microsoft 365 Defender Alert Events.", "kibanaSavedObjectMeta": { @@ -26,7 +105,11 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "hidePanelTitles": false, "savedVis": { "data": { 
@@ -43,7 +126,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n**[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c)** \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Description\n\nThis dashboard visualizes Alert type events according to the [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream.\n\nThe supported event types are:\n- AdvancedHunting-AlertEvidence\n- AdvancedHunting-AlertInfo\n\n", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n**Alert Events** \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Rest API Datastream \n[Vulnerability](#/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n#### Description\n\nThis dashboard visualizes Alert type events according to the [Microsoft 
Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream.\n\nThe supported event types are:\n- AdvancedHunting-AlertEvidence\n- AdvancedHunting-AlertInfo\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n\n", "openLinksInNewTab": false }, "title": "", @@ -60,8 +143,7 @@ }, "panelIndex": "709e2e0c-aff3-433c-bc03-3fc62f033873", "title": "Table of Contents", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -104,6 +186,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -277,8 +360,7 @@ }, "panelIndex": "f7f48432-a963-4c54-860d-8a33a26940c5", "title": "High Severity Count", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -321,6 +403,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -494,8 +577,7 @@ }, "panelIndex": "a1fef86c-50fd-4344-a17b-1f52c2ab387c", "title": "Medium Severity Count", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -538,6 +620,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -711,8 +794,7 @@ }, "panelIndex": "ab38b1be-424f-42fe-9eb3-f82a07760836", "title": "Low Severity Count", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -755,6 +837,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -894,8 +977,7 @@ }, "panelIndex": "94a17c51-33de-4974-bfc0-36895c851ccf", "title": "Informational Severity Count", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -938,6 +1020,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } 
@@ -1045,8 +1128,7 @@ }, "panelIndex": "95ac17ce-7f9e-459b-bd6c-ca7b7d4fc866", "title": "Unique Host Count", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1254,8 +1336,7 @@ }, "panelIndex": "ed37facb-6a06-448e-8b27-33a266d36ede", "title": "Severity of Alerts Over Time", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1432,8 +1513,7 @@ }, "panelIndex": "17575d40-8cb8-4a3e-bc13-b8ef8a09123f", "title": "Distribution of Alert Events by Category", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1633,8 +1713,7 @@ }, "panelIndex": "b8b9e1dc-f5e5-4cb4-b935-6f6bc8deeb45", "title": "Distribution of Alert Events by Category", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1806,8 +1885,7 @@ }, "panelIndex": "1bdac8c4-40d5-4256-9678-d0be8da4e90f", "title": "Distribution of Alert Events by Entity Type", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1979,8 +2057,7 @@ }, "panelIndex": "b36c4cb0-fb8d-4587-9175-e8993c4345f2", "title": "Distribution of Alert Events by AlertEvidence Category", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2151,8 +2228,7 @@ }, "panelIndex": "425863c5-767c-46b4-a8d5-f3457813c1c5", "title": "Distribution of Alert Events by Service Source", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2323,8 +2399,7 @@ }, "panelIndex": "63038c1f-4fc2-4223-8093-1d531dcebf55", "title": "Distribution of Alert Events by Evidence Role", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2505,8 +2580,7 @@ }, "panelIndex": "f7b0e2ea-30a7-4ea8-84a4-ea258a438dd0", "title": "Distribution of Alert Events by Detection Source", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -2673,8 +2747,7 @@ }, "panelIndex": "aee72ecd-3e85-473d-ae8e-a4b8c30eb35b", "title": "Top 10 Attack Techniques Used", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2842,8 +2915,7 @@ }, "panelIndex": "689534bf-7bd5-47c3-b2e4-05ad3e05065c", "title": "Top 10 User with Highest Alert", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -3052,20 +3124,17 @@ }, "panelIndex": "8a6b9b07-4d25-4e16-9d75-7cef9ae0b6d5", "title": "Top 10 Device by Alert Count", - "type": "lens", - "version": "8.7.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Alert Events", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T09:11:03.790Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-2690a440-7235-11ed-8657-c59f6ece834c", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": true, "references": [ { "id": "logs-*", 
@@ -3309,24 +3378,35 @@ }, { "id": "logs-*", - "name": "controlGroup_d218fe98-720c-4475-b679-38ebec3e5ecb:optionsListDataView", + "name": "controlGroup_9798e5d7-7091-4c53-b0bd-8710dea40d25:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_f8f04068-22e1-41e8-b1a1-0786df2a0d10:optionsListDataView", + "name": "controlGroup_614102a1-8cf4-4ff5-922e-3f44d2a23f0d:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_0a666826-2535-479f-bfc7-55f386ebc9fc:optionsListDataView", + "name": "controlGroup_65abf0e3-2af9-492f-9cc8-bde9bf25f632:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_0c0c21f4-2b5b-4945-bde3-de61ee7c1c22:optionsListDataView", + "name": "controlGroup_9be16fea-bc5d-424d-9a18-99ffbad3807a:optionsListDataView", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json index cf15b3d1b3c..24b19d6493b 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c.json 
@@ -3,8 +3,87 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"c08dd0da-2066-4051-9e48-9330cecd79cf\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c08dd0da-2066-4051-9e48-9330cecd79cf\",\"fieldName\":\"m365_defender.event.threat.types\",\"title\":\"Threat Type\",\"enhancements\":{}}},\"e3da88be-2a0e-4df5-9231-4b235e35e372\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"e3da88be-2a0e-4df5-9231-4b235e35e372\",\"fieldName\":\"m365_defender.event.delivery.action\",\"title\":\"Delivery Action\",\"enhancements\":{}}},\"40e768fd-58fd-485d-908f-816fd083d07b\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"40e768fd-58fd-485d-908f-816fd083d07b\",\"fieldName\":\"m365_defender.event.email.action\",\"title\":\"Email Action\",\"enhancements\":{}}},\"c723136d-6842-4824-8a78-20c7376d28a9\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c723136d-6842-4824-8a78-20c7376d28a9\",\"fieldName\":\"email.direction\",\"title\":\"Email Direction\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "462266f4-6e00-4cc8-98c1-f99680e11323": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.event.threat.types", + "id": "462266f4-6e00-4cc8-98c1-f99680e11323", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Threat Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + 
"6c9ef091-b6c7-427f-9a54-e8c0ed58a1c7": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.event.delivery.action", + "id": "6c9ef091-b6c7-427f-9a54-e8c0ed58a1c7", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Delivery Action" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "72bea75c-f16a-4af5-8834-e55d35225ba1": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.event.email.action", + "id": "72bea75c-f16a-4af5-8834-e55d35225ba1", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Email Action" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "a08f3a7c-3f2c-4d38-9325-2dbf39c34163": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "email.direction", + "id": "a08f3a7c-3f2c-4d38-9325-2dbf39c34163", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Email Direction" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "Overview of Microsoft 365 Defender Email Events.", "kibanaSavedObjectMeta": { @@ -26,7 +105,11 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "hidePanelTitles": false, "savedVis": { "data": { 
@@ -43,7 +126,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n**[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c)** \n\n#### Incident Datastream (Graph API) \n\n[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Description\n\nThis dashboard visualizes Email type events according to the [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream. 
\n\nThe supported event types are:\n- AdvancedHunting-EmailAttachmentInfo\n- AdvancedHunting-EmailEvents\n- AdvancedHunting-EmailPostDeliveryEvents\n- AdvancedHunting-EmailUrlInfo\n- AdvancedHunting-UrlClickEvents\n\n", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n**Email Events** \n\n#### Incident Datastream (Graph API) \n\n[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Rest API Datastream \n[Vulnerability](#/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n#### Description\n\nThis dashboard visualizes Email type events according to the [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream. \n\nThe supported event types are:\n- AdvancedHunting-EmailAttachmentInfo\n- AdvancedHunting-EmailEvents\n- AdvancedHunting-EmailPostDeliveryEvents\n- AdvancedHunting-EmailUrlInfo\n- AdvancedHunting-UrlClickEvents\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n", "openLinksInNewTab": false }, "title": "", @@ -60,8 +143,7 @@ }, "panelIndex": "8c2183c4-d577-4aa3-9328-cf6d46e631f7", "title": "Table of Contents", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -297,8 +379,7 @@ }, "panelIndex": "5572c205-4f5b-4ac8-bc7d-695de2ef1321", "title": "Distribution of Email Events by Threat Name", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -526,8 +607,7 @@ }, "panelIndex": "34103476-8fd1-4170-b643-c0f4234d87bc", "title": "Distribution of Email Events by Email Action", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -724,8 +804,7 @@ }, "panelIndex": "37e4845f-8d0a-49c0-8638-ff98d662c7bb", "title": "Distribution of Email Events by Email Direction", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -918,8 +997,7 @@ }, "panelIndex": "fcb067a8-62ac-4774-b7d9-613ee37eae05", "title": "Distribution of Email Events by Threat Type", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1112,8 +1190,7 @@ }, "panelIndex": "089de1f6-3285-40ff-bde9-6e9e97efa3b9", "title": "Distribution of Email Events by Delivery Action", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1306,8 +1383,7 @@ }, "panelIndex": "6939c76b-e05e-41fb-8728-69ce782d3d09", "title": "Distribution of Email Events by Category", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1535,8 +1611,7 @@ }, "panelIndex": "3e82a1c4-532d-46aa-90a1-b4604cc81c54", "title": "Distribution of Email Events by Email Language", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1764,20 +1839,17 @@ }, "panelIndex": "3befe23e-92aa-4170-9cf9-3811301a65ac", "title": "Distribution of Email Events by Delivery Location", - "type": "lens", - "version": "8.7.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Email Events", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T09:12:17.096Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": true, "references": [ { "id": "logs-*", 
@@ -1901,24 +1973,35 @@ }, { "id": "logs-*", - "name": "controlGroup_c08dd0da-2066-4051-9e48-9330cecd79cf:optionsListDataView", + "name": "controlGroup_c6a18219-9d93-4724-a702-0fd35b5da0f2:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_e3da88be-2a0e-4df5-9231-4b235e35e372:optionsListDataView", + "name": "controlGroup_eb3752d3-bcf9-48ea-818d-6efa42cfcf0e:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_40e768fd-58fd-485d-908f-816fd083d07b:optionsListDataView", + "name": "controlGroup_d83fd392-5319-425a-bfeb-86807a4af1ad:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_c723136d-6842-4824-8a78-20c7376d28a9:optionsListDataView", + "name": "controlGroup_c41c460b-fc35-44fd-a04c-14db646b4d64:optionsListDataView", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json index f9a2c14a6f8..37b1eea95e2 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json 
@@ -3,8 +3,85 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"72c489e6-c07a-4c74-8c35-d70b4b4e8ccd\":{\"type\":\"rangeSliderControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"fieldName\":\"event.severity\",\"value\":[\"\",\"\"],\"id\":\"72c489e6-c07a-4c74-8c35-d70b4b4e8ccd\",\"enhancements\":{}}},\"4f83317b-ba18-4a9a-b682-b822f79ee030\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"4f83317b-ba18-4a9a-b682-b822f79ee030\",\"fieldName\":\"m365_defender.incident.status\",\"title\":\"Incident Status\",\"enhancements\":{}}},\"7aef0b74-b368-4a23-a713-02f3fcc672fc\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7aef0b74-b368-4a23-a713-02f3fcc672fc\",\"fieldName\":\"source.user.name\",\"title\":\"Source Username\",\"enhancements\":{}}},\"d4d6a591-6a26-412e-b0bd-9f71329143ba\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d4d6a591-6a26-412e-b0bd-9f71329143ba\",\"fieldName\":\"host.name\",\"title\":\"Hostname\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "1234eaad-5e4c-430a-be4b-3e0d34238030": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.name", + "id": "1234eaad-5e4c-430a-be4b-3e0d34238030", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Hostname" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "2ce725fa-b85b-42de-94ac-0b0bc0569bbb": { + "explicitInput": { + "dataViewId": "logs-*", + 
"fieldName": "source.user.name", + "id": "2ce725fa-b85b-42de-94ac-0b0bc0569bbb", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Source Username" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "8685e6b3-b4d0-4cb5-a8f0-3e307c3d4293": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.incident.status", + "id": "8685e6b3-b4d0-4cb5-a8f0-3e307c3d4293", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Incident Status" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "ba1b2a3b-1660-42f0-90a9-25ef374500de": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.severity", + "id": "ba1b2a3b-1660-42f0-90a9-25ef374500de", + "step": 1, + "value": [ + "", + "" + ] + }, + "grow": true, + "order": 2, + "type": "rangeSliderControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "Overview of Microsoft 365 Defender Incidents", "kibanaSavedObjectMeta": { @@ -26,7 +103,11 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "hidePanelTitles": false, "savedVis": { "data": { 
@@ -43,7 +124,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n**[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06)** \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Description\n\nThis dashboard visualizes Incident and Alert type events collected from the MS Graph API using the Incident Datastream\n\n", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n**Incidents** \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Rest API Datastream \n[Vulnerability](#/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n#### Description\n\nThis dashboard visualizes Incident and Alert type events collected from the MS Graph API using the Incident Datastream\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n\n", "openLinksInNewTab": false }, "title": "", @@ -60,8 +141,7 @@ }, "panelIndex": "84cd7862-0002-4303-9fc7-53e6cbb6e78e", "title": "Table of Contents", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { 
@@ -246,8 +326,7 @@ }, "panelIndex": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e", "title": "Incident Counts [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -445,8 +524,7 @@ }, "panelIndex": "4b49a572-a243-4c87-bea9-d0531d9dbd5a", "title": "Alert Counts [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -578,8 +656,7 @@ }, "panelIndex": "09a42be0-f530-4662-a284-5ad7d3264935", "title": "Distribution of Incidents by Severity [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -735,8 +812,7 @@ }, "panelIndex": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b", "title": "Severity Over Time [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -867,8 +943,7 @@ }, "panelIndex": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53", "title": "Count of Incidents Over Time [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1014,11 +1089,11 @@ }, "panelIndex": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789", "title": "Incident with Highest Count of Alerts [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { + "description": "", "enhancements": {} }, "gridData": { @@ -1030,8 +1105,8 @@ }, "panelIndex": "b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", "panelRefName": "panel_b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", - "type": "search", - "version": "8.7.1" + "title": "Incidents Essential Details [Logs Microsoft 365 Defender]", + "type": "search" }, { "embeddableConfig": { @@ -1168,8 +1243,7 @@ }, "panelIndex": "a567157d-8f3c-4fa5-b7a1-1caa3f9252b2", "title": "Distribution of Alerts by Category [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -1297,8 +1371,7 @@ }, "panelIndex": "039e6ffc-d9bb-4bfb-9fde-a7dc9a7938bc", "title": "Distribution of Alerts by Severity [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1435,8 +1508,7 @@ }, "panelIndex": "7f825e05-faee-4ad4-9898-69cb1204cf89", "title": "Distribution of Alerts by Service Source [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1591,8 +1663,7 @@ }, "panelIndex": "8b6e0921-d74d-4fc1-83f4-04b15f37bef0", "title": "Distribution of Alerts by Determination [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1716,8 +1787,7 @@ }, "panelIndex": "2c9ca03f-7301-4749-9825-4b7871d90b21", "title": "Top 10 Detection Source that identified most of the Alerts [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1884,8 +1954,7 @@ }, "panelIndex": "1a124e55-d897-4528-ad07-033d238e7460", "title": "Top 10 Email Sender IP with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2057,8 +2126,7 @@ }, "panelIndex": "80ad6adc-885a-471b-b9f1-ca6742177339", "title": "Alert Severity Over Time [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2189,8 +2257,7 @@ }, "panelIndex": "e81b4ea3-793d-4827-a77a-df2c9bf006d5", "title": "Count of Alerts Over Time [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2340,8 +2407,7 @@ }, "panelIndex": "a6c60337-0230-4d71-90d6-fcbf09ca19bb", "title": "Top 10 User Account with Compromised Role [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -2482,8 +2548,7 @@ }, "panelIndex": "d7865055-20d9-4c1f-a0c2-4ddcd73a849d", "title": "Top Mitre Techniques [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2633,8 +2698,7 @@ }, "panelIndex": "57c437df-b2a8-40de-b8c5-26fadf2b3140", "title": "Top 10 Most Attacked Device [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2801,11 +2865,11 @@ }, "panelIndex": "6093d81b-dac2-417b-98cb-5531284af94f", "title": "Top 10 Process Commands with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { + "description": "", "enhancements": {} }, "gridData": { @@ -2817,20 +2881,18 @@ }, "panelIndex": "b4755871-88ae-45f2-813c-dbe4ca1cc54b", "panelRefName": "panel_b4755871-88ae-45f2-813c-dbe4ca1cc54b", - "type": "search", - "version": "8.7.1" + "title": "Alerts Essential Details [Logs Microsoft 365 Defender]", + "type": "search" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Incident", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2024-01-22T11:50:13.514Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": true, "references": [ { "id": "logs-*", 
@@ -3044,24 +3106,35 @@ }, { "id": "logs-*", - "name": "controlGroup_72c489e6-c07a-4c74-8c35-d70b4b4e8ccd:rangeSliderDataView", + "name": "controlGroup_2708d0c8-86d9-45bc-a6f0-e722cc97df64:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_4f83317b-ba18-4a9a-b682-b822f79ee030:optionsListDataView", + "name": "controlGroup_39dfc434-7e3f-42fd-bd7b-081c7e4271b6:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_7aef0b74-b368-4a23-a713-02f3fcc672fc:optionsListDataView", + "name": "controlGroup_67b3423b-ef2e-430f-bdd6-5b3f61158010:rangeSliderDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_d4d6a591-6a26-412e-b0bd-9f71329143ba:optionsListDataView", + "name": "controlGroup_796f0688-c362-4886-9060-71834548a05b:optionsListDataView", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json b/packages/m365_defender/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json new file mode 100644 index 00000000000..fd532b0b651 --- /dev/null +++ b/packages/m365_defender/kibana/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json 
@@ -0,0 +1,2120 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "496b8374-9f81-43cb-9cbd-cc5859043d5e": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "vulnerability.severity", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "a5663e6a-f7f7-4e77-ae24-5b54abad99d2": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.vulnerability.affected_machine.exposure_level", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Exposure Level" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "e7dd70a2-2ddd-4dfb-a2a3-b96bfa5b2d08": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.risk.calculated_level", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Risk Calculated Level" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "ee7a009c-c029-4f58-b54d-71fbdf297630": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "host.os.platform", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + 
"selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "OS Platform" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "Overview of Microsoft 365 Defender Vulnerabilities.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.vulnerability" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "bb5c3bc7-2da1-4a15-b588-9e2fcda80836": { + "columnOrder": [ + "b970edb6-7fb6-48f0-af44-b057acbebb37", + "d559fa87-35f2-4096-ba63-b938a3975194" + ], + "columns": { + "b970edb6-7fb6-48f0-af44-b057acbebb37": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected Host", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of vulnerability.id", + 
"operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "d559fa87-35f2-4096-ba63-b938a3975194": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b970edb6-7fb6-48f0-af44-b057acbebb37", + "width": 357.5 + }, + { + "columnId": "d559fa87-35f2-4096-ba63-b938a3975194" + } + ], + "layerId": "bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "layerType": "data" + } + }, + "title": "Top 10 Affected Host with Highest Vulnerability", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", + "w": 24, + "x": 0, + "y": 50 + }, + "panelIndex": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", + "title": "Top 10 Affected Host with Highest Vulnerability [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "93fbd5b8-bcdd-402b-9efb-2a24a2da900f": { + "columnOrder": [ + "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828", + "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + ], + "columns": { + "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected software product", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "package.name" + }, + "26f9a0ca-049e-4084-86bb-b709d7ec37bf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828" + }, + { + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + } + ], + "layerId": "93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "layerType": "data" + } + }, + "title": "Top 10 Affected software product", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": 
"", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "6d64f578-66e2-49f3-ae06-911dae110ee7", + "w": 24, + "x": 24, + "y": 50 + }, + "panelIndex": "6d64f578-66e2-49f3-ae06-911dae110ee7", + "title": "Top 10 Affected Software Product [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "grid": { + "columns": { + "@timestamp": { + "width": 208 + }, + "host.id": { + "width": 299 + }, + "host.ip": { + "width": 140 + }, + "host.name": { + "width": 120 + }, + "host.risk.calculated_level": { + "width": 121 + }, + "m365_defender.vulnerability.affected_machine.last_seen": { + "width": 246 + }, + "m365_defender.vulnerability.updated_on": { + "width": 222 + } + } + } + }, + "gridData": { + "h": 22, + "i": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "w": 48, + "x": 0, + "y": 67 + }, + "panelIndex": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "panelRefName": "panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "title": "Affected Machines Essential Details [Logs Microsoft 365 Defender]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f83347b5-978e-4753-a26a-d40d0a549867": { + "columnOrder": [ + "64974bb9-da5e-4df7-b627-40f953c6e2b4", + "bf620d80-f648-405b-94ac-3d6834fdb1a4" + ], + "columns": { + "64974bb9-da5e-4df7-b627-40f953c6e2b4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS 
Platform", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf620d80-f648-405b-94ac-3d6834fdb1a4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.platform" + }, + "bf620d80-f648-405b-94ac-3d6834fdb1a4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Machine ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f83347b5-978e-4753-a26a-d40d0a549867", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "bf620d80-f648-405b-94ac-3d6834fdb1a4" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "64974bb9-da5e-4df7-b627-40f953c6e2b4" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "OS Distribution of Affected Machines", + "type": "lens", + "visualizationType": 
"lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "be800cbb-a57d-440a-84e3-4233103d3bbb", + "w": 16, + "x": 16, + "y": 35 + }, + "panelIndex": "be800cbb-a57d-440a-84e3-4233103d3bbb", + "title": "Affected Machines by OS [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "columnOrder": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "columns": { + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Machine ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Risk Calculated Level", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.risk.calculated_level" + } + }, + 
"incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "Critical" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "High" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "Medium" + ] + }, + "touched": true + } + ], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Vulnerabilities by Severity", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": 
true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "cbade69a-97e6-4a08-8e43-4e0824a89840", + "w": 16, + "x": 32, + "y": 35 + }, + "panelIndex": "cbade69a-97e6-4a08-8e43-4e0824a89840", + "title": "Affected Machines by Risk Calculated Level [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "95d5d85e-ec68-4d5f-a5e8-f69441a959c0": { + "columnOrder": [ + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b", + "9f2f59ce-ffd5-42ca-a6b3-def879393810" + ], + "columns": { + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "CVE Supportability ", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9f2f59ce-ffd5-42ca-a6b3-def879393810", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "m365_defender.vulnerability.cve_supportability" + }, + "9f2f59ce-ffd5-42ca-a6b3-def879393810": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Vulnerability ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + 
"indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "9f2f59ce-ffd5-42ca-a6b3-def879393810" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Vulnerabilities by CVE Supportability ", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", + "w": 16, + "x": 0, + "y": 35 + }, + "panelIndex": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", + "title": "Vulnerability by CVE Supportability [Logs Microsoft 365 Defender] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7f9d3821-7e68-4bb8-a189-190e04533a7d": { + "columnOrder": [ + "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" + ], + "columns": { + 
"f2dc92c3-ebd9-4846-98ce-bda90b9c7505": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Affected Products", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "m365_defender.vulnerability.affected_machine.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "7f9d3821-7e68-4bb8-a189-190e04533a7d", + "layerType": "data", + "metricAccessor": "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", + "w": 8, + "x": 8, + "y": 12 + }, + "panelIndex": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", + "title": "Total Affected Products [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6a1c3042-4087-44c0-a950-624946feea03", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "59044096-edd2-4c17-9b59-05fcfc384e6b": { + "columnOrder": [ + "ebbe371e-c41c-404a-b40e-b28610cdcab8" + ], + "columns": { + "ebbe371e-c41c-404a-b40e-b28610cdcab8": { + 
"customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Total Public Exploit Vulnerability", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.public_exploit", + "index": "6a1c3042-4087-44c0-a950-624946feea03", + "key": "m365_defender.vulnerability.public_exploit", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.vulnerability.public_exploit": true + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "59044096-edd2-4c17-9b59-05fcfc384e6b", + "layerType": "data", + "metricAccessor": "ebbe371e-c41c-404a-b40e-b28610cdcab8" + } + }, + "title": "Total Public Exploit Vulnerabilities", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.public_exploit", + "index": "logs-*", + "key": "m365_defender.vulnerability.public_exploit", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.vulnerability.public_exploit": true + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + 
"syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "274078cb-5fb3-43cd-a025-1eb787e93a5e", + "w": 8, + "x": 8, + "y": 6 + }, + "panelIndex": "274078cb-5fb3-43cd-a025-1eb787e93a5e", + "title": "Total Public Exploit Vulnerabilities [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d448b66c-867d-4229-b46b-098a674230f6": { + "columnOrder": [ + "9521f331-1199-450b-9f3d-dc1024c90024" + ], + "columns": { + "9521f331-1199-450b-9f3d-dc1024c90024": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Total Verified Exploit Vulnerability", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.exploit_verified", + "index": "cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "key": "m365_defender.vulnerability.exploit_verified", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.vulnerability.exploit_verified": true + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + 
"layerId": "d448b66c-867d-4229-b46b-098a674230f6", + "layerType": "data", + "metricAccessor": "9521f331-1199-450b-9f3d-dc1024c90024" + } + }, + "title": "Total Verified Exploit Vulnerabilities", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.exploit_verified", + "index": "logs-*", + "key": "m365_defender.vulnerability.exploit_verified", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.vulnerability.exploit_verified": true + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", + "title": "Total Verified Exploit Vulnerabilities [Logs Microsoft 365 Defender] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "693c18a1-a856-4f59-a87e-6f58ecb73834": { + "columnOrder": [ + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d", + "689d4347-c58d-469b-8703-104286c8497a" + ], + "columns": { + "689d4347-c58d-469b-8703-104286c8497a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": 
"ratio", + "sourceField": "___records___" + }, + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Vulnerability Updated On Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "ignoreTimeRange": true, + "includeEmptyRows": true, + "interval": "30d" + }, + "scale": "interval", + "sourceField": "m365_defender.vulnerability.updated_on" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "689d4347-c58d-469b-8703-104286c8497a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "693c18a1-a856-4f59-a87e-6f58ecb73834", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "f70ba21e-c3f3-4541-9690-3d5bddf9a19d" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": 
"Vulnerabilities time line over First Seen", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "d50a1111-11a2-4540-b788-dd116022b873", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "d50a1111-11a2-4540-b788-dd116022b873", + "title": "Vulnerability over Time [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c2ecbde4-fc03-46a3-a001-d384d24c2c0b": { + "columnOrder": [ + "4ab972e9-380a-426c-98e1-7acd0b9125d1", + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + ], + "columns": { + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "4ab972e9-380a-426c-98e1-7acd0b9125d1": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Vulnerabillity First Seen", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "ignoreTimeRange": true, + "includeEmptyRows": false, + "interval": "5m" + }, + "scale": "interval", + "sourceField": "m365_defender.vulnerability.first_detected" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + 
"currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"m365_defender.vulnerability\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "4ab972e9-380a-426c-98e1-7acd0b9125d1" + } + ], + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "auto", + "legendStats": [], + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "Vulnerabilities over Time", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"m365_defender.vulnerability\"" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", + "w": 24, + "x": 
8, + "y": 18 + }, + "panelIndex": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", + "title": "Vulnerability over First Seen [Logs Microsoft 365 Defender]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "columnOrder": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "columns": { + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Vulnerability ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity ", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vulnerability.severity" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + 
"language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "Critical" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "High" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "Medium" + ] + }, + "touched": true + } + ], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Vulnerabilities by Severity", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "50be5d33-6110-4584-8163-29335c338697", + "w": 16, + "x": 32, + "y": 18 + }, + "panelIndex": "50be5d33-6110-4584-8163-29335c338697", + "title": "Vulnerability by Severity [Logs Microsoft 365 Defender] ", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + 
"dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 35, + "i": "72697a0d-690e-496e-9809-389acd1c5cc6", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "72697a0d-690e-496e-9809-389acd1c5cc6", + "panelRefName": "panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "title": "Table of Contents", + "type": "visualization" + } + ], + "refreshInterval": { + "pause": true, + "value": 60000 + }, + "timeFrom": "now-4h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Microsoft 365 Defender] Vulnerability", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-05-08T07:27:52.075Z", + "id": "m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec", + "name": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406:panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "type": "search" + }, + { + "id": "m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + }, + { + "id": "logs-*", + "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d64f578-66e2-49f3-ae06-911dae110ee7:indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be800cbb-a57d-440a-84e3-4233103d3bbb:indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "type": "index-pattern" + }, + 
{ + "id": "logs-*", + "name": "cbade69a-97e6-4a08-8e43-4e0824a89840:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2bb8f3a4-3123-413d-aacc-2e7c2721b468:indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:6a1c3042-4087-44c0-a950-624946feea03", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d50a1111-11a2-4540-b788-dd116022b873:indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "50be5d33-6110-4584-8163-29335c338697:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_496b8374-9f81-43cb-9cbd-cc5859043d5e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ee7a009c-c029-4f58-b54d-71fbdf297630:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"controlGroup_a5663e6a-f7f7-4e77-ae24-5b54abad99d2:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_e7dd70a2-2ddd-4dfb-a2a3-b96bfa5b2d08:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json index f47c5af7247..651cf9b0634 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c.json 
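Review bot: In the new Vulnerability dashboard, several Lens panels over `logs-*` are not scoped to the vulnerability dataset: the "Vulnerability over Time" panel (`d50a1111-11a2-4540-b788-dd116022b873`) counts `___records___` with `"query": ""`, and the "Total Affected Products" metric, the "Vulnerabilities by CVE Supportability" pie and the "Vulnerabilities by Severity" pie likewise carry an empty query, whereas the "Vulnerability over First Seen" panel (`cd4342af-24cb-4c1c-b72f-3e0f9de7f394`) filters on `event.dataset : "m365_defender.vulnerability"`; apply the same `event.dataset` query to each panel so documents from other datasets in `logs-*` don't inflate the counts. In the same file: the "Total Affected Products" metric is a `count` over `m365_defender.vulnerability.affected_machine.id`, so it reports matching documents rather than distinct products (or machines); `unique_count` and a label that names the field would be more accurate. The "Vulnerability over Time" Lens title "Vulnerabilities time line over First Seen" doesn't match its x-axis, which is `m365_defender.vulnerability.updated_on` labelled "Vulnerability Updated On Time". The `first_detected` histogram uses `"interval": "5m"` together with `"ignoreTimeRange": true`, which buckets the entire history in five-minute steps; the sibling panel uses `30d`. `"timeFrom": "now-4h"` with `"timeRestore": true` forces a four-hour window on every load; confirm that is intended given that the two XY panels explicitly ignore the time range. Cosmetic: the "Vulnerabillity First Seen" typo, and trailing spaces in the titles "Vulnerabilities by CVE Supportability ", "Vulnerability by CVE Supportability [Logs Microsoft 365 Defender] ", "Total Verified Exploit Vulnerabilities [Logs Microsoft 365 Defender] ", "Vulnerability by Severity [Logs Microsoft 365 Defender] " and the label "Severity ". Metadata: the top-level `updated_by` value is an exported user id and is absent from the other dashboards in this change, so drop it; the `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` entry appears twice in `references`; and `"managed": false` disagrees with the `"managed": true` this same change sets on the Device Events dashboard.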
@@ -3,8 +3,87 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"007a099d-f3bc-4c46-a48e-629e06a614e4\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"007a099d-f3bc-4c46-a48e-629e06a614e4\",\"fieldName\":\"host.name\",\"title\":\"Hostname\",\"enhancements\":{}}},\"d441e8a1-87f4-46b1-8dff-bf9bb88762d3\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d441e8a1-87f4-46b1-8dff-bf9bb88762d3\",\"fieldName\":\"m365_defender.event.category\",\"title\":\"Event Type\",\"enhancements\":{}}},\"6fa76f5f-16ed-4419-8b16-fe5581d21067\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6fa76f5f-16ed-4419-8b16-fe5581d21067\",\"fieldName\":\"host.os.full\",\"title\":\"OS Platform\",\"enhancements\":{}}},\"175fd1a8-7429-4e56-853b-057b124121de\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"175fd1a8-7429-4e56-853b-057b124121de\",\"fieldName\":\"host.type\",\"title\":\"Device Type\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "6483d32d-ff98-48fc-861a-3390cbeba7f3": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.type", + "id": "6483d32d-ff98-48fc-861a-3390cbeba7f3", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Device Type" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "708eb92f-f16b-4318-aee5-01d1dd4aa4cf": { + "explicitInput": { + "dataViewId": 
"logs-*", + "fieldName": "host.os.full", + "id": "708eb92f-f16b-4318-aee5-01d1dd4aa4cf", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "OS Platform" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "ddaa296a-509d-4a7f-936f-a4b7be2b7bd8": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.name", + "id": "ddaa296a-509d-4a7f-936f-a4b7be2b7bd8", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Hostname" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "f3f94dd3-8822-447f-8735-5d17c7dced70": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.event.category", + "id": "f3f94dd3-8822-447f-8735-5d17c7dced70", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event Type" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "Overview of Microsoft 365 Defender Device Events.", "kibanaSavedObjectMeta": { @@ -26,7 +105,11 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "hidePanelTitles": false, "savedVis": { "data": { 
@@ -43,7 +126,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n**[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c)** \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n[Incident Events](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Log Events](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Description\n\nThis dashboard visualizes Device type events according to the [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream.\n\nThe supported event types are:\n- AdvancedHunting-DeviceEvents\n- AdvancedHunting-DeviceFileCertificateInfo\n- AdvancedHunting-DeviceFileEvents\n- AdvancedHunting-DeviceImageLoadEvents\n- AdvancedHunting-DeviceInfo\n- AdvancedHunting-DeviceLogonEvents\n- AdvancedHunting-DeviceNetworkEvents\n- AdvancedHunting-DeviceNetworkInfo\n- AdvancedHunting-DeviceProcessEvents\n- AdvancedHunting-DeviceRegistryEvents", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n**Device Events** \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n[Incident Events](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Log Events](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) 
\n\n#### Rest API Datastream \n[Vulnerability](#/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n#### Description\n\nThis dashboard visualizes Device type events according to the [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream.\n\nThe supported event types are:\n- AdvancedHunting-DeviceEvents\n- AdvancedHunting-DeviceFileCertificateInfo\n- AdvancedHunting-DeviceFileEvents\n- AdvancedHunting-DeviceImageLoadEvents\n- AdvancedHunting-DeviceInfo\n- AdvancedHunting-DeviceLogonEvents\n- AdvancedHunting-DeviceNetworkEvents\n- AdvancedHunting-DeviceNetworkInfo\n- AdvancedHunting-DeviceProcessEvents\n- AdvancedHunting-DeviceRegistryEvents\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n", "openLinksInNewTab": false }, "title": "", @@ -60,8 +143,7 @@ }, "panelIndex": "87171286-8e9b-4ee6-9669-02a89ac76bbc", "title": "Table of Contents", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -256,8 +338,7 @@ }, "panelIndex": "eef7f556-05f9-4b08-bc1a-f87957c5919d", "title": "Unique Devices", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -300,6 +381,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -418,8 +500,7 @@ }, "panelIndex": "d2da5421-b966-4fa6-9f0b-67cf5699fe07", "title": "Devices Not Onboarded", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -462,6 +543,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -550,8 +632,7 @@ }, "panelIndex": "4cdcfcff-9592-43e6-abf5-cba2e4b82e1e", "title": "Devices Onboarded", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
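Review bot: In the Table of Contents markdown (hunk `@@ -43,7 +126,7 @@`), the new heading reads `#### Rest API Datastream ` with a trailing space; REST is an acronym, so `#### REST API Datastream` would be the consistent form. The rest of the change (dropping the self-link on Device Events, adding the Vulnerability and Integration Page links) reads correctly.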
@@ -594,6 +675,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -714,8 +796,7 @@ }, "panelIndex": "bdad135a-5476-4fa5-b9e2-49abeba859ab", "title": "Files Signed", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -758,6 +839,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -878,8 +960,7 @@ }, "panelIndex": "43d8b62e-e75c-4bd4-9803-6218cf8e4f28", "title": "Files Unsigned", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -922,6 +1003,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -1042,8 +1124,7 @@ }, "panelIndex": "570f73ac-a3af-48ee-849c-1b64e737b002", "title": "Files Trusted", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1086,6 +1167,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -1206,8 +1288,7 @@ }, "panelIndex": "69254ab7-fc20-4db8-952e-76e4f2ffa4e9", "title": "Files Untrusted", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1249,6 +1330,7 @@ "format": { "id": "number", "params": { + "compact": true, "decimals": 2 } } @@ -1410,8 +1492,7 @@ }, "panelIndex": "0a439ec0-b0dd-41df-b1de-b761b68d6ffb", "title": "Unique Domains", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1681,8 +1762,7 @@ }, "panelIndex": "7cd71879-68ac-454b-a135-c6bacac2d77f", "title": "Distribution of Device Events by Category", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1953,8 +2033,7 @@ }, "panelIndex": "12d3fd1a-bd2b-4612-84ba-aa2bb2060d78", "title": "Distribution of Device Events by Protocol", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -2086,8 +2165,7 @@ }, "panelIndex": "3a2f0c3d-bd6d-44e4-b6c3-25d7f55dd608", "title": "Distribution of Device by Device Logon Type", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2290,8 +2368,7 @@ }, "panelIndex": "de11f567-5bec-4717-a49c-98f6e34250e5", "title": "Distribution of Device Type by Device Category", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2415,8 +2492,7 @@ }, "panelIndex": "9c2c457e-9421-42e0-a162-011ea5beea7e", "title": "Top 10 Certificate Issuer", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2540,8 +2616,7 @@ }, "panelIndex": "8dead8f3-eb81-4f31-80f3-6f839fd1e949", "title": "Top 10 Failure Reason for Action Failed", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2773,11 +2848,11 @@ }, "panelIndex": "a9117849-31e0-4fb5-8750-3545eb3cb61c", "title": "Distribution of Device Events by OS Platform", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { + "description": "", "enhancements": {}, "hidePanelTitles": false }, @@ -2791,20 +2866,17 @@ "panelIndex": "74765bd4-91fc-4fc6-940b-86d66ba812ef", "panelRefName": "panel_74765bd4-91fc-4fc6-940b-86d66ba812ef", "title": "Endpoint Status", - "type": "search", - "version": "8.7.1" + "type": "search" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Device Events", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T09:13:50.534Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": true, "references": [ { "id": "logs-*", 
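Review bot: In hunk `@@ -2791,20 +2866,17 @@`, `"managed": true` is set on this dashboard while the new Vulnerability dashboard added in the same change sets `"managed": false`; the package's dashboards should agree on this flag, so pick one value and apply it to both. Replacing the per-panel `"version": "8.7.1"` fields and the `migrationVersion` block with `coreMigrationVersion`/`typeMigrationVersion` is applied consistently across the other hunks.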
@@ -3018,24 +3090,35 @@ }, { "id": "logs-*", - "name": "controlGroup_007a099d-f3bc-4c46-a48e-629e06a614e4:optionsListDataView", + "name": "controlGroup_ee6ef237-fb12-4e41-9986-d8f0d0724a01:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_d441e8a1-87f4-46b1-8dff-bf9bb88762d3:optionsListDataView", + "name": "controlGroup_75c45205-c46b-45b7-858f-ff74d0d3fc30:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_6fa76f5f-16ed-4419-8b16-fe5581d21067:optionsListDataView", + "name": "controlGroup_cc9c3303-9867-43f1-8c4f-3b8c5800f3b3:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_175fd1a8-7429-4e56-853b-057b124121de:optionsListDataView", + "name": "controlGroup_d393f828-a72a-4cbd-a203-1604dd0868e1:optionsListDataView", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json index 3c3aae70729..cd2334a6e8b 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c.json 
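Review bot: In hunk `@@ -3018,24 +3090,35 @@`, the four `controlGroup_<id>:optionsListDataView` reference names (`ee6ef237-fb12-4e41-9986-d8f0d0724a01`, `75c45205-c46b-45b7-858f-ff74d0d3fc30`, `cc9c3303-9867-43f1-8c4f-3b8c5800f3b3`, `d393f828-a72a-4cbd-a203-1604dd0868e1`) match none of the control ids defined in `controlGroupInput.panelsJSON` earlier in this file (`6483d32d-ff98-48fc-861a-3390cbeba7f3`, `708eb92f-f16b-4318-aee5-01d1dd4aa4cf`, `ddaa296a-509d-4a7f-936f-a4b7be2b7bd8`, `f3f94dd3-8822-447f-8735-5d17c7dced70`), so the data-view references for the controls are orphaned; regenerate `references` from the same export as the control group so the ids line up.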
@@ -3,8 +3,87 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"6d8444c4-a17b-46fa-b942-248cdffc0d04\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6d8444c4-a17b-46fa-b942-248cdffc0d04\",\"fieldName\":\"host.name\",\"title\":\"Device\",\"enhancements\":{}}},\"63481d94-05b9-4bb5-afc9-3d77d86dfea3\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"63481d94-05b9-4bb5-afc9-3d77d86dfea3\",\"fieldName\":\"m365_defender.event.application\",\"title\":\"Application\",\"enhancements\":{}}},\"22ed2462-d641-464c-94ee-955dfbce0a1d\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"22ed2462-d641-464c-94ee-955dfbce0a1d\",\"fieldName\":\"host.type\",\"title\":\"Device Type\",\"enhancements\":{}}},\"fdde8f41-b6db-435a-8128-3aee80ee3d3f\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"fdde8f41-b6db-435a-8128-3aee80ee3d3f\",\"fieldName\":\"m365_defender.event.action.type\",\"title\":\"Action Type\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "0cc22091-cdfe-438a-9862-3abe3a5bd70d": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.name", + "id": "0cc22091-cdfe-438a-9862-3abe3a5bd70d", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Device" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "23922902-bb87-4371-b685-ab920615f2a3": { + "explicitInput": { + "dataViewId": "logs-*", + 
"fieldName": "host.type", + "id": "23922902-bb87-4371-b685-ab920615f2a3", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Device Type" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "7bae90a1-a3eb-4d51-b578-7e8e90ed0585": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.event.action.type", + "id": "7bae90a1-a3eb-4d51-b578-7e8e90ed0585", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Action Type" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "97e71696-8315-45fe-b91a-2ee4c0aa9c53": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.event.application", + "id": "97e71696-8315-45fe-b91a-2ee4c0aa9c53", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Application" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "Overview of Microsoft 365 Defender App \u0026 Identity Events.", "kibanaSavedObjectMeta": { @@ -26,7 +105,11 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "hidePanelTitles": false, "savedVis": { "data": { 
@@ -43,7 +126,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n**[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c)** \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Description\n\nThis dashboard visualizes CloudApp and Identity type events according to the [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream. 
\n\nThe supported event types are:\n- AdvancedHunting-IdentityDirectoryEvents\n- AdvancedHunting-IdentityLogonEvents\n- AdvancedHunting-IdentityQueryEvents\n- AdvancedHunting-CloudAppEvents\n\n", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n**App \u0026 Identity Events** \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Rest API Datastream \n[Vulnerability](#/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n#### Description\n\nThis dashboard visualizes CloudApp and Identity type events according to the [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide). \nThe data is collected from a configured Event Hub, using the M365 Defender Event datastream. \n\nThe supported event types are:\n- AdvancedHunting-IdentityDirectoryEvents\n- AdvancedHunting-IdentityLogonEvents\n- AdvancedHunting-IdentityQueryEvents\n- AdvancedHunting-CloudAppEvents\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n", "openLinksInNewTab": false }, "title": "", @@ -60,8 +143,7 @@ }, "panelIndex": "13f8e133-60be-4cd8-9c2e-85a29df58f4b", "title": "Table of Contents", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -213,8 +295,7 @@ }, "panelIndex": "b2f500b5-ac94-44b7-94e4-7321d9219bde", "title": "Unique Devices", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -409,8 +490,7 @@ }, "panelIndex": "af17ce71-1d52-4e54-bbd8-17fba8f77f41", "title": "Distribution of App and Identity Events by Device Type", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -596,8 +676,7 @@ }, "panelIndex": "9a94aefa-34e6-47ea-baea-c73de0c92d1d", "title": "Distribution of App and Identity Events by Application", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -749,8 +828,7 @@ }, "panelIndex": "ac91d103-a220-42fa-89df-573e85e381d4", "title": "Unique Applications", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -931,8 +1009,7 @@ }, "panelIndex": "4e8ac33a-12e8-4f6f-8d7d-1fc25589bc99", "title": "Top 10 Failure Reason for Action Failed", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1113,8 +1190,7 @@ }, "panelIndex": "2d53c4f6-39e7-456a-ad38-c0a28349854a", "title": "Top 10 Action Type that Triggered the Identity Events", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1329,8 +1405,7 @@ }, "panelIndex": "9026565f-e4e4-4648-88a0-b69e8fa1f190", "title": "Distribution of App and Identity Events by OS Platform", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1516,8 +1591,7 @@ }, "panelIndex": "883f9d41-b2dc-43f5-a880-55af54651f72", "title": "Distribution of App and Identity Events by Category", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -1703,20 +1777,17 @@ }, "panelIndex": "0a57d124-a25c-4e66-9cf3-c29f6e7734b5", "title": "Distribution of Identity Events by Logon Type", - "type": "lens", - "version": "8.7.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] App \u0026 Identity Events", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T09:11:12.088Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-d587df00-745f-11ed-8657-c59f6ece834c", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": true, "references": [ { "id": "logs-*", @@ -1850,24 +1921,35 @@ }, { "id": "logs-*", - "name": "controlGroup_6d8444c4-a17b-46fa-b942-248cdffc0d04:optionsListDataView", + "name": "controlGroup_0bef957d-efec-4a22-b42c-f34b74bb710d:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_63481d94-05b9-4bb5-afc9-3d77d86dfea3:optionsListDataView", + "name": "controlGroup_8af65dc8-130f-4bc1-b477-7add1d9157e5:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_22ed2462-d641-464c-94ee-955dfbce0a1d:optionsListDataView", + "name": "controlGroup_7e5b04d6-bf45-4597-bb91-d1839f27910c:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_fdde8f41-b6db-435a-8128-3aee80ee3d3f:optionsListDataView", + "name": "controlGroup_c0730ca8-83e1-40c2-ae24-286f12b85a79:optionsListDataView", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file 
diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json b/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json index adc25858a52..8301de25d73 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json 
@@ -3,8 +3,82 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\",\"fieldName\":\"event.provider\",\"title\":\"Service Source\",\"enhancements\":{}}},\"ec5d23b5-535c-483a-88ad-279762f3d5ca\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ec5d23b5-535c-483a-88ad-279762f3d5ca\",\"fieldName\":\"m365_defender.alert.detection_source\",\"title\":\"Detection Source\",\"enhancements\":{},\"selectedOptions\":[]}},\"cef3df17-225a-4373-a231-caa594cd1bf4\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"cef3df17-225a-4373-a231-caa594cd1bf4\",\"fieldName\":\"m365_defender.alert.evidence.roles\",\"title\":\"Evidence Role\",\"enhancements\":{},\"selectedOptions\":[]}},\"23cace2f-34ed-4efa-bed4-ccdc7318dfb8\":{\"type\":\"rangeSliderControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"23cace2f-34ed-4efa-bed4-ccdc7318dfb8\",\"fieldName\":\"event.severity\",\"title\":\"event.severity\",\"enhancements\":{}}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "4c2c0f9a-e2b8-4f9d-881c-d5a5872974b0": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.alert.detection_source", + "id": "4c2c0f9a-e2b8-4f9d-881c-d5a5872974b0", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Detection Source" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", 
+ "width": "medium" + }, + "6b9fd43c-4c5c-41b1-aad5-609fe0012dbe": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.severity", + "id": "6b9fd43c-4c5c-41b1-aad5-609fe0012dbe", + "step": 1, + "title": "event.severity" + }, + "grow": true, + "order": 3, + "type": "rangeSliderControl", + "width": "medium" + }, + "9afd598a-5f64-4f09-ab3a-534007747c89": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.provider", + "id": "9afd598a-5f64-4f09-ab3a-534007747c89", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Service Source" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "f87dc53c-572a-43ec-9874-2ae77b75c7fb": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "m365_defender.alert.evidence.roles", + "id": "f87dc53c-572a-43ec-9874-2ae77b75c7fb", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Evidence Role" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "Overview of Microsoft 365 Defender Alerts", "kibanaSavedObjectMeta": { @@ -26,7 +100,11 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "hidePanelTitles": false, "savedVis": { "data": { 
@@ -43,7 +121,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n[Incident](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n**[Alert](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03)** \n\n#### Description\n\nThis dashboard showcases various alert metrics, including counts for new, in-progress, resolved, assigned, and unassigned alerts. It categorizes alerts by severity, category, determination, and service source. The display features top 10 email sender IPs with suspicious or malicious verdicts, leading detection sources, a timeline of alerts, a table highlighting top MITRE techniques, the top 10 compromised user accounts, the most attacked devices, and concludes with essential details of the alerts.\n\n", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n[Incident](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n**Alert**\n\n#### Rest API Datastream \n[Vulnerability](#/dashboard/m365_defender-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n#### Description\n\nThis dashboard showcases various alert metrics, including counts for new, in-progress, resolved, assigned, and unassigned alerts. 
It categorizes alerts by severity, category, determination, and service source. The display features top 10 email sender IPs with suspicious or malicious verdicts, leading detection sources, a timeline of alerts, a table highlighting top MITRE techniques, the top 10 compromised user accounts, the most attacked devices, and concludes with essential details of the alerts.\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n\n\n", "openLinksInNewTab": false }, "title": "", @@ -60,8 +138,7 @@ }, "panelIndex": "5852497b-14e8-4c1e-a9ab-fc387a3ae672", "title": "Table of Contents", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -216,8 +293,7 @@ }, "panelIndex": "8ed4553a-d396-4ad7-b247-10e005d65086", "title": "Alert Counts [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -353,8 +429,7 @@ }, "panelIndex": "00c0b388-64b8-49c8-9ccb-de8e58030b4d", "title": "Alerts by Severity [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -495,8 +570,7 @@ }, "panelIndex": "8e4019a0-6594-4eaf-9358-c343b72aba84", "title": "Alerts by Category [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -659,8 +733,7 @@ }, "panelIndex": "1f836fdc-61f4-4cf4-a392-50276a2b77f1", "title": "Alerts by Determination [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -801,8 +874,7 @@ }, "panelIndex": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae", "title": "Alerts by Service Source [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -992,8 +1064,7 @@ }, "panelIndex": "6847c21e-2ec0-4af4-aa67-ec52b181b05e", "title": "Top 10 Email Sender IP with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1124,8 +1195,7 @@ }, "panelIndex": "51f47e38-eed6-42b3-8096-a39b914909da", "title": "Top 10 Detection Source that identified most of the Alerts [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1261,8 +1331,7 @@ }, "panelIndex": "62846e2a-f412-4cf9-b8ea-b08bc7fbd613", "title": "Alerts Over Time [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1442,8 +1511,7 @@ }, "panelIndex": "efd3aa63-5879-4383-87e4-6276e38b3c01", "title": "Severity Over Time [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1584,8 +1652,7 @@ }, "panelIndex": "7317b469-4895-497a-a263-14b58eaec52f", "title": "Top Mitre Techniques [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1743,8 +1810,7 @@ }, "panelIndex": "d8b78c44-5d93-4a70-9d3d-0386581082d1", "title": "Top 10 User Account with Compromised Role [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -1930,8 +1996,7 @@ }, "panelIndex": "34673480-15c2-4f75-ae86-637bc6875e78", "title": "Top 10 Process Commands with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -2085,11 +2150,11 @@ }, "panelIndex": "664a1613-6c7e-40cd-91b2-43ce6c451ddb", "title": "Top 10 Most Attacked Device [Logs Microsoft 365 Defender]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { + "description": "", "enhancements": {} }, "gridData": { 
@@ -2101,20 +2166,18 @@ }, "panelIndex": "b83be89c-7f77-406b-9028-1cfb0eb67e8d", "panelRefName": "panel_b83be89c-7f77-406b-9028-1cfb0eb67e8d", - "type": "search", - "version": "8.7.1" + "title": "Alerts Essential Details [Logs Microsoft 365 Defender]", + "type": "search" } ], "timeRestore": false, "title": "[Logs Microsoft 365 Defender] Alert", - "version": 1 + "version": 3 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2024-01-22T12:09:27.346Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": true, "references": [ { "id": "logs-*", @@ -2273,24 +2336,35 @@ }, { "id": "logs-*", - "name": "controlGroup_5779a7c6-acf5-4f7d-ac4c-caae9517d95e:optionsListDataView", + "name": "controlGroup_5dc65984-bce2-4987-964a-3d2b247268c8:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_ec5d23b5-535c-483a-88ad-279762f3d5ca:optionsListDataView", + "name": "controlGroup_3f1c65a4-3ed4-4977-ad34-87cafb614177:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_cef3df17-225a-4373-a231-caa594cd1bf4:optionsListDataView", + "name": "controlGroup_d58ab84c-4d4c-459b-9685-d8b006f164ae:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_23cace2f-34ed-4efa-bed4-ccdc7318dfb8:rangeSliderDataView", + "name": "controlGroup_65e917f6-06b2-40b7-b3b8-fa281a6c386f:rangeSliderDataView", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0" } \ No newline at end of file 
diff --git a/packages/m365_defender/kibana/search/m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json b/packages/m365_defender/kibana/search/m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json new file mode 100644 index 00000000000..e9faa3f8deb --- /dev/null +++ b/packages/m365_defender/kibana/search/m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "columns": [ + "m365_defender.vulnerability.affected_machine.last_seen", + "host.id", + "host.ip", + "host.name", + "vulnerability.id", + "host.os.name", + "host.risk.calculated_level", + "m365_defender.vulnerability.affected_machine.health_status", + "m365_defender.vulnerability.affected_machine.is_potential_duplication" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.vulnerability.affected_machine.id", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "m365_defender.vulnerability.affected_machine.id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "m365_defender.vulnerability.affected_machine.id" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "m365_defender.vulnerability.updated_on", + "desc" + ] + ], + "timeRestore": false, + "title": "Affected Machines Essential Details [Logs M365 Defender]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-05-08T07:26:10.883Z", + "id": "m365_defender-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "search", + 
"typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json index 3007ec1adea..874cf48898e 100644 --- a/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/search/m365_defender-64a31410-722c-11ed-8657-c59f6ece834c.json @@ -146,12 +146,10 @@ "title": "Endpoint Status [Logs Microsoft 365 Defender]", "usesAdHocDataView": false }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T07:50:09.615Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-64a31410-722c-11ed-8657-c59f6ece834c", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", @@ -167,7 +165,18 @@ "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json index bbf2717ce1e..4fb4ee3c4b6 100644 --- a/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json +++ b/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json 
@@ -53,12 +53,10 @@ "title": "Alerts Essential Details [Logs Microsoft 365 Defender]", "usesAdHocDataView": false }, - "coreMigrationVersion": "8.7.1", - "created_at": "2024-01-22T11:45:09.140Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-989afc60-44a5-11ed-8375-0168a9970c06", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", @@ -69,7 +67,18 @@ "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json index 69786e318c4..d22611bce63 100644 --- a/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json +++ b/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json @@ -51,12 +51,10 @@ ], "title": "Incidents Essential Details [Logs Microsoft 365 Defender]" }, - "coreMigrationVersion": "8.7.1", - "created_at": "2024-01-22T11:45:09.140Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-10T09:40:38.999Z", "id": "m365_defender-fcf25960-44af-11ed-8375-0168a9970c06", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", 
@@ -67,7 +65,18 @@ "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-m365_defender-security-solution-default", + "type": "tag" + }, + { + "id": "m365_defender-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/m365_defender/kibana/tag/m365_defender-security-solution-default.json b/packages/m365_defender/kibana/tag/m365_defender-security-solution-default.json new file mode 100644 index 00000000000..69cba8033e5 --- /dev/null +++ b/packages/m365_defender/kibana/tag/m365_defender-security-solution-default.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#F583B7", + "description": "Tag defined in package-spec", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-05-07T11:01:44.111Z", + "id": "m365_defender-security-solution-default", + "managed": true, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/m365_defender/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json b/packages/m365_defender/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json new file mode 100644 index 00000000000..3c552701c1e --- /dev/null +++ b/packages/m365_defender/kibana/visualization/m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Table of Contents", + "uiStateJSON": {}, + "version": "1", + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n[Incident](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n[Alert](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Rest API Datastream \n**Vulnerability** \n\n#### Description\n\nThis dashboard is designed to provide a comprehensive view of vulnerability data and affected machine ingested from Microsoft 365 Defender.\n\nIt highlights total public and verified exploit counts, trends over time, and the top affected hosts and software. Visuals include severity breakdowns, CVE supportability, OS distribution, and essential vulnerability details for deeper analysis.\n\n**[Integration Page](/app/integrations/detail/m365_defender/overview)**\n\n\n\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "Table of Contents", + "type": "markdown" + } + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-05-08T07:26:10.883Z", + "id": "m365_defender-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "managed": true, + "references": [], + "type": "visualization", + "typeMigrationVersion": "8.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file 
diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml index 211f742845c..0d07ca87030 100644 --- a/packages/m365_defender/manifest.yml +++ b/packages/m365_defender/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.2.3" +format_version: "3.3.2" name: m365_defender title: Microsoft M365 Defender -version: "3.7.0" +version: "3.8.0" description: Collect logs from Microsoft M365 Defender with Elastic Agent. categories: - "security" @@ -24,6 +24,9 @@ policy_templates: organization: security division: engineering team: security-service-integrations + resources: + requests: + memory: 4Gi # Due to the large volume of data being processed in memory, a 4 GB allocation is required for agentless deployment-anything less may lead to out-of-memory (OOM) issue. inputs: - type: httpjson title: "Collect logs from M365 Defender API" 
@@ -118,6 +121,94 @@ policy_templates: - type: azure-eventhub title: "Collect logs from Azure Event Hub" description: "Collect logs from Azure Event Hub" + - type: cel + title: "Collect logs from Microsoft Defender for Endpoint API" + description: "Collecting logs via Microsoft Defender for Endpoint API." + vars: + - name: url + type: text + title: URL + description: By default, the URL is set to `https://api.securitycenter.microsoft.com`. It is observed that M365 Defender Base URL changes based on location so find your own base URL. + multi: false + required: true + show_user: false + default: https://api.securitycenter.microsoft.com + - name: client_id + type: text + title: Client ID + description: Client ID for Azure AD application. + multi: false + required: true + show_user: true + - name: client_secret + type: password + title: Client Secret + secret: true + description: Client Secret for Azure AD application. + multi: false + required: true + show_user: true + - name: azure_tenant_id + type: text + title: Azure Tenant ID + description: Tenant ID of the Azure. + multi: false + required: true + show_user: true + - name: token_url + type: text + title: Oauth2 Token URL + description: The Base URL endpoint that will be used to generate the tokens during the oauth2 flow. If not provided, above `Azure Tenant ID` will be used for oauth2 token generation. + show_user: true + required: false + default: https://login.microsoftonline.com + secret: false + - name: token_scopes + type: text + title: Token Scopes + description: Defines the level of access granted to the API. This scope is required to authenticate and authorize API requests in M365 Defender Vulnerability Management. + multi: true + secret: false + required: true + show_user: false + default: + - "https://securitycenter.onmicrosoft.com/windowsatpservice/.default" + - name: proxy_url + type: text + title: Proxy URL + description: URL to proxy connections in the form of http[s]://:@:. 
Please ensure your username and password are in URL encoded format. + multi: false + required: false + show_user: false + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- icons: - src: /img/logo.svg title: M365 logo 
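Review bot: the `token_url` description in the new `cel` input is misleading: "If not provided, above `Azure Tenant ID` will be used for oauth2 token generation" reads as if the tenant ID replaces the URL, yet a default of `https://login.microsoftonline.com` is always present and the Azure AD v2 token endpoint is formed by appending the tenant (the mock config in this same diff serves `/tenant_id/oauth2/v2.0/token`). Suggest `description: Base URL used to request OAuth2 tokens. The Azure Tenant ID is appended to it to form the token endpoint.` Wording nits in the same hunk: `description: Tenant ID of the Azure.` should be `Azure tenant ID.`, the input `description: "Collecting logs via Microsoft Defender for Endpoint API."` should use the same phrasing as its title ("Collect logs from ..."), and "It is observed that M365 Defender Base URL changes based on location so find your own base URL" should point users at Microsoft's documented regional base URLs instead. Finally, `token_url` and `token_scopes` carry an explicit `secret: false` while `client_id` and `azure_tenant_id` do not; pick one convention for all non-secret vars.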
@@ -148,6 +239,10 @@ screenshots: title: Microsoft 365 Defender (Events) App & Identity Dashboard size: 600x600 type: image/png + - src: /img/m365-defender-vulnerability.png + title: Microsoft 365 Defender Vulnerability + size: 600x600 + type: image/png owner: github: elastic/security-service-integrations type: elastic diff --git a/packages/microsoft_defender_endpoint/_dev/build/docs/README.md b/packages/microsoft_defender_endpoint/_dev/build/docs/README.md index 2221245a93f..d962a10ac94 100644 --- a/packages/microsoft_defender_endpoint/_dev/build/docs/README.md +++ b/packages/microsoft_defender_endpoint/_dev/build/docs/README.md @@ -2,7 +2,7 @@ This integration is for [Microsoft Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) logs. -Microsoft Defender for Endpoint integration collects data for Alert, Machine, and Machine Action logs using REST API. +Microsoft Defender for Endpoint integration collects data for Alert, Machine, Machine Action, and Vulnerability logs using REST API. ## Data streams @@ -11,6 +11,8 @@ This integration collects the following logs: - **[Alert](https://learn.microsoft.com/en-us/defender-endpoint/api/get-alerts?view=o365-worldwide)** - Retrieves alerts generated by Microsoft Defender for Endpoint. - **[Machine](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines?view=o365-worldwide)** - Retrieves machines that have communicated with Microsoft Defender for Endpoint. - **[Machine Action](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machineactions-collection?view=o365-worldwide)** - Retrieves logs of actions carried out on machines. +- **[Vulnerability](https://learn.microsoft.com/en-us/defender-endpoint/api/vulnerability?view=o365-worldwide)** - Retrieves logs of Vulnerability. + ## Requirements 
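Review bot: the new data-stream bullet `- **[Vulnerability](...)** - Retrieves logs of Vulnerability.` is much vaguer than its siblings; given that the mock config in this diff calls `/api/vulnerabilities`, `/api/vulnerabilities/machinesVulnerabilities` and `/api/machines`, and the test log embeds an `affectedMachine` object in each record, something like `Retrieves vulnerabilities known to Microsoft Defender for Endpoint together with the machines they affect.` describes what the stream actually contains. The same hunk also adds a second blank line before `## Requirements`, where the rest of the README uses one.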
@@ -36,6 +38,7 @@ When the application is granted the API permissions listed in the table below, i | Alert | Alert.Read.All | | Machine | Machine.Read.All | | Machine Action | Machine.Read.All | +| Vulnerability | Vulnerability.Read.All, Machine.Read.All | After the application has been created, it should contain 3 values that you need to apply to the module configuration. @@ -53,6 +56,11 @@ These values are: 4. Add all the required integration configuration parameters, including the Client ID, Client Secret, Tenant ID to enable data collection. 5. Select "Save and continue" to save the integration. +### Data Retention and ILM Configuration (For Vulnerability Data Stream) +A full sync pulls in a large volume of data, which can lead to storage issues or index overflow over time. To avoid this, we’ve set up an Index Lifecycle Management (ILM) policy that automatically deletes data older than 7 days. This helps keep storage usage under control. + +> **Note:** The user or service account associated with the integration must have the following **index privileges** on the relevant index have the following permissions `delete`, `delete_index` + ## ECS mappings | Defender for Endpoint fields | ECS Fields | @@ -122,3 +130,13 @@ This is the `machine action` dataset. {{event "machine_action"}} {{fields "machine_action"}} + +### Vulnerability + +This is the `vulnerability` dataset. + +#### Example + +{{event "vulnerability"}} + +{{fields "vulnerability"}} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml b/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml index ee7d13b9207..025a06b25b6 100644 --- a/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml +++ b/packages/microsoft_defender_endpoint/_dev/deploy/docker/docker-compose.yml 
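Review bot: the note added under the new ILM section is garbled ("must have the following **index privileges** on the relevant index have the following permissions `delete`, `delete_index`") and the requirement itself needs checking: if the 7-day deletion is carried out by the ILM policy, it runs inside Elasticsearch and the integration's ingest user needs no `delete` or `delete_index` privilege; if the integration deletes documents itself, the section should say that rather than attribute it to ILM. Either way, collapse the sentence to one clause, e.g. `> **Note:** The user or service account used by the integration must have the `delete` and `delete_index` index privileges on the vulnerability indices.`, and mention the 7-day retention where the data stream is introduced so users know a full sync is not kept indefinitely. The permissions row `Vulnerability | Vulnerability.Read.All, Machine.Read.All` is consistent with the mock config calling both the vulnerability and machines endpoints, and both are read-only, which is the right scope. Nit: `{{fields "vulnerability"}}` lands without a trailing newline (`\ No newline at end of file`).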
@@ -18,3 +18,16 @@ services: - http-server - --addr=:8080 - --config=/config.yml + microsoft-defender-endpoint-vulnerability-cel: + image: docker.elastic.co/observability/stream:v0.15.0 + ports: + - 8080 + volumes: + - ./vulnerability-http-mock-config.yml:/config.yml + environment: + PORT: 8080 + command: + - http-server + - --exit-on-unmatched-rule + - --addr=:8080 + - --config=/config.yml diff --git a/packages/microsoft_defender_endpoint/_dev/deploy/docker/vulnerability-http-mock-config.yml b/packages/microsoft_defender_endpoint/_dev/deploy/docker/vulnerability-http-mock-config.yml new file mode 100644 index 00000000000..8b12306ff7c --- /dev/null +++ b/packages/microsoft_defender_endpoint/_dev/deploy/docker/vulnerability-http-mock-config.yml 
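Review bot: `--exit-on-unmatched-rule` on the new `microsoft-defender-endpoint-vulnerability-cel` service is a good choice, since any request the CEL program makes outside the mocked paths will fail the system test loudly instead of being silently ignored; the existing service in the context lines runs with only `--addr=:8080` and `--config=/config.yml`, so consider adding the flag there too for the same reason.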
@@ -0,0 +1,465 @@ +rules: + - path: /tenant_id/oauth2/v2.0/token + methods: [POST] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + {"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"xxxx"} + - path: /api/vulnerabilities/machinesVulnerabilities + methods: ['GET'] + query_params: + $top: 10000 + $skip: 0 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)", + "@odata.count": 5, + "value": [ + { + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", + "cveId": "CVE-2025-3074", + "machineId": "94819846155826828d1603b913c67fe336d81295", + "fixingKbId": null, + "productName": "edge_chromium-based", + "productVendor": "microsoft", + "productVersion": "134.0.3124.72", + "severity": "Medium" + }, + { + "id": "c473dc518718ab3d14ced2bd0870665a533070e0-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", + "cveId": "CVE-2025-3074", + "machineId": "c473dc518718ab3d14ced2bd0870665a533070e0", + "fixingKbId": null, + "productName": "edge_chromium-based", + "productVendor": "microsoft", + "productVersion": "133.0.3065.92", + "severity": "Medium" + }, + { + "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-microsoft-_-edge_chromium-based-_-133.0.3065.92-_-", + "cveId": "CVE-2025-3073", + "machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", + "fixingKbId": null, + "productName": "edge_chromium-based", + "productVendor": "microsoft", + "productVersion": "133.0.3065.92", + "severity": "Medium" + }, + { + "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67-_-CVE-2025-3073-_-google-_-chrome-_-134.0.6998.118-_-", + "cveId": "CVE-2025-3073", + 
"machineId": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", + "fixingKbId": null, + "productName": "chrome", + "productVendor": "google", + "productVersion": "134.0.6998.118", + "severity": "Medium" + }, + { + "id": "6825811b97340ed50d858e6285c7a7878248ca75-_-CVE-2025-26635-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", + "cveId": "CVE-2025-26635", + "machineId": "6825811b97340ed50d858e6285c7a7878248ca75", + "fixingKbId": "5055518", + "productName": "windows_10", + "productVendor": "microsoft", + "productVersion": "10.0.19045.5011", + "severity": "Medium" + } + ] + } + `}} + - path: /api/machines + methods: ['GET'] + query_params: + $top: 10000 + $skip: 0 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", + "value": [ + { + "id": "94819846155826828d1603b913c67fe336d81295", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "firstSeen": "2025-01-08T13:05:05.3483549Z", + "lastSeen": "2025-01-08T13:15:03.694371Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "175.16.199.0", + "lastExternalIpAddress": "1.128.0.0", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "None", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": ["test tag"], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "216.160.83.56", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": 
"Up" + } + ], + "vmMetadata": null + }, + { + "id": "c473dc518718ab3d14ced2bd0870665a533070e0", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-a415f17e-ce8d-4ce2-a8b4-83b674e7017e", + "firstSeen": "2025-01-09T20:29:06.2413437Z", + "lastSeen": "2025-01-09T20:57:23.4538904Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "81.2.69.142", + "lastExternalIpAddress": "81.2.69.144", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "None", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "81.2.69.192", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a02:cf40::", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + }, + { + "id": "c4ca2eb56d52f0a9378d3265541ba02403b76d67", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-1602ff76-ed7f-4c94-b550-2f727b4782d4", + "firstSeen": "2025-01-09T14:01:35.8022227Z", + "lastSeen": "2025-01-09T14:22:34.8819165Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "81.2.69.192", + "lastExternalIpAddress": "89.160.20.112", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "None", + "exposureLevel": "Low", + "isAadJoined": false, + 
"aadDeviceId": null, + "machineTags": [], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "81.2.69.192", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a02:cf40::", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + }, + { + "id": "6825811b97340ed50d858e6285c7a7878248ca75", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-ab4d04af-68dc-4fee-9c16-6545265b3276", + "firstSeen": "2025-01-09T06:29:21.587607Z", + "lastSeen": "2025-01-09T06:56:38.3119183Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": "20.4", + "lastIpAddress": "81.2.69.192", + "lastExternalIpAddress": "89.160.20.112", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "Medium", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": ["test"], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "81.2.69.192", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + }, + { + "id": "08a037be5ffcf0e85c0817a202a95e86dbb65124", + "mergedIntoMachineId": null, + "isPotentialDuplication": false, + "isExcluded": false, + "exclusionReason": null, + "computerDnsName": "bdp3449-ub20-2-3a95cdb2-c6ea-4761-b24e-02b71889b8bb", + "firstSeen": "2025-01-09T07:29:19.0754397Z", + "lastSeen": "2025-01-09T07:54:33.335749Z", + "osPlatform": "Ubuntu", + "osVersion": null, + "osProcessor": "x64", + "version": 
"20.4", + "lastIpAddress": "67.43.156.0", + "lastExternalIpAddress": "175.16.199.0", + "agentVersion": "30.124092.2.0", + "osBuild": 6, + "healthStatus": "Inactive", + "deviceValue": "Normal", + "rbacGroupId": 0, + "rbacGroupName": null, + "riskScore": "High", + "exposureLevel": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [], + "onboardingStatus": "Onboarded", + "osArchitecture": "64-bit", + "managedBy": "MicrosoftDefenderForEndpoint", + "managedByStatus": "Success", + "ipAddresses": [ + { + "ipAddress": "67.43.156.0", + "macAddress": "000C2910F1DA", + "type": "Other", + "operationalStatus": "Up" + } + ], + "vmMetadata": null + } + ] + } + `}} + - path: /api/vulnerabilities + methods: ['GET'] + query_params: + $top: 2 + $skip: 0 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", + "@odata.count": 2, + "value": [ + { + "id": "CVE-2025-3074", + "name": "CVE-2025-3074", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 6.5, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "exposedMachines": 2, + "publishedOn": "2025-04-01T00:00:00Z", + "updatedOn": "2025-04-08T00:00:00Z", + "firstDetected": "2025-04-01T19:52:39Z", + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "Supported", + "tags": ["test"], + "epss": 0.00111 + }, + { + "id": "CVE-2025-3073", + "name": "CVE-2025-3073", + "description": "Summary: An inappropriate implementation in the Autofill feature of Google Chrome versions prior to 135.0.7049.52 allows a remote attacker to perform UI spoofing by convincing a user to interact with a crafted HTML page. This vulnerability is categorized with a Chromium security severity rating of Low. Impact: Exploitation of this vulnerability could enable an attacker to bypass security restrictions, potentially leading to unauthorized actions or data exposure. AdditionalInformation: This vulnerability is also relevant to Microsoft Edge (Chromium-based), as it ingests Chromium. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 6.5, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "exposedMachines": 1, + "publishedOn": "2025-04-01T00:00:00Z", + "updatedOn": "2025-04-08T00:00:00Z", + "firstDetected": "2025-04-01T19:52:39Z", + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "Supported", + "tags": ["test"], + "epss": 0.00111 + } + ] + } + `}} + - path: /api/vulnerabilities + methods: ['GET'] + query_params: + $top: 2 + $skip: 2 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", + "@odata.count": 2, + "value": [ + { + "id": "CVE-2025-26635", + "name": "CVE-2025-26635", + "description": "Summary: A vulnerability in Windows Hellos authentication mechanism permits an authorized attacker to bypass its security feature remotely over a network. Impact: Exploitation of this vulnerability could allow unauthorized access to systems, potentially leading to data breaches or further network compromise. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 6.5, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C", + "exposedMachines": 1, + "publishedOn": "2025-04-08T07:00:00Z", + "updatedOn": "2025-04-09T20:03:01.577Z", + "firstDetected": "2025-04-08T18:00:48Z", + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "Supported", + "tags": [], + "epss": 0.00052 + }, + { + "id": "CVE-2025-3437", + "name": "CVE-2025-3437", + "description": "Summary: The Motors – Car Dealership & Classified Listings Plugin for WordPress contains a vulnerability in its ajax_actions.php file, where several functions lack proper capability checks. This flaw exists in all versions up to and including 1.4.66, allowing authenticated attackers with Subscriber-level access or higher to perform unauthorized data modifications. Impact: Exploitation of this vulnerability could lead to unauthorized changes to the plugins setup, potentially compromising the integrity of the affected WordPress site. Remediation: Upgrade to a version of Stylemixthemes Motors - Car Dealer, Classifieds & Listing later than 1.4.66. 
[Generated by AI]", + "severity": "Medium", + "cvssV3": 4.3, + "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "exposedMachines": 0, + "publishedOn": "2025-04-08T10:15:19.413Z", + "updatedOn": "2025-04-08T18:13:53.347Z", + "firstDetected": null, + "patchFirstAvailable": null, + "publicExploit": false, + "exploitVerified": false, + "exploitInKit": false, + "exploitTypes": [], + "exploitUris": [], + "cveSupportability": "NotSupported", + "tags": [], + "epss": 0.00025 + } + ] + } + `}} + - path: /api/vulnerabilities + methods: ['GET'] + query_params: + $top: 2 + $skip: 4 + request_headers: + Authorization: + - "Bearer xxxx" + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {{ minify_json ` + { + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities", + "@odata.count": 0, + "value": [] + } + `}} + \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/changelog.yml b/packages/microsoft_defender_endpoint/changelog.yml index 95d833f436e..b74572b776e 100644 --- a/packages/microsoft_defender_endpoint/changelog.yml +++ b/packages/microsoft_defender_endpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.38.0" + changes: + - description: Add vulnerability data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/13595 - version: "2.37.0" changes: - description: Map `microsoft_defender_endpoint.machine.aad_device_id` to `device.id`. diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..284a400f443 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml 
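Review bot: pagination is only exercised for `/api/vulnerabilities` (three rules with `$top: 2` and `$skip: 0`, `2`, `4`, the last returning an empty `value`), while `/api/vulnerabilities/machinesVulnerabilities` and `/api/machines` each have a single rule with `$top: 10000` and `$skip: 0`. If the CEL program pages those two endpoints the same way, add a matching empty-page rule for `$skip: 10000` so loop termination is tested rather than assumed; if it stops when a page comes back short of `$top`, a comment in the mock saying so would help the next maintainer. The sample data is otherwise well chosen: two records for the same machine and CVE with different products, one machine (`08a037be...`) with no vulnerabilities, a `cveSupportability: NotSupported` entry with `exposedMachines: 0`, and IPs from the documentation ranges that the GeoIP test database resolves. Nit: the file ends with a stray whitespace-only line and no trailing newline (`+ \ No newline at end of file`).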
@@ -0,0 +1,5 @@ +fields: + tags: + - preserve_duplicate_custom_fields +dynamic_fields: + "event.id": ".*" \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log new file mode 100644 index 00000000000..6dedf0fedc1 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log 
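Review bot: `dynamic_fields: "event.id": ".*"` is needed because the `event.id` in the expected output embeds a wall-clock timestamp (`...-_--2025-05-27T10:43:44.995353005Z` appended to the record `id`). That means every sync produces a fresh `event.id` for the same machine/CVE pair, so nothing downstream can deduplicate repeated full syncs on it; if that is deliberate (each copy within the 7-day retention window is meant to be kept), record the rationale in a pipeline comment, otherwise consider using the record `id` alone, which already encodes machine, CVE, vendor, product and version. A regex tighter than `.*`, anchored on the `-_-` separators and the trailing timestamp, would also catch a regression that emits an empty or malformed id.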
@@ -0,0 +1,4 @@ +{"affectedMachine":{"id":"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-","cveId":"CVE-2024-11168","machineId":"86c0491db8ff7e8dcad520288b7759fa27793ce1","fixingKbId":null,"productName":"python-unversioned-command_for_linux","productVendor":"red_hat","productVersion":"0:3.9.18-3.el9_4.6","severity":"Medium","mergedIntoMachineId":null,"isPotentialDuplication":false,"isExcluded":false,"exclusionReason":null,"computerDnsName":"C-Lab-33","firstSeen":"2024-11-06T09:57:53.476232Z","lastSeen":"2025-05-12T04:13:23.7778534Z","osPlatform":"RedHatEnterpriseLinux","osVersion":null,"osProcessor":"x64","version":"9.4","lastIpAddress":"89.160.20.112","lastExternalIpAddress":"175.16.199.0","agentVersion":"30.124082.4.0","osBuild":null,"healthStatus":"Active","deviceValue":"Normal","rbacGroupId":0,"rbacGroupName":null,"riskScore":"High","exposureLevel":"High","isAadJoined":false,"aadDeviceId":null,"machineTags":["C-Lab-Linux"],"onboardingStatus":"Onboarded","osArchitecture":"64-bit","managedBy":"MicrosoftDefenderForEndpoint","managedByStatus":"Success","ipAddresses":[{"ipAddress":"89.160.20.112","macAddress":"00505681A42F","type":"Other","operationalStatus":"Up"},{"ipAddress":"67.43.156.0","macAddress":"000000000000","type":"Other","operationalStatus":"Up"}],"vmMetadata":null},"id":"CVE-2024-11168","name":"CVE-2024-11168","description":"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. 
AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]","severity":"Medium","cvssV3":6.3,"cvssVector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X","exposedMachines":2,"publishedOn":"2023-04-25T16:00:00Z","updatedOn":"2025-04-11T22:15:28.96Z","firstDetected":"2025-05-02T05:36:57Z","patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":["Remote"],"exploitUris":[],"cveSupportability":"Supported","tags":[],"epss":0.00154} +{"affectedMachine":{"aadDeviceId":"79dc383d-1ba1-4ac9-9dca-792e881a5034","agentVersion":"10.8760.19045.5011","computerDnsName":"c-lab-14","cveId":"CVE-2025-24062","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"High","firstSeen":"2024-11-05T11:55:28.5899758Z","fixingKbId":"5055518","healthStatus":"Active","id":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518","ipAddresses":[{"ipAddress":"1.128.0.0","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"2a02:cf40::","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"81.2.69.192","macAddress":null,"operationalStatus":"Up","type":"SoftwareLoopback"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"89.160.20.112","lastIpAddress":"175.16.199.0","lastSeen":"2025-04-21T08:24:41.3833512Z","machineId":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a","machineTags":[],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcesso
r":"x64","osVersion":null,"productName":"windows_10","productVendor":"microsoft","productVersion":"10.0.19045.5011","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7.8,"cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00073,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":7,"firstDetected":"2025-04-08T18:00:48Z","id":"CVE-2025-24062","name":"CVE-2025-24062","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2025-04-08T07:00:00Z","severity":"High","tags":["test"],"updatedOn":"2025-04-09T20:03:01.577Z"} +{"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029} +{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. 
An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"} diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json new file mode 100644 index 00000000000..a7c00dfab7b --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json 
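Review bot: the four sample records cover the edge cases well: one with `affectedMachine: null` and `exposedMachines: 0` (no machine join), one with a non-CVE identifier (`TVM-2020-0002`), and a first record whose `cvssVector` is a `CVSS:4.0/...` string while `cvssV3` is still populated (6.3). Make sure the pipeline does not assume the vector always begins with `CVSS:3.x`, and that `osBuild` being `null` in the first record and the integer `19045` in the second map to the same field type without a conversion failure. The second record's `ipAddresses` also contains an entry with `macAddress: null` and `type: SoftwareLoopback`; if MACs are mapped to `host.mac`, null entries should be skipped rather than emitted as empty values.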
@@ -0,0 +1,558 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_--2025-05-27T10:43:44.995353005Z", + "kind": "event", + "original": "{\"affectedMachine\":{\"id\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-\",\"cveId\":\"CVE-2024-11168\",\"machineId\":\"86c0491db8ff7e8dcad520288b7759fa27793ce1\",\"fixingKbId\":null,\"productName\":\"python-unversioned-command_for_linux\",\"productVendor\":\"red_hat\",\"productVersion\":\"0:3.9.18-3.el9_4.6\",\"severity\":\"Medium\",\"mergedIntoMachineId\":null,\"isPotentialDuplication\":false,\"isExcluded\":false,\"exclusionReason\":null,\"computerDnsName\":\"C-Lab-33\",\"firstSeen\":\"2024-11-06T09:57:53.476232Z\",\"lastSeen\":\"2025-05-12T04:13:23.7778534Z\",\"osPlatform\":\"RedHatEnterpriseLinux\",\"osVersion\":null,\"osProcessor\":\"x64\",\"version\":\"9.4\",\"lastIpAddress\":\"89.160.20.112\",\"lastExternalIpAddress\":\"175.16.199.0\",\"agentVersion\":\"30.124082.4.0\",\"osBuild\":null,\"healthStatus\":\"Active\",\"deviceValue\":\"Normal\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"High\",\"exposureLevel\":\"High\",\"isAadJoined\":false,\"aadDeviceId\":null,\"machineTags\":[\"C-Lab-Linux\"],\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"ipAddresses\":[{\"ipAddress\":\"89.160.20.112\",\"macAddress\":\"00505681A42F\",\"type\":\"Other\",\"operationalStatus\":\"Up\"},{\"ipAddress\":\"67.43.156.0\",\"macAddress\":\"000000000000\",\"type\":\"Other\",\"operationalStatus\":\"Up\"}],\"vmMetadata\":null},\"id\":\"CVE-2024-11168\",\"name\":\"CVE-2024-11168\",\"description\":\"Summary: Pythons CPython implementation contains a vulnerability 
(CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.3,\"cvssVector\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X\",\"exposedMachines\":2,\"publishedOn\":\"2023-04-25T16:00:00Z\",\"updatedOn\":\"2025-04-11T22:15:28.96Z\",\"firstDetected\":\"2025-05-02T05:36:57Z\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[\"Remote\"],\"exploitUris\":[],\"cveSupportability\":\"Supported\",\"tags\":[],\"epss\":0.00154}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "hostname": "C-Lab-33", + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", + "ip": [ + "175.16.199.0" + ], + "name": "C-Lab-33", + "os": { + "name": "RedHatEnterpriseLinux 9.4", + "platform": "RedHatEnterpriseLinux", + "type": "linux", + "version": "9.4" + }, + "risk": { + "calculated_level": "High" + } 
+ }, + "message": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", + "microsoft_defender_endpoint": { + "vulnerability": { + "affected_machine": { + "agent_version": "30.124082.4.0", + "computer_dns_name": "C-Lab-33", + "device_value": "Normal", + "exposure_level": "High", + "first_seen": "2024-11-06T09:57:53.476Z", + "health_status": "Active", + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-", + "ip_addresses": [ + { + "ip_address": "89.160.20.112", + "mac_address": "00-50-56-81-A4-2F", + "operational_status": "Up", + "type": "Other" + }, + { + "ip_address": "67.43.156.0", + "mac_address": "00-00-00-00-00-00", + "operational_status": "Up", + "type": "Other" + } + ], + "is_aad_joined": false, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "175.16.199.0", + "last_ip_address": "89.160.20.112", + "last_seen": "2025-05-12T04:13:23.777Z", + "machine_id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", + "machine_tags": [ + "C-Lab-Linux" + ], + "managed_by": "MicrosoftDefenderForEndpoint", + "managed_by_status": "Success", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", 
+ "os_platform": "RedHatEnterpriseLinux", + "os_processor": "x64", + "product_name": "python-unversioned-command_for_linux", + "product_vendor": "red_hat", + "product_version": "0:3.9.18-3.el9_4.6", + "rbac_group_id": "0", + "risk_score": "High", + "severity": "Medium", + "version": "9.4" + }, + "cve_supportability": "Supported", + "cvss_v3": 6.3, + "cvss_vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X", + "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. 
[Generated by AI]", + "epss": 0.00154, + "exploit_in_kit": false, + "exploit_types": [ + "Remote" + ], + "exploit_verified": false, + "exposed_machines": 2, + "first_detected": "2025-05-02T05:36:57.000Z", + "id": "CVE-2024-11168", + "impact": "Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data.", + "name": "CVE-2024-11168", + "public_exploit": false, + "published_on": "2023-04-25T16:00:00.000Z", + "remediation": "Upgrade to Python version 3.9.21 or later.", + "severity": "Medium", + "updated_on": "2025-04-11T22:15:28.960Z" + } + }, + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "fixed_version": "3.9.21", + "name": "python-unversioned-command_for_linux", + "version": "0:3.9.18-3.el9_4.6" + }, + "related": { + "hosts": [ + "C-Lab-33", + "86c0491db8ff7e8dcad520288b7759fa27793ce1" + ], + "ip": [ + "89.160.20.112", + "67.43.156.0", + "175.16.199.0" + ] + }, + "resource": { + "id": "86c0491db8ff7e8dcad520288b7759fa27793ce1", + "name": "C-Lab-33" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. 
Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2024-11168", + "published_date": "2023-04-25T16:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2024-11168", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.3 + }, + "severity": "Medium", + "title": "Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks." + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518-2025-05-27T10:43:44.995409024Z", + "kind": "event", + "original": 
"{\"affectedMachine\":{\"aadDeviceId\":\"79dc383d-1ba1-4ac9-9dca-792e881a5034\",\"agentVersion\":\"10.8760.19045.5011\",\"computerDnsName\":\"c-lab-14\",\"cveId\":\"CVE-2025-24062\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"High\",\"firstSeen\":\"2024-11-05T11:55:28.5899758Z\",\"fixingKbId\":\"5055518\",\"healthStatus\":\"Active\",\"id\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518\",\"ipAddresses\":[{\"ipAddress\":\"1.128.0.0\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"2a02:cf40::\",\"macAddress\":\"00505683B889\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"},{\"ipAddress\":\"81.2.69.192\",\"macAddress\":null,\"operationalStatus\":\"Up\",\"type\":\"SoftwareLoopback\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"89.160.20.112\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-04-21T08:24:41.3833512Z\",\"machineId\":\"fd43e5b3ba69b8ecffb165017d9c8687f24e246a\",\"machineTags\":[],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"windows_10\",\"productVendor\":\"microsoft\",\"productVersion\":\"10.0.19045.5011\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7.8,\"cvssVector\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. 
Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00073,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":7,\"firstDetected\":\"2025-04-08T18:00:48Z\",\"id\":\"CVE-2025-24062\",\"name\":\"CVE-2025-24062\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-08T07:00:00Z\",\"severity\":\"High\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-09T20:03:01.577Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "hostname": "c-lab-14", + "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", + "ip": [ + "89.160.20.112" + ], + "name": "c-lab-14", + "os": { + "name": "Windows10 22H2", + "platform": "Windows10", + "type": "windows", + "version": "22H2" + }, + "risk": { + "calculated_level": "None" + } + }, + "message": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "microsoft_defender_endpoint": { + "vulnerability": { + "affected_machine": { + "aad_device_id": "79dc383d-1ba1-4ac9-9dca-792e881a5034", + "agent_version": "10.8760.19045.5011", + "computer_dns_name": "c-lab-14", + "device_value": "Normal", + "exposure_level": "High", + "first_seen": "2024-11-05T11:55:28.589Z", + "fixing_kb_id": "5055518", + "health_status": "Active", + "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518", + "ip_addresses": [ + { + "ip_address": "1.128.0.0", + "mac_address": "00-50-56-83-B8-89", + "operational_status": "Up", + "type": "Ethernet" + }, + { + "ip_address": "2a02:cf40::", + "mac_address": "00-50-56-83-B8-89", + "operational_status": "Up", + "type": "Ethernet" + }, + { + "ip_address": "81.2.69.192", + "operational_status": "Up", + "type": "SoftwareLoopback" + } + ], + "is_aad_joined": true, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "89.160.20.112", + "last_ip_address": "175.16.199.0", + "last_seen": "2025-04-21T08:24:41.383Z", + "machine_id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", + "managed_by": "Intune", + "managed_by_status": "Unknown", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 19045, + "os_platform": "Windows10", + "os_processor": "x64", + "product_name": "windows_10", + "product_vendor": "microsoft", + "product_version": "10.0.19045.5011", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "High", + "version": "22H2" + }, + "cve_supportability": "Supported", + "cvss_v3": 7.8, + "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. 
Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "epss": 7.3E-4, + "exploit_in_kit": false, + "exploit_types": [ + "PrivilegeEscalation" + ], + "exploit_verified": false, + "exposed_machines": 7, + "first_detected": "2025-04-08T18:00:48.000Z", + "id": "CVE-2025-24062", + "impact": "Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity.", + "name": "CVE-2025-24062", + "public_exploit": false, + "published_on": "2025-04-08T07:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "High", + "tags": [ + "test" + ], + "updated_on": "2025-04-09T20:03:01.577Z" + } + }, + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "windows_10", + "version": "10.0.19045.5011" + }, + "related": { + "hosts": [ + "79dc383d-1ba1-4ac9-9dca-792e881a5034", + "c-lab-14", + "fd43e5b3ba69b8ecffb165017d9c8687f24e246a" + ], + "ip": [ + "1.128.0.0", + "2a02:cf40::", + "81.2.69.192", + "89.160.20.112", + "175.16.199.0" + ] + }, + "resource": { + "id": "fd43e5b3ba69b8ecffb165017d9c8687f24e246a", + "name": "c-lab-14" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-24062", + "published_date": "2025-04-08T07:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-24062", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 7.8 + }, + "severity": "High", + "title": "An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges." + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "CVE-2025-47828-2025-05-27T10:43:44.995424098Z", + "kind": "event", + "original": "{\"affectedMachine\":null,\"id\":\"CVE-2025-47828\",\"name\":\"CVE-2025-47828\",\"description\":\"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. 
[Generated by AI]\",\"severity\":\"Medium\",\"cvssV3\":6.4,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C\",\"exposedMachines\":0,\"publishedOn\":\"2025-05-11T00:00:00Z\",\"updatedOn\":\"2025-05-12T20:50:07Z\",\"firstDetected\":null,\"patchFirstAvailable\":null,\"publicExploit\":false,\"exploitVerified\":false,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"cveSupportability\":\"NotSupported\",\"tags\":[],\"epss\":0.00029}", + "type": [ + "info" + ] + }, + "message": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", + "microsoft_defender_endpoint": { + "vulnerability": { + "cve_supportability": "NotSupported", + "cvss_v3": 6.4, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C", + "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. 
Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", + "epss": 2.9E-4, + "exploit_in_kit": false, + "exploit_verified": false, + "exposed_machines": 0, + "id": "CVE-2025-47828", + "impact": "Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website.", + "name": "CVE-2025-47828", + "public_exploit": false, + "published_on": "2025-05-11T00:00:00.000Z", + "remediation": "Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05.", + "severity": "Medium", + "updated_on": "2025-05-12T20:50:07.000Z" + } + }, + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "fixed_version": "2024-04-05" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. 
AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-47828", + "published_date": "2025-05-11T00:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-47828", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.4 + }, + "severity": "Medium", + "title": "The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs." + } + }, + { + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_--2025-05-27T10:43:44.995427309Z", + "kind": "event", + "original": "{\"affectedMachine\":{\"aadDeviceId\":\"d78dc223-8dc8-4210-9700-019b3b03505b\",\"agentVersion\":\"10.8792.19045.5737\",\"computerDnsName\":\"c-lab-08\",\"cveId\":\"TVM-2020-0002\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2024-11-05T11:54:59.5717001Z\",\"fixingKbId\":null,\"healthStatus\":\"Active\",\"id\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"00505683B880\",\"operationalStatus\":\"Up\",\"type\":\"Ethernet\"}],\"isAadJoined\":true,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"67.43.156.0\",\"lastIpAddress\":\"89.160.20.128\",\"lastSeen\":\"2025-04-22T05:48:04.7550736Z\",\"machineId\":\"0e23b8b23f6dc0e9d84846f877b45d19c04a522d\",\"machineTags\":[\"test tag 
1\"],\"managedBy\":\"Intune\",\"managedByStatus\":\"Unknown\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":19045,\"osPlatform\":\"Windows10\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"tools\",\"productVendor\":\"vmware\",\"productVersion\":\"12.0.6.0\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"High\",\"version\":\"22H2\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":7,\"cvssVector\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C\",\"description\":\"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00053,\"exploitInKit\":false,\"exploitTypes\":[\"PrivilegeEscalation\"],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":12,\"firstDetected\":\"2025-01-01T08:22:58Z\",\"id\":\"TVM-2020-0002\",\"name\":\"TVM-2020-0002\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2022-08-23T00:00:00Z\",\"severity\":\"High\",\"tags\":[],\"updatedOn\":\"2024-12-10T00:00:00Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "hostname": "c-lab-08", + "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", + "ip": [ + "67.43.156.0" + ], + "name": "c-lab-08", + "os": { + "name": "Windows10 22H2", + "platform": "Windows10", + "type": "windows", + "version": "22H2" + }, + "risk": { + "calculated_level": "None" + } + }, + "message": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "microsoft_defender_endpoint": { + "vulnerability": { + "affected_machine": { + "aad_device_id": "d78dc223-8dc8-4210-9700-019b3b03505b", + "agent_version": "10.8792.19045.5737", + "computer_dns_name": "c-lab-08", + "device_value": "Normal", + "exposure_level": "Low", + "first_seen": "2024-11-05T11:54:59.571Z", + "health_status": "Active", + "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-", + "ip_addresses": [ + { + "ip_address": "216.160.83.56", + "mac_address": "00-50-56-83-B8-80", + "operational_status": "Up", + "type": "Ethernet" + } + ], + "is_aad_joined": true, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "67.43.156.0", + "last_ip_address": "89.160.20.128", + "last_seen": "2025-04-22T05:48:04.755Z", + "machine_id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", + "machine_tags": [ + "test tag 1" + ], + "managed_by": "Intune", + "managed_by_status": "Unknown", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 19045, + "os_platform": "Windows10", + "os_processor": "x64", + "product_name": "tools", + "product_vendor": "vmware", + "product_version": "12.0.6.0", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "High", + "version": "22H2" + }, + "cve_supportability": "Supported", + "cvss_v3": 7.0, + "cvss_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. 
AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "epss": 5.3E-4, + "exploit_in_kit": false, + "exploit_types": [ + "PrivilegeEscalation" + ], + "exploit_verified": false, + "exposed_machines": 12, + "first_detected": "2025-01-01T08:22:58.000Z", + "id": "TVM-2020-0002", + "impact": "If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine.", + "name": "TVM-2020-0002", + "public_exploit": false, + "published_on": "2022-08-23T00:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "High", + "updated_on": "2024-12-10T00:00:00.000Z" + } + }, + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "tools", + "version": "12.0.6.0" + }, + "related": { + "hosts": [ + "d78dc223-8dc8-4210-9700-019b3b03505b", + "c-lab-08", + "0e23b8b23f6dc0e9d84846f877b45d19c04a522d" + ], + "ip": [ + "216.160.83.56", + "67.43.156.0", + "89.160.20.128" + ] + }, + "resource": { + "id": "0e23b8b23f6dc0e9d84846f877b45d19c04a522d", + "name": "c-lab-08" + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. 
Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "enumeration": "TVM", + "id": "TVM-2020-0002", + "published_date": "2022-08-23T00:00:00.000Z", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 7.0 + }, + "severity": "High", + "title": "VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine." + } + } + ] +} diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..d1612acef23 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/_dev/test/system/test-default-config.yml @@ -0,0 +1,15 @@ +input: cel +service: microsoft-defender-endpoint-vulnerability-cel +vars: + url: http://{{Hostname}}:{{Port}} + login_url: http://{{Hostname}}:{{Port}} + client_id: test-app-id + client_secret: test-secret + tenant_id: tenant_id +data_stream: + vars: + batch_size: 2 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 5 
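Review bot: `package.fixed_version` in this expected output is being derived from the free-text, "[Generated by AI]" remediation sentence, and the third event shows why that is fragile: it yields `"fixed_version": "2024-04-05"`, a date rather than a version, taken from "Upgrade to ... version later than 2024-04-05", while the same description says versions "prior to 2025-04-05" are vulnerable, so the extracted value contradicts the affected range in the same record. The source objects carry no structured fixed-version field here (`patchFirstAvailable` is `null` in every event and `fixingKbId` is only present for the Windows one), so either restrict `package.fixed_version` to cases where a structured source exists, or document the heuristic and its limits in the field description. Two smaller points on the same hunk: `vulnerability.score.base` is populated from `cvssV3` for all four events even though the first event's `cvss_vector` is `CVSS:4.0/...` and the others are `CVSS:3.1` and `CVSS:3.0`, so setting `vulnerability.score.version` from the vector prefix would keep consumers from treating a 4.0 base score as 3.x; and `event.id` embeds the collection timestamp (`...-2025-05-27T10:43:44.995353005Z`), which means the same vulnerability-on-machine record gets a new id on every poll, so if that is intended as a snapshot semantic it should be stated in the README, and if not, the id should be built from the stable `affectedMachine.id` plus `updatedOn` instead.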
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/microsoft_defender_endpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..2ebe890369e --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/agent/stream/cel.yml.hbs 
@@ -0,0 +1,253 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + provider: azure + client.id: {{client_id}} + client.secret: {{client_secret}} + scopes: +{{#each token_scopes as |token_scope|}} + - {{token_scope}} +{{/each}} +{{#if login_url}} + token_url: {{login_url}}/{{tenant_id}}/oauth2/v2.0/token +{{else if tenant_id}} + azure.tenant_id: {{tenant_id}} +{{/if}} + +state: + product_batch_size: 10000 + product_skip: 0 + batch_size: {{batch_size}} + skip: 0 + machine_batch_size: 10000 + machine_skip: 0 + affected_machines_only: {{affected_machines_only}} +redact: + fields: ~ +program: | + ( + state.?is_all_products_fetched.orValue(false) ? + { + "products": state.products, + "product_batch_size": state.product_batch_size, + "product_skip": 0, + "is_all_products_fetched": state.is_all_products_fetched, + ?"machines": state.?machines, + "machine_batch_size": state.machine_batch_size, + "machine_skip": state.machine_skip, + ?"is_all_machines_fetched": state.?is_all_machines_fetched, + ?"vulnerabilities": state.?vulnerabilities, + "batch_size": state.batch_size, + "skip": state.skip, + ?"is_all_vulnerabilities_fetched": state.?is_all_vulnerabilities_fetched, + "affected_machines_only": state.affected_machines_only, + } + : + request("GET", state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities?" + { + "$top": [string(state.product_batch_size)], + "$skip": [string(state.product_skip)], + }.format_query()).do_request().as(productResp, productResp.StatusCode == 200 ? 
+ ( + productResp.Body.decode_json().as(productBody, { + "events": [{"message":"retry"}], + "products": (state.?products.orValue([]) + productBody.value).flatten(), + "product_batch_size": state.product_batch_size, + "product_skip": size(productBody.value) > 0 ? int(state.product_skip) + int(state.product_batch_size) : 0, + "is_all_products_fetched": size(productBody.value) < int(state.product_batch_size), + "want_more": true, + "machine_batch_size": state.machine_batch_size, + "machine_skip": state.machine_skip, + "batch_size": state.batch_size, + "skip": state.skip, + "affected_machines_only": state.affected_machines_only, + }) + ) + : + { + "events": { + "error": { + "code": string(productResp.StatusCode), + "id": string(productResp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities/machinesVulnerabilities" + + ( + size(productResp.Body) != 0 ? + string(productResp.Body) + : + string(productResp.Status) + ' (' + string(productResp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ).as(products, !products.?is_all_products_fetched.orValue(false) ? products : ( + products.?is_all_machines_fetched.orValue(false) ? + { + "products": products.products, + "product_batch_size": products.product_batch_size, + "product_skip": 0, + "is_all_products_fetched": products.is_all_products_fetched, + "machines": products.machines, + "machine_batch_size": products.machine_batch_size, + "machine_skip": 0, + "is_all_machines_fetched": products.is_all_machines_fetched, + ?"vulnerabilities": products.?vulnerabilities, + "batch_size": products.batch_size, + "skip": products.skip, + ?"is_all_vulnerabilities_fetched": products.?is_all_vulnerabilities_fetched, + "affected_machines_only": products.affected_machines_only, + } + : + request("GET", state.url.trim_right("/") + "/api/machines?" 
+ { + "$top": [string(products.machine_batch_size)], + "$skip": [string(products.machine_skip)], + }.format_query()).do_request().as(machineResp, machineResp.StatusCode == 200 ? + machineResp.Body.decode_json().as(machineBody, { + "events": [{"message":"retry"}], + "machines": (products.?machines.orValue([]) + machineBody.value).flatten(), + "machine_batch_size": products.machine_batch_size, + "machine_skip": size(machineBody.value) > 0 ? int(products.machine_skip) + int(products.machine_batch_size) : 0, + "is_all_machines_fetched": size(machineBody.value) < int(products.machine_batch_size), + "want_more": true, + "products": products.products, + "product_batch_size": products.product_batch_size, + "product_skip" : 0, + "is_all_products_fetched": products.is_all_products_fetched, + "batch_size": products.batch_size, + "skip": products.skip, + "affected_machines_only": products.affected_machines_only, + }) + : + { + "events": { + "error": { + "code": string(machineResp.StatusCode), + "id": string(machineResp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/machines" + + ( + size(machineResp.Body) != 0 ? + string(machineResp.Body) + : + string(machineResp.Status) + ' (' + string(machineResp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + )).as(products_with_machines, !products_with_machines.?is_all_machines_fetched.orValue(false) ? products_with_machines : ( + products_with_machines.?is_all_vulnerability_fetched.orValue(false) ? 
+ { + "products": products_with_machines.products, + "product_batch_size": products_with_machines.product_batch_size, + "product_skip": 0, + "is_all_products_fetched": products_with_machines.is_all_products_fetched, + "machines": products_with_machines.machines, + "machine_batch_size": products_with_machines.machine_batch_size, + "machine_skip": 0, + "is_all_machines_fetched": products_with_machines.is_all_machines_fetched, + "vulnerabilities": products_with_machines.vulnerabilities, + "batch_size": products_with_machines.batch_size, + "skip": 0, + "is_all_vulnerability_fetched": products_with_machines.is_all_vulnerability_fetched, + "affected_machines_only": products_with_machines.affected_machines_only, + } + : + request("GET", state.url.trim_right("/") + "/api/vulnerabilities?" + { + "$top": [string(products_with_machines.batch_size)], + "$skip": [string(products_with_machines.skip)], + }.format_query()).do_request().as(vulnerabilityResp, vulnerabilityResp.StatusCode == 200 ? + vulnerabilityResp.Body.decode_json().as(vulnerabilityBody, { + "events": [{"message":"retry"}], + "vulnerabilities": (products_with_machines.?vulnerabilities.orValue([]) + vulnerabilityBody.value).flatten(), + "batch_size": state.batch_size, + "skip":size(vulnerabilityBody.value) > 0 ? 
int(products_with_machines.skip) + int(products_with_machines.batch_size) : 0, + "is_all_vulnerabilities_fetched": size(vulnerabilityBody.value) < int(products_with_machines.batch_size), + "want_more": true, + "products": products_with_machines.products, + "product_batch_size": products_with_machines.product_batch_size, + "product_skip" : 0, + "is_all_products_fetched": products_with_machines.is_all_products_fetched, + "machines": products_with_machines.machines, + "machine_batch_size": products_with_machines.machine_batch_size, + "machine_skip": 0, + "is_all_machines_fetched": products_with_machines.is_all_machines_fetched, + "affected_machines_only": products_with_machines.affected_machines_only, + }) + : + { + "events": { + "error": { + "code": string(vulnerabilityResp.StatusCode), + "id": string(vulnerabilityResp.Status), + "message": "GET " + state.url.trim_right("/") + "/api/vulnerabilities" + + ( + size(vulnerabilityResp.Body) != 0 ? + string(vulnerabilityResp.Body) + : + string(vulnerabilityResp.Status) + ' (' + string(vulnerabilityResp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + )).as(all_data, !all_data.?is_all_vulnerabilities_fetched.orValue(false) ? all_data : ( + ( + all_data.products.map(p, (all_data.machines.filter(m, m.id == p.machineId)[0]).with(p)) + ).as(mapped_products, { + "vulnerability_with_machines": all_data.vulnerabilities.filter(v, v.exposedMachines > 0), + "vulnerability_without_machines": !all_data.affected_machines_only ? 
+ all_data.vulnerabilities.filter(v, v.exposedMachines == 0) + : + [], + "mapped_products": mapped_products, + }).as(final_data, { + "events": (final_data.vulnerability_with_machines.map(v, + final_data.mapped_products.filter(mp, mp.cveId == v.id).map(related_mapped_products, + {"message": v.with({"affectedMachine": related_mapped_products}).encode_json()} + )).flatten() + final_data.vulnerability_without_machines.map(v, { + "message": v.with({"affectedMachine": null}).encode_json(), + }) + ).flatten(), + "product_batch_size": all_data.product_batch_size, + "product_skip" : 0, + "machine_batch_size": all_data.machine_batch_size, + "machine_skip": 0, + "batch_size": all_data.batch_size, + "skip": 0, + "affected_machines_only": all_data.affected_machines_only, + "want_more": false, + }) + )) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ilm/default_policy.json b/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..6fbc1040483 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ilm/default_policy.json @@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "7d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "7d", + "actions": { + "delete": {} + } + } + } + } +} 
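Review bot: the vulnerability-stage state key is spelled two ways, which makes one branch unreachable: the guard `products_with_machines.?is_all_vulnerability_fetched.orValue(false) ?` and the pass-through object that follows (`"is_all_vulnerability_fetched": products_with_machines.is_all_vulnerability_fetched`) use the singular, while the fetch branch and the final guard (`!all_data.?is_all_vulnerabilities_fetched.orValue(false)`) use the plural; since nothing ever sets the singular key the pass-through is dead code, and if it were reached the unguarded read would fail. Use `is_all_vulnerabilities_fetched` in all four places. Two smaller points in the same hunk: the machine join `all_data.machines.filter(m, m.id == p.machineId)[0]` indexes an empty list when a product references a machine that was not returned by `/api/machines` (for example a device onboarded between the two paging passes), so wrap it, e.g. `.as(ms, size(ms) > 0 ? ms[0].with(p) : p)`, rather than letting the whole batch error out; and the vulnerability fetch sets `"batch_size": state.batch_size` while every sibling field is read from `products_with_machines`, which is harmless today but worth making consistent. Finally, the error objects return `want_more: false` without carrying the accumulated `products`/`machines` state forward, so any single failed page restarts the full three-stage walk from `skip: 0` on the next interval; a comment saying that is intentional would help the next maintainer.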
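Review bot: in the ILM policy, `delete.min_age: 7d` is measured from rollover, and rollover itself is capped at `max_age: 7d`, so a document lives roughly 7 to 14 days; because every collection interval re-emits the complete vulnerability inventory (the CEL program ends with `want_more: false` only after emitting all events), this short retention is defensible, but it should be stated in the data stream documentation so users understand that historical exposure trends are not preserved by default.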
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..9fa9dc59beb --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,804 @@ +--- +description: Pipeline for processing Vulnerability logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - drop: + if: ctx.message == 'retry' + tag: drop_retry_events + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_event_kind_to_event + value: event + - append: + field: event.type + tag: append_event_type + value: info + - append: + field: event.category + tag: append_event_category + value: vulnerability + - set: + field: observer.product + tag: set_observer_product + value: "Microsoft 365 Defender" + - set: + field: observer.vendor + tag : set_observer_vendor + value: "Microsoft" + - rename: + field: json.affectedMachine.aadDeviceId + tag: rename_affectedMachine_aadDeviceId + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.aad_device_id + ignore_missing: true + - append: + field: 
related.hosts + tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_aad_device_id_into_related_hosts + value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.aad_device_id}}}' + allow_duplicates: false + if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.aad_device_id != null + - rename: + field: json.affectedMachine.agentVersion + tag: rename_affectedMachine_agentVersion + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.agent_version + ignore_missing: true + - rename: + field: json.affectedMachine.computerDnsName + tag: rename_affectedMachine_computerDnsName + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + ignore_missing: true + - set: + field: host.hostname + tag: set_host_hostname_from_microsoft_defender_endpoint_vulnerability_affected_machine_computer_dns_name + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + ignore_empty_value: true + - set: + field: host.name + tag: set_host_hostname_from_microsoft_defender_endpoint_vulnerability_affected_machine_computer_dns_name + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + ignore_empty_value: true + - set: + field: resource.name + tag: set_resource_name_from_microsoft_defender_endpoint_vulnerability_affected_machine_computer_dns_name + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + ignore_empty_value: true + - append: + field: related.hosts + tag: append_microsoft_defender_endpoint_vulnerability_computer_dns_name_into_related_hosts + value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name}}}' + allow_duplicates: false + if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.computer_dns_name != null + - rename: + field: json.affectedMachine.deviceValue + tag: rename_affectedMachine_deviceValue + target_field: 
microsoft_defender_endpoint.vulnerability.affected_machine.device_value + ignore_missing: true + - rename: + field: json.affectedMachine.exclusionReason + tag: rename_affectedMachine_exclusionReason + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.exclusion_reason + ignore_missing: true + - rename: + field: json.affectedMachine.exposureLevel + tag: rename_affectedMachine_exposureLevel + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.exposure_level + ignore_missing: true + - date: + field: json.affectedMachine.firstSeen + tag: date_affectedMachine_firstSeen + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.first_seen + formats: + - strict_date_optional_time_nanos + if: ctx.json?.affectedMachine?.firstSeen != null && ctx.json.affectedMachine.firstSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.affectedMachine.fixingKbId + tag: rename_affectedMachine_fixingKbId + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.fixing_kb_id + ignore_missing: true + - rename: + field: json.affectedMachine.healthStatus + tag: rename_affectedMachine_healthStatus + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.health_status + ignore_missing: true + - rename: + field: json.affectedMachine.id + tag: rename_affectedMachine_id + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_microsoft_defender_endpoint_vulnerability_affected_machine_id + value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.id}}}-{{{_ingest.timestamp}}}' + if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.id != null + - 
foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + convert: + field: _ingest._value.ipAddress + tag: convert_affectedMachine_ipAddresses_ipAddress_to_ip + target_field: _ingest._value.ip_address + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + append: + field: related.ip + tag: append_affectedMachine_ipAddresses_ip_address_into_related_ip + value: '{{{_ingest._value.ip_address}}}' + allow_duplicates: false + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + uppercase: + field: _ingest._value.macAddress + tag: uppercase_affectedMachine_ipAddresses_macAddress + target_field: _ingest._value.mac_address + ignore_missing: true + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + gsub: + field: _ingest._value.mac_address + pattern: '(..)(?!$)' + replacement: '$1-' + tag: gsub_affectedMachine_ipAddresses_mac_address + ignore_missing: true + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + rename: + field: _ingest._value.operationalStatus + tag: rename_affectedMachine_ipAddresses_operationalStatus + target_field: _ingest._value.operational_status + ignore_missing: true + - foreach: + field: json.affectedMachine.ipAddresses + if: ctx.json?.affectedMachine?.ipAddresses instanceof List + processor: + remove: + field: + - _ingest._value.ipAddress + - _ingest._value.macAddress + tag: remove_ipAddresses + 
ignore_missing: true + - rename: + field: json.affectedMachine.ipAddresses + tag: rename_affectedMachine_ipAddresses + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses + ignore_missing: true + - convert: + field: json.affectedMachine.isAadJoined + tag: convert_affectedMachine_isAadJoined_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.is_aad_joined + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.affectedMachine.isExcluded + tag: convert_affectedMachine_isExcluded_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.is_excluded + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.affectedMachine.isPotentialDuplication + tag: convert_affectedMachine_isPotentialDuplication_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.is_potential_duplication + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.affectedMachine.lastExternalIpAddress + tag: convert_affectedMachine_lastExternalIpAddress_to_ip + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address + type: ip + ignore_missing: true 
+ if: ctx.json?.affectedMachine?.lastExternalIpAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: host.ip + tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_last_external_ip_address_into_host_ip + value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address}}}' + allow_duplicates: false + if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.last_external_ip_address != null + - append: + field: related.ip + tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_last_external_ip_address_into_related_ip + value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address}}}' + allow_duplicates: false + if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.last_external_ip_address != null + - geoip: + field: host.ip + target_field: host.geo + tag: geoip_host_geo + ignore_missing: true + - convert: + field: json.affectedMachine.lastIpAddress + tag: convert_affectedMachine_lastIpAddress_to_ip + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.last_ip_address + type: ip + ignore_missing: true + if: ctx.json?.affectedMachine?.lastIpAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_microsoft_defender_endpoint_vulnerability_affected_machine_last_ip_address_into_related_ip + value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.last_ip_address}}}' + allow_duplicates: false + if: 
ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.last_ip_address != null + - date: + field: json.affectedMachine.lastSeen + tag: date_affectedMachine_lastSeen + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.last_seen + formats: + - strict_date_optional_time_nanos + if: ctx.json?.affectedMachine?.lastSeen != null && ctx.json.affectedMachine.lastSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.affectedMachine.machineId + tag: rename_affectedMachine_machineId + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.machine_id + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_microsoft_defender_endpoint_vulnerability_affected_machine_machine_id + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.machine_id + ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_microsoft_defender_endpoint_vulnerability_affected_machine_machine_id + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.machine_id + ignore_empty_value: true + - append: + field: related.hosts + tag: append_related_hosts_from_microsoft_defender_endpoint_vulnerability_affected_machine_machine_id + value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.machine_id}}}' + allow_duplicates: false + if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.machine_id != null + - rename: + field: json.affectedMachine.machineTags + tag: rename_affectedMachine_machineTags + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.machine_tags + ignore_missing: true + - rename: + field: json.affectedMachine.managedBy + tag: rename_affectedMachine_managedBy + target_field: 
microsoft_defender_endpoint.vulnerability.affected_machine.managed_by + ignore_missing: true + - rename: + field: json.affectedMachine.managedByStatus + tag: rename_affectedMachine_managedByStatus + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.managed_by_status + ignore_missing: true + - convert: + field: json.affectedMachine.mergedIntoMachineId + tag: convert_affectedMachine_mergedIntoMachineId_to_string + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.merged_into_machine_id + type: string + ignore_missing: true + - rename: + field: json.affectedMachine.onboardingStatus + tag: rename_affectedMachine_onboardingStatus + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.onboarding_status + ignore_missing: true + - rename: + field: json.affectedMachine.osArchitecture + tag: rename_affectedMachine_osArchitecture + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_architecture + ignore_missing: true + - convert: + field: json.affectedMachine.osBuild + tag: convert_affectedMachine_osBuild_to_long + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_build + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.affectedMachine.osPlatform + tag: rename_affectedMachine_osPlatform + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_platform + ignore_missing: true + - set: + field: host.os.platform + tag: set_host_os_platform_from_microsoft_defender_endpoint_vulnerability_affected_machine_os_platform + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.os_platform + ignore_empty_value: true + - script: + description: Dynamically set host.os.type 
values. + tag: script_map_host_os_type + lang: painless + if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.os_platform != null + params: + os_type: + - linux + - macos + - unix + - windows + - ios + - android + source: | + String os_platform = ctx.microsoft_defender_endpoint.vulnerability.affected_machine.os_platform.toLowerCase(); + for (String os: params.os_type) { + if (os_platform.contains(os)) { + ctx.host.os.put('type', os); + return; + } + } + if (os_platform.contains('centos') || os_platform.contains('ubuntu')) { + ctx.host.os.put('type', 'linux'); + } + - rename: + field: json.affectedMachine.osProcessor + tag: rename_affectedMachine_osProcessor + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_processor + ignore_missing: true + - set: + field: host.architecture + tag: set_host_architecture_from_vulnerability_affected_machine_os_processor + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.os_processor + ignore_empty_value: true + - convert: + field: json.affectedMachine.osVersion + tag: convert_affectedMachine_osVersion_to_string + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.os_version + type: string + ignore_missing: true + - rename: + field: json.affectedMachine.productName + tag: rename_affectedMachine_productName + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.product_name + ignore_missing: true + - set: + field: package.name + tag: set_package_version_from_vulnerability_affected_machine_product_name + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.product_name + ignore_empty_value: true + - rename: + field: json.affectedMachine.productVendor + tag: rename_affectedMachine_productVendor + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.product_vendor + ignore_missing: true + - rename: + field: json.affectedMachine.productVersion + tag: rename_affectedMachine_productVersion + 
target_field: microsoft_defender_endpoint.vulnerability.affected_machine.product_version + ignore_missing: true + - set: + field: package.version + tag: set_package_version_from_vulnerability_affected_machine_product_version + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.product_version + ignore_empty_value: true + - convert: + field: json.affectedMachine.rbacGroupId + tag: convert_affectedMachine_rbacgroup_id_to_string + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: group.id + tag: set_group_id_from_vulnerability_affected_machine_rbac_group_id + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id + ignore_empty_value: true + - rename: + field: json.affectedMachine.rbacGroupName + tag: rename_affectedMachine_rbacGroupName + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name + ignore_missing: true + - set: + field: group.name + tag: set_group_name_from_vulnerability_affected_machine_rbac_group_name + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name + ignore_empty_value: true + - rename: + field: json.affectedMachine.riskScore + tag: rename_riskScore + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.risk_score + ignore_missing: true + - set: + field: host.risk.calculated_level + tag: set_host_risk_calculated_level_from_vulnerability_affected_machine_risk_score + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.risk_score + ignore_empty_value: true + - rename: + field: json.affectedMachine.severity + tag: rename_affectedMachine_severity + 
target_field: microsoft_defender_endpoint.vulnerability.affected_machine.severity + ignore_missing: true + - rename: + field: json.affectedMachine.version + tag: rename_affectedMachine_version + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.version + ignore_missing: true + - set: + field: host.os.version + tag: set_host_os_version_from_vulnerability_affected_machine_version + copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.version + ignore_empty_value: true + - set: + field: host.os.name + value: '{{{host.os.platform}}} {{{host.os.version}}}' + ignore_failure: true + if: ctx.host?.os?.platform != null && ctx.host?.os?.version != null + - rename: + field: json.affectedMachine.vmMetadata.cloudProvider + tag: rename_affectedMachine_vmMetadata_cloudProvider + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.cloud_provider + ignore_missing: true + - rename: + field: json.affectedMachine.vmMetadata.resourceId + tag: rename_affectedMachine_vmMetadata_resourceId + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.resource_id + ignore_missing: true + - rename: + field: json.affectedMachine.vmMetadata.subscriptionId + tag: rename_affectedMachine_vmMetadata_subscriptionId + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.subscription_id + ignore_missing: true + - rename: + field: json.affectedMachine.vmMetadata.vmId + tag: rename_affectedMachine_vmMetadata_vmId + target_field: microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.vm_id + ignore_missing: true + - rename: + field: json.cveSupportability + tag: rename_cveSupportability + target_field: microsoft_defender_endpoint.vulnerability.cve_supportability + ignore_missing: true + - convert: + field: json.cvssV3 + tag: convert_cvssV3_to_double + target_field: microsoft_defender_endpoint.vulnerability.cvss_v3 + type: double + ignore_missing: true + 
on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: vulnerability.score.base + tag: set_vulnerability_score_base_from_vulnerability_cvss_v3 + copy_from: microsoft_defender_endpoint.vulnerability.cvss_v3 + ignore_empty_value: true + - set: + field: vulnerability.classification + tag: set_vulnerability_classification_from_vulnerability_cvss_v3 + value: CVSS + if: ctx.microsoft_defender_endpoint?.vulnerability?.cvss_v3 != null + ignore_empty_value: true + - set: + field: vulnerability.scanner.vendor + tag: set_vulnerability_scanner_vendor + value: Microsoft + - rename: + field: json.cvssVector + tag: rename_cvssVector + target_field: microsoft_defender_endpoint.vulnerability.cvss_vector + ignore_missing: true + - rename: + field: json.description + tag: rename_description + target_field: microsoft_defender_endpoint.vulnerability.description + ignore_missing: true + - set: + field: vulnerability.description + tag: set_vulnerability_description_from_vulnerability_description + copy_from: microsoft_defender_endpoint.vulnerability.description + ignore_empty_value: true + - set: + field: message + tag: set_message_from_vulnerability_description + copy_from: microsoft_defender_endpoint.vulnerability.description + ignore_empty_value: true + - grok: + field: message + tag: grok_message_to_extract_vulnerability_title_impact_remediation_and_fixed_version + patterns: + # remediation version is present + - 'Summary: %{DATA:vulnerability.title} Impact: %{DATA:microsoft_defender_endpoint.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? 
Remediation: (?%{DATA}(?\d+(?:[.-]\d+)+)%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' + # remediation version is not present + - 'Summary: %{DATA:vulnerability.title} Impact: %{DATA:microsoft_defender_endpoint.vulnerability.impact}(?: AdditionalInformation:%{GREEDYDATA})? Remediation: (?%{DATA}%{GREEDYDATA}\.)(?=(?:[^\.]*\[|$))' + ignore_failure: true + - convert: + field: json.epss + tag: convert_epss_to_double + target_field: microsoft_defender_endpoint.vulnerability.epss + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.exploitInKit + tag: convert_exploitInKit_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.exploit_in_kit + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.exploitTypes + tag: rename_exploitTypes + target_field: microsoft_defender_endpoint.vulnerability.exploit_types + ignore_missing: true + - rename: + field: json.exploitUris + tag: rename_exploitUris + target_field: microsoft_defender_endpoint.vulnerability.exploit_uris + ignore_missing: true + - convert: + field: json.exploitVerified + tag: convert_exploitVerified_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.exploit_verified + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - 
convert: + field: json.exposedMachines + tag: convert_exposedMachines_to_long + target_field: microsoft_defender_endpoint.vulnerability.exposed_machines + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.firstDetected + tag: date_firstDetected + target_field: microsoft_defender_endpoint.vulnerability.first_detected + formats: + - ISO8601 + if: ctx.json?.firstDetected != null && ctx.json.firstDetected != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.id + tag: rename_id + target_field: microsoft_defender_endpoint.vulnerability.id + ignore_missing: true + - set: + field: vulnerability.id + tag: set_vulnerability_id_from_vulnerability_id + copy_from: microsoft_defender_endpoint.vulnerability.id + ignore_empty_value: true + - set: + field: event.id + tag: set_event_id_from_vulnerability_id + value: '{{{vulnerability.id}}}-{{{_ingest.timestamp}}}' + if: ctx.event?.id == null && ctx.vulnerability?.id != null + - set: + field: vulnerability.reference + tag: set_vulnerability_reference_from_vulnerability_id + value: https://www.cve.org/CVERecord?id={{{vulnerability.id}}} + if: ctx.vulnerability?.id != null && ctx.vulnerability.id.contains('CVE') + - script: + description: Dynamically set cve.enumeration values. 
+ tag: script_map_vulnerability_id + lang: painless + if: ctx.vulnerability?.id != null + params: + vulnerability_enumeration: + - CVE + - TVM + source: | + String vulnerability_id = ctx.microsoft_defender_endpoint.vulnerability.id.toUpperCase(); + for (String enum: params.vulnerability_enumeration) { + if (vulnerability_id.contains(enum)) { + ctx.vulnerability.put('enumeration', enum); + return; + } + } + - rename: + field: json.name + tag: rename_name + target_field: microsoft_defender_endpoint.vulnerability.name + ignore_missing: true + - date: + field: json.patchFirstAvailable + tag: date_patchFirstAvailable + target_field: microsoft_defender_endpoint.vulnerability.patch_first_available + formats: + - ISO8601 + if: ctx.json?.patchFirstAvailable != null && ctx.json.patchFirstAvailable != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.publicExploit + tag: convert_publicExploit_to_boolean + target_field: microsoft_defender_endpoint.vulnerability.public_exploit + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.publishedOn + tag: date_publishedOn + target_field: microsoft_defender_endpoint.vulnerability.published_on + formats: + - ISO8601 + if: ctx.json?.publishedOn != null && ctx.json.publishedOn != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - 
set: + field: vulnerability.published_date + tag: set_vulnerability_published_date_from_vulnerability_published_on + copy_from: microsoft_defender_endpoint.vulnerability.published_on + ignore_empty_value: true + - rename: + field: json.severity + tag: rename_severity + target_field: microsoft_defender_endpoint.vulnerability.severity + ignore_missing: true + - set: + field: vulnerability.severity + tag: set_vulnerability_severity_from_vulnerability_severity + copy_from: microsoft_defender_endpoint.vulnerability.severity + ignore_empty_value: true + - rename: + field: json.tags + tag: rename_tags + target_field: microsoft_defender_endpoint.vulnerability.tags + ignore_missing: true + - date: + field: json.updatedOn + tag: date_updatedOn + target_field: microsoft_defender_endpoint.vulnerability.updated_on + formats: + - ISO8601 + if: ctx.json?.updatedOn != null && ctx.json.updatedOn != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: + - microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name + - microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address + - microsoft_defender_endpoint.vulnerability.affected_machine.machine_id + - microsoft_defender_endpoint.vulnerability.affected_machine.os_platform + - microsoft_defender_endpoint.vulnerability.affected_machine.os_processor + - microsoft_defender_endpoint.vulnerability.affected_machine.product_name + - microsoft_defender_endpoint.vulnerability.affected_machine.product_version + - microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id + - microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name + - microsoft_defender_endpoint.vulnerability.affected_machine.risk_score + - 
microsoft_defender_endpoint.vulnerability.affected_machine.version + - microsoft_defender_endpoint.vulnerability.cvss_v3 + - microsoft_defender_endpoint.vulnerability.description + - microsoft_defender_endpoint.vulnerability.id + - microsoft_defender_endpoint.vulnerability.severity + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false 
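Review bot: the two grok patterns under `grok_message_to_extract_vulnerability_title_impact_remediation_and_fixed_version` contain capture groups with no name, `(?%{DATA}(?\d+(?:[.-]\d+)+)%{GREEDYDATA}\.)` and `(?%{DATA}%{GREEDYDATA}\.)`, so as they appear here they would not compile; given that `microsoft_defender_endpoint.vulnerability.remediation` is declared in fields.yml and populated in sample_event.json, and `package.fixed_version` is declared in package.yml, these are presumably meant to be named captures for those two fields, so please confirm the group names survived. Two smaller points in the same hunk: `set_vulnerability_reference_from_vulnerability_id` tests `ctx.vulnerability.id.contains('CVE')` case-sensitively while `script_map_vulnerability_id` calls `toUpperCase()` before matching, so a lowercase id would get an `enumeration` but no `reference`; and that script is guarded by `ctx.vulnerability?.id != null` but reads `ctx.microsoft_defender_endpoint.vulnerability.id`, so it should read the same field it checks. Finally, `set_event_id_from_vulnerability_id` builds `event.id` from `{{{_ingest.timestamp}}}`, which changes on every poll, so it cannot deduplicate repeated collection of the same vulnerability record; a hash of the stable identifying fields would serve that purpose better.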
diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/base-fields.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/base-fields.yml new file mode 100644 index 00000000000..c2e652ee4ce --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: microsoft_defender_endpoint +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: microsoft_defender_endpoint.vulnerability +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/beats.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/fields.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/fields.yml new file mode 100644 index 00000000000..2b45ce3d96f --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/fields.yml 
@@ -0,0 +1,179 @@ +- name: microsoft_defender_endpoint + type: group + fields: + - name: vulnerability + type: group + fields: + - name: affected_machine + type: group + fields: + - name: aad_device_id + type: keyword + description: Microsoft Entra Device ID (when machine is Microsoft Entra joined). + - name: agent_version + type: keyword + - name: computer_dns_name + type: keyword + description: Machine fully qualified name. + - name: device_value + type: keyword + description: 'The value of the device. Possible values are: Normal, Low, and High.' + - name: exclusion_reason + type: keyword + - name: exposure_level + type: keyword + description: 'Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High.' + - name: first_seen + type: date + description: First date and time where the machine was observed by Microsoft Defender for Endpoint. + - name: fixing_kb_id + type: keyword + - name: health_status + type: keyword + description: 'machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown.' + - name: id + type: keyword + - name: ip_addresses + type: group + fields: + - name: ip_address + type: ip + - name: mac_address + type: keyword + - name: operational_status + type: keyword + - name: type + type: keyword + - name: is_aad_joined + type: boolean + - name: is_excluded + type: boolean + - name: is_potential_duplication + type: boolean + - name: last_external_ip_address + type: ip + description: Last IP through which the machine accessed the internet. + - name: last_ip_address + type: ip + description: Last IP on local NIC on the machine. + - name: last_seen + type: date + description: 'Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn''t correspond to the last seen value in the UI. It pertains to the last device update.' 
+ - name: machine_id + type: keyword + description: Machine identity. + - name: machine_tags + type: keyword + description: Set of machine tags. + - name: managed_by + type: keyword + - name: managed_by_status + type: keyword + - name: merged_into_machine_id + type: keyword + - name: onboarding_status + type: keyword + description: 'Status of machine onboarding. Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo.' + - name: os_architecture + type: keyword + description: 'Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor.' + - name: os_build + type: long + description: Operating system build number. + - name: os_platform + type: keyword + description: Operating system platform. + - name: os_processor + type: keyword + description: Operating system processor. Use osArchitecture property instead. + - name: os_version + type: keyword + - name: product_name + type: keyword + - name: product_vendor + type: keyword + - name: product_version + type: keyword + - name: rbac_group_id + type: keyword + description: Machine group ID. + - name: rbac_group_name + type: keyword + description: Machine group Name. + - name: risk_score + type: keyword + description: 'Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High.' + - name: severity + type: keyword + - name: version + type: keyword + description: Operating system version. + - name: vmMetadata + type: group + fields: + - name: cloud_provider + type: keyword + - name: resource_id + type: keyword + - name: subscription_id + type: keyword + - name: vm_id + type: keyword + - name: cve_supportability + type: keyword + description: 'Possible values are: Supported, Not Supported, or SupportedInPremium.' + - name: cvss_v3 + type: double + description: CVSS v3 score. 
+ - name: cvss_vector + type: keyword + description: A compressed textual representation that reflects the values used to derive the score. + - name: description + type: keyword + description: Vulnerability description. + - name: epss + type: double + description: Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. + - name: exploit_in_kit + type: boolean + description: Exploit is part of an exploit kit. + - name: exploit_types + type: keyword + description: 'Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local.' + - name: exploit_uris + type: keyword + description: Exploit source URLs. + - name: exploit_verified + type: boolean + description: Exploit is verified to work. + - name: exposed_machines + type: long + description: Number of exposed devices. + - name: first_detected + type: date + - name: id + type: keyword + description: Vulnerability ID. + - name: impact + type: keyword + - name: name + type: keyword + description: Vulnerability title. + - name: patch_first_available + type: date + - name: public_exploit + type: boolean + description: Public exploit exists. + - name: published_on + type: date + description: Date when vulnerability was published. + - name: remediation + type: keyword + - name: severity + type: keyword + description: 'Vulnerability Severity. Possible values are: Low, Medium, High, or Critical.' + - name: tags + type: keyword + - name: updated_on + type: date + description: Date when vulnerability was updated. diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/package.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/package.yml new file mode 100644 index 00000000000..1c2032e9777 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/package.yml 
@@ -0,0 +1,11 @@ +- name: package + type: group + fields: + - name: fixed_version + type: keyword + - name: name + type: keyword + external: ecs + - name: version + type: keyword + external: ecs \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/resource.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/resource.yml new file mode 100644 index 00000000000..2a1cc8f3611 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/resource.yml @@ -0,0 +1,7 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/vulnerability.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/vulnerability.yml new file mode 100644 index 00000000000..f77e5febef1 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/fields/vulnerability.yml @@ -0,0 +1,7 @@ +- name: vulnerability + type: group + fields: + - name: published_date + type: date + - name: title + type: keyword \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/lifecycle.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/lifecycle.yml new file mode 100644 index 00000000000..3fe3776ec1f --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "7d" diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/manifest.yml b/packages/microsoft_defender_endpoint/data_stream/vulnerability/manifest.yml new file mode 100644 index 00000000000..56395d5f281 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/manifest.yml 
@@ -0,0 +1,84 @@ +title: Collect Microsoft Defender for Endpoint vulnerability and affected machine logs from API +type: logs +ilm_policy: logs-microsoft_defender_endpoint.vulnerability-default_policy +streams: + - input: cel + title: Microsoft Defender Endpoint Vulnerabilities + description: Collect Microsoft Defender for Endpoint vulnerability and affected machine logs from API. + enabled: false + template_path: cel.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the Microsoft Defender Endpoint Vulnerability API. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 4h + - name: batch_size + type: integer + title: Batch Size + description: Specifies how many records to return in a single request of the Microsoft Defender Endpoint Vulnerability API. + multi: false + required: true + show_user: false + default: 8000 + - name: affected_machines_only + type: bool + title: Collect vulnerabilities from affected machines only + description: Collect only vulnerabilities that have at least one affected machine. Vulnerabilities without any affected machines will not be ingested. + show_user: true + required: false + default: true + - name: enable_request_tracer + type: bool + title: Enable request tracing + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details. + multi: false + default: false + required: false + show_user: false + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field event.original. 
+ multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. + multi: true + required: true + show_user: false + default: + - forwarded + - microsoft_defender_endpoint-vulnerability + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve microsoft_defender_endpoint.vulnerability.* fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. + \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/data_stream/vulnerability/sample_event.json b/packages/microsoft_defender_endpoint/data_stream/vulnerability/sample_event.json new file mode 100644 index 00000000000..87906405ac4 --- /dev/null +++ b/packages/microsoft_defender_endpoint/data_stream/vulnerability/sample_event.json 
@@ -0,0 +1,172 @@ +{ + "@timestamp": "2025-05-27T10:44:32.171Z", + "agent": { + "ephemeral_id": "c05fba64-b162-439c-bbab-497080970957", + "id": "18e5121d-7626-44f8-80d5-f01c9785dfa3", + "name": "elastic-agent-40132", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "microsoft_defender_endpoint.vulnerability", + "namespace": "38546", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "18e5121d-7626-44f8-80d5-f01c9785dfa3", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "microsoft_defender_endpoint.vulnerability", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_--2025-05-27T10:44:33.192017651Z", + "ingested": "2025-05-27T10:44:33Z", + "kind": "event", + "original": "{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test 
tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "id": "94819846155826828d1603b913c67fe336d81295", + "ip": [ + "1.128.0.0" + ], + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "os": { + "name": "Ubuntu 20.4", + "platform": "Ubuntu", + "type": "linux", + "version": "20.4" + }, + "risk": { + "calculated_level": "None" + } + }, + "input": { + "type": "cel" + }, + "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]", + "microsoft_defender_endpoint": { + "vulnerability": { + "affected_machine": { + "agent_version": "30.124092.2.0", + "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "device_value": "Normal", + "exposure_level": "Low", + "first_seen": "2025-01-08T13:05:05.348Z", + "health_status": "Inactive", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", + "ip_addresses": [ + { + "ip_address": "216.160.83.56", + "mac_address": "00-0C-29-10-F1-DA", + "operational_status": "Up", + "type": "Other" + } + ], + "is_aad_joined": false, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "1.128.0.0", + "last_ip_address": "175.16.199.0", + "last_seen": "2025-01-08T13:15:03.694Z", + "machine_id": "94819846155826828d1603b913c67fe336d81295", + "machine_tags": [ + "test tag" + ], + "managed_by": "MicrosoftDefenderForEndpoint", + "managed_by_status": "Success", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 6, + "os_platform": "Ubuntu", + "os_processor": "x64", + "product_name": "edge_chromium-based", + "product_vendor": "microsoft", + "product_version": "134.0.3124.72", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "Medium", + "version": "20.4" + }, + "cve_supportability": "Supported", + "cvss_v3": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. 
Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "epss": 0.00111, + "exploit_in_kit": false, + "exploit_verified": false, + "exposed_machines": 2, + "first_detected": "2025-04-01T19:52:39.000Z", + "id": "CVE-2025-3074", + "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", + "name": "CVE-2025-3074", + "public_exploit": false, + "published_on": "2025-04-01T00:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "Medium", + "tags": [ + "test" + ], + "updated_on": "2025-04-08T00:00:00.000Z" + } + }, + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "edge_chromium-based", + "version": "134.0.3124.72" + }, + "related": { + "hosts": [ + "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "94819846155826828d1603b913c67fe336d81295" + ], + "ip": [ + "216.160.83.56", + "1.128.0.0", + "175.16.199.0" + ] + }, + "resource": { + "id": "94819846155826828d1603b913c67fe336d81295", + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "microsoft_defender_endpoint-vulnerability" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a 
crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-3074", + "published_date": "2025-04-01T00:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.5 + }, + "severity": "Medium", + "title": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website." + } +} diff --git a/packages/microsoft_defender_endpoint/docs/README.md b/packages/microsoft_defender_endpoint/docs/README.md index ea218508315..2f981e2e23f 100644 --- a/packages/microsoft_defender_endpoint/docs/README.md +++ b/packages/microsoft_defender_endpoint/docs/README.md 
@@ -2,7 +2,7 @@ This integration is for [Microsoft Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) logs. -Microsoft Defender for Endpoint integration collects data for Alert, Machine, and Machine Action logs using REST API. +Microsoft Defender for Endpoint integration collects data for Alert, Machine, Machine Action, and Vulnerability logs using REST API. ## Data streams @@ -11,6 +11,8 @@ This integration collects the following logs: - **[Alert](https://learn.microsoft.com/en-us/defender-endpoint/api/get-alerts?view=o365-worldwide)** - Retrieves alerts generated by Microsoft Defender for Endpoint. - **[Machine](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines?view=o365-worldwide)** - Retrieves machines that have communicated with Microsoft Defender for Endpoint. - **[Machine Action](https://learn.microsoft.com/en-us/defender-endpoint/api/get-machineactions-collection?view=o365-worldwide)** - Retrieves logs of actions carried out on machines. +- **[Vulnerability](https://learn.microsoft.com/en-us/defender-endpoint/api/vulnerability?view=o365-worldwide)** - Retrieves logs of Vulnerability. + ## Requirements @@ -36,6 +38,7 @@ When the application is granted the API permissions listed in the table below, i | Alert | Alert.Read.All | | Machine | Machine.Read.All | | Machine Action | Machine.Read.All | +| Vulnerability | Vulnerability.Read.All, Machine.Read.All | After the application has been created, it should contain 3 values that you need to apply to the module configuration. 
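Review bot: in the @@ -11,6 +11,8 @@ hunk the new bullet reads "Retrieves logs of Vulnerability.", which is ungrammatical and vaguer than its siblings; suggest "Retrieves vulnerabilities reported by Microsoft Defender for Endpoint, together with the machines affected by each." The same hunk adds an empty `+` line before `## Requirements`, leaving two blank lines where the rest of the file uses one. In the @@ -36,6 +38,7 @@ permission row, a short clause saying that `Machine.Read.All` is required because the stream also pulls the affected-machine records would stop readers from granting a permission they cannot explain.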
@@ -53,6 +56,11 @@ These values are: 4. Add all the required integration configuration parameters, including the Client ID, Client Secret, Tenant ID to enable data collection. 5. Select "Save and continue" to save the integration. +### Data Retention and ILM Configuration (For Vulnerability Data Stream) +A full sync pulls in a large volume of data, which can lead to storage issues or index overflow over time. To avoid this, we’ve set up an Index Lifecycle Management (ILM) policy that automatically deletes data older than 7 days. This helps keep storage usage under control. + +> **Note:** The user or service account associated with the integration must have the following **index privileges** on the relevant index have the following permissions `delete`, `delete_index` + ## ECS mappings | Defender for Endpoint fields | ECS Fields | 
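Review bot: the Note in the @@ -53,6 +56,11 @@ hunk is grammatically broken ("must have the following index privileges on the relevant index have the following permissions"); suggest "The user or service account used by the integration must have the `delete` and `delete_index` index privileges on the vulnerability data stream's backing indices." The section also states that data older than 7 days is deleted automatically without saying whether that is a package default that can be overridden: seven days is short for vulnerability data that teams trend over weeks, so name the policy and say how to change it. "storage issues or index overflow" is vague; the concrete cause is that each full sync pulls the complete dataset again, so the index grows with every sync until the policy removes the old copies.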
@@ -561,3 +569,270 @@ An example event for `machine_action` looks as following: | microsoft_defender_endpoint.machine_action.title | Machine action title. | keyword | | microsoft_defender_endpoint.machine_action.type | Type of the action. Possible values are: RunAntiVirusScan, Offboard, LiveResponse, CollectInvestigationPackage, Isolate, Unisolate, StopAndQuarantineFile, RestrictCodeExecution, and UnrestrictCodeExecution. | keyword | + +### Vulnerability + +This is the `vulnerability` dataset. + +#### Example + +An example event for `vulnerability` looks as following: + +```json +{ + "@timestamp": "2025-05-27T10:44:32.171Z", + "agent": { + "ephemeral_id": "c05fba64-b162-439c-bbab-497080970957", + "id": "18e5121d-7626-44f8-80d5-f01c9785dfa3", + "name": "elastic-agent-40132", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "microsoft_defender_endpoint.vulnerability", + "namespace": "38546", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "18e5121d-7626-44f8-80d5-f01c9785dfa3", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "vulnerability" + ], + "dataset": "microsoft_defender_endpoint.vulnerability", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_--2025-05-27T10:44:33.192017651Z", + "ingested": "2025-05-27T10:44:33Z", + "kind": "event", + "original": 
"{\"affectedMachine\":{\"aadDeviceId\":null,\"agentVersion\":\"30.124092.2.0\",\"computerDnsName\":\"bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01\",\"cveId\":\"CVE-2025-3074\",\"deviceValue\":\"Normal\",\"exclusionReason\":null,\"exposureLevel\":\"Low\",\"firstSeen\":\"2025-01-08T13:05:05.3483549Z\",\"fixingKbId\":null,\"healthStatus\":\"Inactive\",\"id\":\"94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-\",\"ipAddresses\":[{\"ipAddress\":\"216.160.83.56\",\"macAddress\":\"000C2910F1DA\",\"operationalStatus\":\"Up\",\"type\":\"Other\"}],\"isAadJoined\":false,\"isExcluded\":false,\"isPotentialDuplication\":false,\"lastExternalIpAddress\":\"1.128.0.0\",\"lastIpAddress\":\"175.16.199.0\",\"lastSeen\":\"2025-01-08T13:15:03.694371Z\",\"machineId\":\"94819846155826828d1603b913c67fe336d81295\",\"machineTags\":[\"test tag\"],\"managedBy\":\"MicrosoftDefenderForEndpoint\",\"managedByStatus\":\"Success\",\"mergedIntoMachineId\":null,\"onboardingStatus\":\"Onboarded\",\"osArchitecture\":\"64-bit\",\"osBuild\":6,\"osPlatform\":\"Ubuntu\",\"osProcessor\":\"x64\",\"osVersion\":null,\"productName\":\"edge_chromium-based\",\"productVendor\":\"microsoft\",\"productVersion\":\"134.0.3124.72\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"riskScore\":\"None\",\"severity\":\"Medium\",\"version\":\"20.4\",\"vmMetadata\":null},\"cveSupportability\":\"Supported\",\"cvssV3\":6.5,\"cvssVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C\",\"description\":\"Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. 
Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]\",\"epss\":0.00111,\"exploitInKit\":false,\"exploitTypes\":[],\"exploitUris\":[],\"exploitVerified\":false,\"exposedMachines\":2,\"firstDetected\":\"2025-04-01T19:52:39Z\",\"id\":\"CVE-2025-3074\",\"name\":\"CVE-2025-3074\",\"patchFirstAvailable\":null,\"publicExploit\":false,\"publishedOn\":\"2025-04-01T00:00:00Z\",\"severity\":\"Medium\",\"tags\":[\"test\"],\"updatedOn\":\"2025-04-08T00:00:00Z\"}", + "type": [ + "info" + ] + }, + "group": { + "id": "0" + }, + "host": { + "architecture": "x64", + "hostname": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "id": "94819846155826828d1603b913c67fe336d81295", + "ip": [ + "1.128.0.0" + ], + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "os": { + "name": "Ubuntu 20.4", + "platform": "Ubuntu", + "type": "linux", + "version": "20.4" + }, + "risk": { + "calculated_level": "None" + } + }, + "input": { + "type": "cel" + }, + "message": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. 
AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "microsoft_defender_endpoint": { + "vulnerability": { + "affected_machine": { + "agent_version": "30.124092.2.0", + "computer_dns_name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "device_value": "Normal", + "exposure_level": "Low", + "first_seen": "2025-01-08T13:05:05.348Z", + "health_status": "Inactive", + "id": "94819846155826828d1603b913c67fe336d81295-_-CVE-2025-3074-_-microsoft-_-edge_chromium-based-_-134.0.3124.72-_-", + "ip_addresses": [ + { + "ip_address": "216.160.83.56", + "mac_address": "00-0C-29-10-F1-DA", + "operational_status": "Up", + "type": "Other" + } + ], + "is_aad_joined": false, + "is_excluded": false, + "is_potential_duplication": false, + "last_external_ip_address": "1.128.0.0", + "last_ip_address": "175.16.199.0", + "last_seen": "2025-01-08T13:15:03.694Z", + "machine_id": "94819846155826828d1603b913c67fe336d81295", + "machine_tags": [ + "test tag" + ], + "managed_by": "MicrosoftDefenderForEndpoint", + "managed_by_status": "Success", + "onboarding_status": "Onboarded", + "os_architecture": "64-bit", + "os_build": 6, + "os_platform": "Ubuntu", + "os_processor": "x64", + "product_name": "edge_chromium-based", + "product_vendor": "microsoft", + "product_version": "134.0.3124.72", + "rbac_group_id": "0", + "risk_score": "None", + "severity": "Medium", + "version": "20.4" + }, + "cve_supportability": "Supported", + "cvss_v3": 6.5, + "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C", + "description": "Summary: An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. 
This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "epss": 0.00111, + "exploit_in_kit": false, + "exploit_verified": false, + "exposed_machines": 2, + "first_detected": "2025-04-01T19:52:39.000Z", + "id": "CVE-2025-3074", + "impact": "Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security.", + "name": "CVE-2025-3074", + "public_exploit": false, + "published_on": "2025-04-01T00:00:00.000Z", + "remediation": "Apply the latest patches and updates provided by the respective vendors.", + "severity": "Medium", + "tags": [ + "test" + ], + "updated_on": "2025-04-08T00:00:00.000Z" + } + }, + "observer": { + "product": "Microsoft 365 Defender", + "vendor": "Microsoft" + }, + "package": { + "name": "edge_chromium-based", + "version": "134.0.3124.72" + }, + "related": { + "hosts": [ + "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "94819846155826828d1603b913c67fe336d81295" + ], + "ip": [ + "216.160.83.56", + "1.128.0.0", + "175.16.199.0" + ] + }, + "resource": { + "id": "94819846155826828d1603b913c67fe336d81295", + "name": "bdp3449-ub20-2-4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "microsoft_defender_endpoint-vulnerability" + ], + "vulnerability": { + "classification": "CVSS", + "description": "Summary: An 
inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website. Impact: Exploitation of this vulnerability could lead to UI spoofing or bypassing security restrictions, potentially compromising user trust and security. AdditionalInformation: This vulnerability is associated with Google Chrome and has implications for Microsoft Edge (Chromium-based) due to shared code ingestion. Refer to Google Chrome Releases for further details. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]", + "enumeration": "CVE", + "id": "CVE-2025-3074", + "published_date": "2025-04-01T00:00:00.000Z", + "reference": "https://www.cve.org/CVERecord?id=CVE-2025-3074", + "scanner": { + "vendor": "Microsoft" + }, + "score": { + "base": 6.5 + }, + "severity": "Medium", + "title": "An inappropriate implementation in the Downloads feature of Google Chrome versions prior to 135.0.7049.52 could allow a remote attacker to perform UI spoofing via a crafted HTML page. This vulnerability, classified with a low severity by Chromium, may also enable bypassing security restrictions when a victim visits a specially crafted website." + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. 
| long | +| microsoft_defender_endpoint.vulnerability.affected_machine.aad_device_id | Microsoft Entra Device ID (when machine is Microsoft Entra joined). | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.agent_version | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.computer_dns_name | Machine fully qualified name. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.device_value | The value of the device. Possible values are: Normal, Low, and High. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.exclusion_reason | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.exposure_level | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Low, Medium, and High. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.first_seen | First date and time where the machine was observed by Microsoft Defender for Endpoint. | date | +| microsoft_defender_endpoint.vulnerability.affected_machine.fixing_kb_id | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.health_status | machine health status. Possible values are: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, and Unknown. 
| keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.id | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.ip_address | | ip | +| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.mac_address | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.operational_status | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.ip_addresses.type | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.is_aad_joined | | boolean | +| microsoft_defender_endpoint.vulnerability.affected_machine.is_excluded | | boolean | +| microsoft_defender_endpoint.vulnerability.affected_machine.is_potential_duplication | | boolean | +| microsoft_defender_endpoint.vulnerability.affected_machine.last_external_ip_address | Last IP through which the machine accessed the internet. | ip | +| microsoft_defender_endpoint.vulnerability.affected_machine.last_ip_address | Last IP on local NIC on the machine. | ip | +| microsoft_defender_endpoint.vulnerability.affected_machine.last_seen | Time and date of the last received full device report. A device typically sends a full report every 24 hours. NOTE: This property doesn't correspond to the last seen value in the UI. It pertains to the last device update. | date | +| microsoft_defender_endpoint.vulnerability.affected_machine.machine_id | Machine identity. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.machine_tags | Set of machine tags. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.managed_by | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.managed_by_status | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.merged_into_machine_id | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.onboarding_status | Status of machine onboarding. 
Possible values are: onboarded, CanBeOnboarded, Unsupported, and InsufficientInfo. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.os_architecture | Operating system architecture. Possible values are: 32-bit, 64-bit. Use this property instead of osProcessor. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.os_build | Operating system build number. | long | +| microsoft_defender_endpoint.vulnerability.affected_machine.os_platform | Operating system platform. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.os_processor | Operating system processor. Use osArchitecture property instead. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.os_version | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.product_name | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.product_vendor | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.product_version | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_id | Machine group ID. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.rbac_group_name | Machine group Name. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.risk_score | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: None, Informational, Low, Medium, and High. | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.severity | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.version | Operating system version. 
| keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.cloud_provider | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.resource_id | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.subscription_id | | keyword | +| microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.vm_id | | keyword | +| microsoft_defender_endpoint.vulnerability.cve_supportability | Possible values are: Supported, Not Supported, or SupportedInPremium. | keyword | +| microsoft_defender_endpoint.vulnerability.cvss_v3 | CVSS v3 score. | double | +| microsoft_defender_endpoint.vulnerability.cvss_vector | A compressed textual representation that reflects the values used to derive the score. | keyword | +| microsoft_defender_endpoint.vulnerability.description | Vulnerability description. | keyword | +| microsoft_defender_endpoint.vulnerability.epss | Represents the probability that a vulnerability will be exploited. This probability is expressed as a number between 0 and 1 (0%-100%) according to the EPSS model. | double | +| microsoft_defender_endpoint.vulnerability.exploit_in_kit | Exploit is part of an exploit kit. | boolean | +| microsoft_defender_endpoint.vulnerability.exploit_types | Exploit affect. Possible values are: Local privilege escalation, Denial of service, or Local. | keyword | +| microsoft_defender_endpoint.vulnerability.exploit_uris | Exploit source URLs. | keyword | +| microsoft_defender_endpoint.vulnerability.exploit_verified | Exploit is verified to work. | boolean | +| microsoft_defender_endpoint.vulnerability.exposed_machines | Number of exposed devices. | long | +| microsoft_defender_endpoint.vulnerability.first_detected | | date | +| microsoft_defender_endpoint.vulnerability.id | Vulnerability ID. | keyword | +| microsoft_defender_endpoint.vulnerability.impact | | keyword | +| microsoft_defender_endpoint.vulnerability.name | Vulnerability title. 
| keyword | +| microsoft_defender_endpoint.vulnerability.patch_first_available | | date | +| microsoft_defender_endpoint.vulnerability.public_exploit | Public exploit exists. | boolean | +| microsoft_defender_endpoint.vulnerability.published_on | Date when vulnerability was published. | date | +| microsoft_defender_endpoint.vulnerability.remediation | | keyword | +| microsoft_defender_endpoint.vulnerability.severity | Vulnerability Severity. Possible values are: Low, Medium, High, or Critical. | keyword | +| microsoft_defender_endpoint.vulnerability.tags | | keyword | +| microsoft_defender_endpoint.vulnerability.updated_on | Date when vulnerability was updated. | date | +| package.fixed_version | | keyword | +| package.name | Package name | keyword | +| package.version | Package version | keyword | +| resource.id | | keyword | +| resource.name | | keyword | +| vulnerability.published_date | | date | +| vulnerability.title | | keyword | diff --git a/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_action_overview.png b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_action_overview.png index 1bac5ae25d3..3551d76a326 100644 Binary files a/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_action_overview.png and b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_action_overview.png differ diff --git a/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_overview.png b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_overview.png index 5dd81bb6da3..fd833765bcb 100644 Binary files a/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_overview.png and b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-machine_overview.png differ 
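Review bot: in the example event of the @@ -561,3 +569,270 @@ hunk, `host.ip` holds only `1.128.0.0`, which the raw event labels `lastExternalIpAddress`, while the machine's own addresses (`lastIpAddress` 175.16.199.0 and the `ipAddresses` entry 216.160.83.56) only reach `related.ip`; `host.ip` normally carries the host's interface addresses, so either add those or document why the external address was chosen. Also check `group.id: "0"`, populated from `rbac_group_id`: ECS `group.*` describes a user's group, so a device RBAC group is a surprising fit. In the Exported fields table, `microsoft_defender_endpoint.vulnerability.affected_machine.vmMetadata.*` keeps camelCase while every sibling is snake_case (`affected_machine`, `cve_supportability`); rename to `vm_metadata`. The same table leaves many descriptions empty, including `package.fixed_version`, `resource.id`, `resource.name`, `vulnerability.published_date` and `vulnerability.title`; ECS defines no `resource.*` fieldset and none of those `package` or `vulnerability` fields, so these rows should describe them as custom additions. The `onboarding_status` row lists "onboarded" in lowercase although the example carries "Onboarded".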
diff --git a/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-vulnerability_overview.png b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-vulnerability_overview.png new file mode 100644 index 00000000000..e5b735db298 Binary files /dev/null and b/packages/microsoft_defender_endpoint/img/microsoft_defender_endpoint-vulnerability_overview.png differ diff --git a/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215.json b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215.json index c525bd6f2fb..5a68b49e565 100644 --- a/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215.json +++ b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "event.action", - "id": "2bd619cc-478b-4f78-a4cf-e42c23cb2558", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -32,7 +31,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "microsoft_defender_endpoint.machine_action.status", - "id": "dd6a586f-ff92-4736-8a20-aef4905fa3c2", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
@@ -112,7 +110,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Microsoft Defender for Endpoint**\n\n- [Overview](#/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55)\n- [Machine Overview](#/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60)\n- **Machine Action Overview**\n\n**Overview**\n\n\nThis dashboard provides a comprehensive view of machine actions logs from Microsoft Defender for Endpoint integration. It showcases trends in actions over time, distribution by status, type, and network isolation scope. It showcases the top 10 machines and requestors who performed the action.\n\n[Integration Page](/app/integrations/detail/microsoft_defender_endpoint/overview)", + "markdown": "**Navigation**\n\n**Microsoft Defender for Endpoint**\n\n- [Overview](#/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55)\n- [Machine Overview](#/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60)\n- **Machine Action Overview**\n- [Vulnerability Overview](#/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n**Overview**\n\n\nThis dashboard provides a comprehensive view of machine actions logs from Microsoft Defender for Endpoint integration. It showcases trends in actions over time, distribution by status, type, and network isolation scope. It showcases the top 10 machines and requestors who performed the action.\n\n[Integration Page](/app/integrations/detail/microsoft_defender_endpoint/overview)", "openLinksInNewTab": false }, "title": "", @@ -128,6 +126,7 @@ "y": 0 }, "panelIndex": "7e71ce31-e773-4c68-84c7-0119158052a7", + "title": "Table of Contents", "type": "visualization" }, { 
@@ -1085,7 +1084,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-04-12T16:39:37.934Z", + "created_at": "2025-05-08T09:47:40.717Z", "id": "microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215", "managed": false, "references": [ @@ -1094,6 +1093,16 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, + { + "id": "microsoft_defender_endpoint-security-solution-default", + "name": "tag-ref-microsoft_defender_endpoint-security-solution-default", + "type": "tag" + }, + { + "id": "microsoft_defender_endpoint-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + }, { "id": "logs-*", "name": "1fe71f4e-e415-432f-8113-8b287407de97:indexpattern-datasource-layer-c196d639-0b5f-42a4-9349-e0d466cc3951", @@ -1126,30 +1135,21 @@ }, { "id": "logs-*", - "name": "controlGroup_1ca4f300-9ab3-4219-bd9e-dd25cb181516:optionsListDataView", + "name": "controlGroup_2bd619cc-478b-4f78-a4cf-e42c23cb2558:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_5360133e-c975-4354-b357-6fb0acac04ee:optionsListDataView", + "name": "controlGroup_dd6a586f-ff92-4736-8a20-aef4905fa3c2:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" - }, - { - "id": "microsoft_defender_endpoint-security-solution-default", - "name": "tag-ref-microsoft_defender_endpoint-security-solution-default", - "type": "tag" - }, - { - "id": "microsoft_defender_endpoint-security-solution-default", - "name": "tag-ref-security-solution-default", - "type": "tag" } ], "type": "dashboard", - "typeMigrationVersion": "10.2.0" + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" } \ No newline at end of file 
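Review bot: the @@ -1126,30 +1135,21 @@ hunk adds `"updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"` to the saved object; that is the exporting user's Kibana profile id, which has no place in a shipped package and will churn on every re-export, so strip it. The `created_at` bump in @@ -1085,7 +1084,7 @@ is the same kind of export noise with no functional change behind it. The controlGroup reference renames in the last hunk (to `2bd619cc-...` and `dd6a586f-...`) do line up with the `id` values removed from the controls in @@ -14,7 +14,6 @@ and @@ -32,7 +31,6 @@, and the tag references are only moved within the array, so those parts are consistent.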
diff --git a/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json new file mode 100644 index 00000000000..c9cfc943192 --- /dev/null +++ b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8.json 
@@ -0,0 +1,2120 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "496b8374-9f81-43cb-9cbd-cc5859043d5e": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "vulnerability.severity", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "a5663e6a-f7f7-4e77-ae24-5b54abad99d2": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "microsoft_defender_endpoint.vulnerability.affected_machine.exposure_level", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Exposure Level" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "e7dd70a2-2ddd-4dfb-a2a3-b96bfa5b2d08": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "host.risk.calculated_level", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Risk Calculated Level" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "ee7a009c-c029-4f58-b54d-71fbdf297630": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "host.os.platform", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + 
"selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "OS Platform" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows vulnerability and affected machine logs collected by the Microsoft Defender Endpoint integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_defender_endpoint.vulnerability" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_defender_endpoint.vulnerability" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "bb5c3bc7-2da1-4a15-b588-9e2fcda80836": { + "columnOrder": [ + "b970edb6-7fb6-48f0-af44-b057acbebb37", + "d559fa87-35f2-4096-ba63-b938a3975194" + ], + "columns": { + "b970edb6-7fb6-48f0-af44-b057acbebb37": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected Host", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { 
+ "dataType": "number", + "isBucketed": false, + "label": "Count of vulnerability.id", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "d559fa87-35f2-4096-ba63-b938a3975194": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b970edb6-7fb6-48f0-af44-b057acbebb37", + "width": 357.5 + }, + { + "columnId": "d559fa87-35f2-4096-ba63-b938a3975194" + } + ], + "layerId": "bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "layerType": "data" + } + }, + "title": "Top 10 Affected Host with Highest Vulnerability", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", + "w": 24, + "x": 0, + "y": 50 + }, + "panelIndex": "1fc86dc4-4bd3-4484-9622-f6d14a335bed", + "title": "Top 10 Affected Host with Highest Vulnerability [Logs Microsoft Defender Endpoint]", + "type": "lens" + }, + { + 
"embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "93fbd5b8-bcdd-402b-9efb-2a24a2da900f": { + "columnOrder": [ + "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828", + "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + ], + "columns": { + "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected software product", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "package.name" + }, + "26f9a0ca-049e-4084-86bb-b709d7ec37bf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "1ed5fdf0-b270-4d55-9f27-f2f5dd92b828" + }, + { + "columnId": "26f9a0ca-049e-4084-86bb-b709d7ec37bf" + } + ], + "layerId": "93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "layerType": "data" + } + }, + "title": "Top 10 Affected software 
product", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "6d64f578-66e2-49f3-ae06-911dae110ee7", + "w": 24, + "x": 24, + "y": 50 + }, + "panelIndex": "6d64f578-66e2-49f3-ae06-911dae110ee7", + "title": "Top 10 Affected Software Product [Logs Microsoft Defender Endpoint]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "grid": { + "columns": { + "@timestamp": { + "width": 208 + }, + "host.id": { + "width": 299 + }, + "host.ip": { + "width": 140 + }, + "host.name": { + "width": 120 + }, + "host.risk.calculated_level": { + "width": 121 + }, + "microsoft_defender_endpoint.vulnerability.affected_machine.last_seen": { + "width": 246 + }, + "microsoft_defender_endpoint.vulnerability.updated_on": { + "width": 222 + } + } + } + }, + "gridData": { + "h": 22, + "i": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "w": 48, + "x": 0, + "y": 67 + }, + "panelIndex": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "panelRefName": "panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "title": "Affected Machines Essential Details [Logs Microsoft Defender Endpoint]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "columnOrder": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "columns": { + 
"1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Machine ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + }, + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Risk Calculated Level", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.risk.calculated_level" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "Critical" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "High" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + 
"rule": { + "type": "matchExactly", + "values": [ + "Medium" + ] + }, + "touched": true + } + ], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Vulnerabilities by Severity", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "cbade69a-97e6-4a08-8e43-4e0824a89840", + "w": 16, + "x": 32, + "y": 35 + }, + "panelIndex": "cbade69a-97e6-4a08-8e43-4e0824a89840", + "title": "Affected Machines by Risk Calculated Level [Logs Microsoft Defender Endpoint]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "95d5d85e-ec68-4d5f-a5e8-f69441a959c0": { + "columnOrder": [ + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b", + "9f2f59ce-ffd5-42ca-a6b3-def879393810" + ], + "columns": { + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "CVE Supportability ", + "operationType": "terms", + "params": { + "exclude": [], 
+ "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9f2f59ce-ffd5-42ca-a6b3-def879393810", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "microsoft_defender_endpoint.vulnerability.cve_supportability" + }, + "9f2f59ce-ffd5-42ca-a6b3-def879393810": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Vulnerability ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "9f2f59ce-ffd5-42ca-a6b3-def879393810" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "8b2f13ef-1b5c-42c2-8bae-79f02213e95b" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Vulnerabilities by CVE Supportability ", + "type": "lens", + "visualizationType": "lnsPie" + 
}, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", + "w": 16, + "x": 0, + "y": 35 + }, + "panelIndex": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315", + "title": "Vulnerability by CVE Supportability [Logs Microsoft Defender Endpoint] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4f129361-0c18-4ba1-9994-a1e4e565c1e5": { + "columnOrder": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465", + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "columns": { + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Vulnerability ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity ", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1470f546-f38d-4cc4-90b3-7a4c9ce856e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vulnerability.severity" + } + }, + "incompleteColumns": {}, + 
"indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "Critical" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 7, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "High" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 1, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "Medium" + ] + }, + "touched": true + } + ], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "1470f546-f38d-4cc4-90b3-7a4c9ce856e7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "882ebbcb-876b-44c8-a9cd-a9eca6ed2465" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Vulnerabilities by Severity", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false 
+ }, + "gridData": { + "h": 17, + "i": "50be5d33-6110-4584-8163-29335c338697", + "w": 16, + "x": 32, + "y": 18 + }, + "panelIndex": "50be5d33-6110-4584-8163-29335c338697", + "title": "Vulnerability by Severity [Logs Microsoft Defender Endpoint] ", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 35, + "i": "72697a0d-690e-496e-9809-389acd1c5cc6", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "72697a0d-690e-496e-9809-389acd1c5cc6", + "panelRefName": "panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d448b66c-867d-4229-b46b-098a674230f6": { + "columnOrder": [ + "9521f331-1199-450b-9f3d-dc1024c90024" + ], + "columns": { + "9521f331-1199-450b-9f3d-dc1024c90024": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Total Verified Exploit Vulnerability", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.exploit_verified", + "index": 
"cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "key": "microsoft_defender_endpoint.vulnerability.exploit_verified", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.exploit_verified": true + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "d448b66c-867d-4229-b46b-098a674230f6", + "layerType": "data", + "metricAccessor": "9521f331-1199-450b-9f3d-dc1024c90024" + } + }, + "title": "Total Verified Exploit Vulnerabilities", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.exploit_verified", + "index": "logs-*", + "key": "microsoft_defender_endpoint.vulnerability.exploit_verified", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.exploit_verified": true + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", + "w": 8, + "x": 10, + "y": 0 + }, + "panelIndex": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1", + "title": "Total Verified Exploit Vulnerabilities [Logs Microsoft Defender Endpoint] ", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6a1c3042-4087-44c0-a950-624946feea03", + "type": "index-pattern" + } 
+ ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "59044096-edd2-4c17-9b59-05fcfc384e6b": { + "columnOrder": [ + "ebbe371e-c41c-404a-b40e-b28610cdcab8" + ], + "columns": { + "ebbe371e-c41c-404a-b40e-b28610cdcab8": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Total Public Exploit Vulnerability", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.public_exploit", + "index": "6a1c3042-4087-44c0-a950-624946feea03", + "key": "microsoft_defender_endpoint.vulnerability.public_exploit", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.public_exploit": true + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "59044096-edd2-4c17-9b59-05fcfc384e6b", + "layerType": "data", + "metricAccessor": "ebbe371e-c41c-404a-b40e-b28610cdcab8" + } + }, + "title": "Total Public Exploit Vulnerabilities", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.public_exploit", + "index": "logs-*", + "key": 
"microsoft_defender_endpoint.vulnerability.public_exploit", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "microsoft_defender_endpoint.vulnerability.public_exploit": true + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "274078cb-5fb3-43cd-a025-1eb787e93a5e", + "w": 8, + "x": 10, + "y": 6 + }, + "panelIndex": "274078cb-5fb3-43cd-a025-1eb787e93a5e", + "title": "Total Public Exploit Vulnerabilities [Logs Microsoft Defender Endpoint]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7f9d3821-7e68-4bb8-a189-190e04533a7d": { + "columnOrder": [ + "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" + ], + "columns": { + "f2dc92c3-ebd9-4846-98ce-bda90b9c7505": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Affected Products", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "microsoft_defender_endpoint.vulnerability.affected_machine.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "7f9d3821-7e68-4bb8-a189-190e04533a7d", + "layerType": "data", + "metricAccessor": "f2dc92c3-ebd9-4846-98ce-bda90b9c7505" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", + "w": 8, + "x": 10, + "y": 12 + }, + "panelIndex": "2bb8f3a4-3123-413d-aacc-2e7c2721b468", + "title": "Total Affected Products [Logs Microsoft Defender Endpoint]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "693c18a1-a856-4f59-a87e-6f58ecb73834": { + "columnOrder": [ + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d", + "689d4347-c58d-469b-8703-104286c8497a" + ], + "columns": { + "689d4347-c58d-469b-8703-104286c8497a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f70ba21e-c3f3-4541-9690-3d5bddf9a19d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Vulnerability Updated On Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "ignoreTimeRange": true, + "includeEmptyRows": true, + "interval": "30d" + }, + "scale": "interval", + "sourceField": "microsoft_defender_endpoint.vulnerability.updated_on" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + 
"indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "689d4347-c58d-469b-8703-104286c8497a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "693c18a1-a856-4f59-a87e-6f58ecb73834", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "f70ba21e-c3f3-4541-9690-3d5bddf9a19d" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "Vulnerabilities time line over First Seen", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "d50a1111-11a2-4540-b788-dd116022b873", + "w": 30, + "x": 18, + "y": 0 + }, + "panelIndex": "d50a1111-11a2-4540-b788-dd116022b873", + "title": "Vulnerability over Time [Logs Microsoft Defender Endpoint]", + "type": "lens" + }, + { + 
"embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f83347b5-978e-4753-a26a-d40d0a549867": { + "columnOrder": [ + "64974bb9-da5e-4df7-b627-40f953c6e2b4", + "bf620d80-f648-405b-94ac-3d6834fdb1a4" + ], + "columns": { + "64974bb9-da5e-4df7-b627-40f953c6e2b4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Platform", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf620d80-f648-405b-94ac-3d6834fdb1a4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.platform" + }, + "bf620d80-f648-405b-94ac-3d6834fdb1a4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Count of Machine ID", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "host.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + 
"type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f83347b5-978e-4753-a26a-d40d0a549867", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "bf620d80-f648-405b-94ac-3d6834fdb1a4" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "64974bb9-da5e-4df7-b627-40f953c6e2b4" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "OS Distribution of Affected Machines", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "be800cbb-a57d-440a-84e3-4233103d3bbb", + "w": 16, + "x": 16, + "y": 35 + }, + "panelIndex": "be800cbb-a57d-440a-84e3-4233103d3bbb", + "title": "Affected Machines by OS [Logs Microsoft Defender Endpoint]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c2ecbde4-fc03-46a3-a001-d384d24c2c0b": { + "columnOrder": [ + "4ab972e9-380a-426c-98e1-7acd0b9125d1", + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + ], + "columns": { + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": 
"vulnerability.id" + }, + "4ab972e9-380a-426c-98e1-7acd0b9125d1": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Vulnerabillity First Seen", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "ignoreTimeRange": true, + "includeEmptyRows": false, + "interval": "5m" + }, + "scale": "interval", + "sourceField": "microsoft_defender_endpoint.vulnerability.first_detected" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"microsoft_defender_endpoint.vulnerability\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "08b3cac5-98c3-4192-ad0f-0ca04e9e4b20" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "4ab972e9-380a-426c-98e1-7acd0b9125d1" + } + ], + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "auto", + "legendStats": [], + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + 
"tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "Vulnerabilities over Time", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"microsoft_defender_endpoint.vulnerability\"" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", + "w": 22, + "x": 10, + "y": 18 + }, + "panelIndex": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394", + "title": "Vulnerability over First Seen [Logs Microsoft Defender Endpoint]", + "type": "lens" + } + ], + "refreshInterval": { + "pause": true, + "value": 60000 + }, + "timeFrom": "now-4h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Microsoft Defender Endpoint] Vulnerability Overview", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-05-08T09:47:41.958Z", + "id": "microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec", + "name": "c457e5a3-7fc2-407c-b4a6-73cbca5c0406:panel_c457e5a3-7fc2-407c-b4a6-73cbca5c0406", + "type": "search" + }, + { + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "name": "72697a0d-690e-496e-9809-389acd1c5cc6:panel_72697a0d-690e-496e-9809-389acd1c5cc6", + "type": "visualization" + }, + { + "id": "microsoft_defender_endpoint-security-solution-default", + "name": "tag-ref-microsoft_defender_endpoint-security-solution-default", + "type": "tag" + }, + { + "id": "microsoft_defender_endpoint-security-solution-default", + "name": "tag-ref-security-solution-default", 
+ "type": "tag" + }, + { + "id": "logs-*", + "name": "1fc86dc4-4bd3-4484-9622-f6d14a335bed:indexpattern-datasource-layer-bb5c3bc7-2da1-4a15-b588-9e2fcda80836", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d64f578-66e2-49f3-ae06-911dae110ee7:indexpattern-datasource-layer-93fbd5b8-bcdd-402b-9efb-2a24a2da900f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cbade69a-97e6-4a08-8e43-4e0824a89840:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3f1d140f-1e01-4d38-a8ca-2ef62ca71315:indexpattern-datasource-layer-95d5d85e-ec68-4d5f-a5e8-f69441a959c0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "50be5d33-6110-4584-8163-29335c338697:indexpattern-datasource-layer-4f129361-0c18-4ba1-9994-a1e4e565c1e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:indexpattern-datasource-layer-d448b66c-867d-4229-b46b-098a674230f6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba0a469-16ee-4f04-ae89-a2aa29e299f1:cdc40fd4-75a6-4f65-aff2-ab1b69826140", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:indexpattern-datasource-layer-59044096-edd2-4c17-9b59-05fcfc384e6b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "274078cb-5fb3-43cd-a025-1eb787e93a5e:6a1c3042-4087-44c0-a950-624946feea03", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2bb8f3a4-3123-413d-aacc-2e7c2721b468:indexpattern-datasource-layer-7f9d3821-7e68-4bb8-a189-190e04533a7d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d50a1111-11a2-4540-b788-dd116022b873:indexpattern-datasource-layer-693c18a1-a856-4f59-a87e-6f58ecb73834", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be800cbb-a57d-440a-84e3-4233103d3bbb:indexpattern-datasource-layer-f83347b5-978e-4753-a26a-d40d0a549867", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "cd4342af-24cb-4c1c-b72f-3e0f9de7f394:indexpattern-datasource-layer-c2ecbde4-fc03-46a3-a001-d384d24c2c0b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_496b8374-9f81-43cb-9cbd-cc5859043d5e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ee7a009c-c029-4f58-b54d-71fbdf297630:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_a5663e6a-f7f7-4e77-ae24-5b54abad99d2:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_e7dd70a2-2ddd-4dfb-a2a3-b96bfa5b2d08:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60.json b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60.json index 8bb7fdfe579..6752715c161 100644 --- a/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60.json +++ b/packages/microsoft_defender_endpoint/kibana/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60.json @@ -20,7 +20,6 @@ "hideExclude": null, "hideExists": null, "hideSort": null, - "id": "534c79a7-3b8c-4098-8d35-8e5ff3add156", "placeholder": null, "runPastTimeout": null, "searchTechnique": "prefix", @@ -47,7 +46,6 @@ "hideExclude": null, "hideExists": null, "hideSort": null, - "id": "e019559c-76b8-4796-a18d-fb4156c0f1ff", "placeholder": null, "runPastTimeout": null, "searchTechnique": "prefix", 
@@ -74,7 +72,6 @@ "hideExclude": null, "hideExists": null, "hideSort": null, - "id": "f8b3cc46-d28f-4485-a7bf-8b429713cec4", "placeholder": null, "runPastTimeout": null, "searchTechnique": "prefix", @@ -157,7 +154,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Microsoft Defender for Endpoint**\n\n- [Overview](#/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55)\n- **Machine Overview**\n- [Machine Action Overview](#/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215)\n\n**Overview**\n\nThis dashboard displays key insights based on machine logs from the Microsoft Defender for Endpoint integration. It includes metrics for active, inactive and total machines, visual breakdowns of machines by health status, operating system, exposure level, and risk level, along with detailed information about each machine.\n\n[Integration Page](/app/integrations/detail/microsoft_defender_endpoint/overview)", + "markdown": "**Navigation**\n\n**Microsoft Defender for Endpoint**\n\n- [Overview](#/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55)\n- **Machine Overview**\n- [Machine Action Overview](#/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215)\n- [Vulnerability Overview](#/dashboard/microsoft_defender_endpoint-afb93ff7-9903-4d91-9028-9fe9c5a434f8)\n\n**Overview**\n\nThis dashboard displays key insights based on machine logs from the Microsoft Defender for Endpoint integration. It includes metrics for active, inactive and total machines, visual breakdowns of machines by health status, operating system, exposure level, and risk level, along with detailed information about each machine.\n\n[Integration Page](/app/integrations/detail/microsoft_defender_endpoint/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -1215,7 +1212,7 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-04-12T16:39:38.206Z", + "created_at": "2025-05-08T09:47:40.934Z", "id": "microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60", "managed": false, "references": [ @@ -1224,6 +1221,16 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, + { + "id": "microsoft_defender_endpoint-security-solution-default", + "name": "tag-ref-microsoft_defender_endpoint-security-solution-default", + "type": "tag" + }, + { + "id": "microsoft_defender_endpoint-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + }, { "id": "logs-*", "name": "6e10a325-39f7-4343-beb7-e76e6e432252:indexpattern-datasource-layer-4a8f8bb3-3fdb-4bbb-be6e-1738d2423e4d", 
@@ -1271,35 +1278,26 @@ }, { "id": "logs-*", - "name": "controlGroup_94cd7286-1ea1-44ac-bc15-540c2b6c67ee:optionsListDataView", + "name": "controlGroup_f8b3cc46-d28f-4485-a7bf-8b429713cec4:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_aa52f050-d193-4bc9-8619-a26b3fc42785:optionsListDataView", + "name": "controlGroup_e019559c-76b8-4796-a18d-fb4156c0f1ff:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_4ce05081-9ec4-47d3-927b-404e29c67d53:optionsListDataView", + "name": "controlGroup_534c79a7-3b8c-4098-8d35-8e5ff3add156:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" - }, - { - "id": "microsoft_defender_endpoint-security-solution-default", - "name": "tag-ref-microsoft_defender_endpoint-security-solution-default", - "type": "tag" - }, - { - "id": "microsoft_defender_endpoint-security-solution-default", - "name": "tag-ref-security-solution-default", - "type": "tag" } ], "type": "dashboard", - "typeMigrationVersion": "10.2.0" + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" } \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json b/packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json new file mode 100644 index 00000000000..af4db767133 --- /dev/null +++ b/packages/microsoft_defender_endpoint/kibana/search/microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec.json 
@@ -0,0 +1,81 @@ +{ + "attributes": { + "columns": [ + "microsoft_defender_endpoint.vulnerability.affected_machine.last_seen", + "host.id", + "host.ip", + "host.name", + "vulnerability.id", + "host.os.name", + "host.risk.calculated_level", + "microsoft_defender_endpoint.vulnerability.affected_machine.health_status", + "microsoft_defender_endpoint.vulnerability.affected_machine.is_potential_duplication" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "microsoft_defender_endpoint.vulnerability.affected_machine.id", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "microsoft_defender_endpoint.vulnerability.affected_machine.id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "microsoft_defender_endpoint.vulnerability.affected_machine.id" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "microsoft_defender_endpoint.vulnerability.updated_on", + "desc" + ] + ], + "timeRestore": false, + "title": "Affected Machines Essential Details [Logs Microsoft Defender Endpoint]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-05-08T08:59:15.497Z", + "id": "microsoft_defender_endpoint-4e5cb35c-7a18-4f29-bb69-7e30ab9bbdec", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "microsoft_defender_endpoint-security-solution-default", + "name": "tag-ref-microsoft_defender_endpoint-security-solution-default", + "type": "tag" + } 
+ ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json b/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json index a55ca38889d..c13a852858a 100644 --- a/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json +++ b/packages/microsoft_defender_endpoint/kibana/tag/microsoft_defender_endpoint-security-solution-default.json @@ -1,11 +1,11 @@ { "attributes": { - "color": "#D36086", + "color": "#F583B7", "description": "Tag defined in package-spec", "name": "Security Solution" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-04-12T16:36:10.225Z", + "created_at": "2025-05-07T11:01:44.111Z", "id": "microsoft_defender_endpoint-security-solution-default", "managed": true, "references": [], diff --git a/packages/microsoft_defender_endpoint/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json b/packages/microsoft_defender_endpoint/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json new file mode 100644 index 00000000000..55d41e978ea --- /dev/null +++ b/packages/microsoft_defender_endpoint/kibana/visualization/microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7.json 
@@ -0,0 +1,34 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Table of Contents", + "uiStateJSON": {}, + "version": "1", + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Microsoft Defender for Endpoint**\n\n- [Overview](#/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55)\n- [Machine Overview](#/dashboard/microsoft_defender_endpoint-c89734ca-ab7f-419d-b665-50076cceee60)\n- [Machine Action Overview](#/dashboard/microsoft_defender_endpoint-6a043fee-1e3d-454b-96d1-159e6efce215)\n- **Vulnerability Overview**\n\n**Overview**\n\nThis dashboard is designed to provide a comprehensive view of vulnerability data and affected machine ingested from Microsoft Defender Endpoint.\n\nIt highlights total public and verified exploit counts, trends over time, and the top affected hosts and software. Visuals include severity breakdowns, CVE supportability, OS distribution, and essential vulnerability details for deeper analysis.\n\n[Integration Page](/app/integrations/detail/microsoft_defender_endpoint/overview)", + "openLinksInNewTab": false + }, + "title": "Table of Contents", + "type": "markdown" + } + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-05-08T08:59:15.497Z", + "id": "microsoft_defender_endpoint-4f3a6702-9642-4392-9b34-ceb1447e09a7", + "managed": true, + "references": [], + "type": "visualization", + "typeMigrationVersion": "8.5.0" +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/manifest.yml b/packages/microsoft_defender_endpoint/manifest.yml index fa4c898f965..89a052c1d92 100644 --- a/packages/microsoft_defender_endpoint/manifest.yml +++ b/packages/microsoft_defender_endpoint/manifest.yml 
@@ -1,7 +1,7 @@ -format_version: "3.2.3" +format_version: "3.3.2" name: microsoft_defender_endpoint title: Microsoft Defender for Endpoint -version: "2.37.0" +version: "2.38.0" description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent. categories: - "security" @@ -22,6 +22,9 @@ policy_templates: organization: security division: engineering team: security-service-integrations + resources: + requests: + memory: 4Gi # Due to the large volume of data being processed in memory, a 4 GB allocation is required for agentless deployment-anything less may lead to out-of-memory (OOM) issue. inputs: - type: httpjson title: "Collect Microsoft Defender for Endpoint logs via API" @@ -142,6 +145,10 @@ screenshots: title: Machine Action Overview Dashboard size: 600x600 type: image/png + - src: /img/microsoft_defender_endpoint-vulnerability_overview.png + title: Vulnerability Overview Dashboard + size: 600x600 + type: image/png owner: github: elastic/security-service-integrations type: elastic
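Review bot: Typo in the "Vulnerabilities over Time" Lens panel of the new Vulnerability Overview dashboard: the date_histogram column label reads "Vulnerabillity First Seen". The same column combines `"interval": "5m"` with `"ignoreTimeRange": true` over `microsoft_defender_endpoint.vulnerability.first_detected`, so the full history of first-detected dates is bucketed at five-minute granularity regardless of the time picker; for a trend that spans months this produces an enormous bucket count and can run into the bucket limits. Suggest `"interval": "auto"` (or a daily interval). The Lens title "Vulnerabilities over Time" and the panel title "Vulnerability over First Seen [Logs Microsoft Defender Endpoint]" should also agree; "Vulnerabilities by First Seen" reads better for both.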
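Review bot: Duplicate entry in the new Vulnerability Overview dashboard's `references`: `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` pointing at `logs-*` appears both as the first element and again as the last one; drop one copy. In the same object, `"managed": false` on the dashboard while the new saved search, the markdown visualization and the tag all carry `"managed": true`; confirm which value is intended so the assets in this package are consistent.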
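Review bot: In the Machine Overview dashboard (`microsoft_defender_endpoint-c89734ca-...`), the three control `"id"` values removed from the control group panels (`534c79a7-...`, `e019559c-...`, `f8b3cc46-...`) reappear as the keys in the renamed `controlGroup_<id>:optionsListDataView` references, replacing the old `94cd7286-...`, `aa52f050-...` and `4ce05081-...` names. That only resolves if the control group's panel map uses those same ids as keys; please confirm the panel keys elsewhere in the file match, since a reference name that does not match a panel key leaves that options-list control without a data view.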
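Review bot: `"updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"` is added to both dashboards and the rewritten `created_at` on the Machine Overview dashboard and the tag are export artefacts tied to the Kibana instance and user that exported them; they carry no meaning inside the package. Suggest stripping `updated_by` and leaving `created_at` unchanged on assets whose content did not otherwise change, to keep the diff to the real edits.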
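Review bot: The new saved search "Affected Machines Essential Details" sorts on `microsoft_defender_endpoint.vulnerability.updated_on` but that field is not in `columns`, so the ordering of rows is not visible to the reader; add it to the column list. The `exists` filter on `microsoft_defender_endpoint.vulnerability.affected_machine.id` with an empty KQL query scopes the `logs-*` data view to this dataset by field presence, which is fine, but the other panels on the dashboard use `event.dataset : "microsoft_defender_endpoint.vulnerability"`; using the same dataset filter here keeps the panels consistent.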
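Review bot: Grammar and product naming in the new "Table of Contents" markdown: "a comprehensive view of vulnerability data and affected machine ingested from Microsoft Defender Endpoint" should read "vulnerability data and affected machines ingested from Microsoft Defender for Endpoint" (the product name used in the manifest title and in the navigation heading of the same markdown).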
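Review bot: In the manifest hunk that adds `resources.requests.memory: 4Gi`, the comment runs "deployment-anything less may lead to out-of-memory (OOM) issue"; the hyphen joins two sentences and the noun should be plural, so "deployment; anything less may lead to out-of-memory (OOM) issues". Since the comment states a hard requirement for agentless deployments, the same sentence belongs in the README so that users who never read the manifest see it. Also confirm the screenshot `/img/microsoft_defender_endpoint-vulnerability_overview.png` referenced by the new `screenshots` entry is added in this PR; it does not appear in this part of the diff.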