[Microsoft_Defender_Cloud] Initial Release for the Microsoft Defender for Cloud #6593
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
💚 Build Succeeded
History
|
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
🌐 Coverage report
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
efd6
reviewed
Jun 28, 2023
.github/CODEOWNERS
Outdated
| @@ -242,3 +242,4 @@ | |||
| /packages/statsd_input @elastic/obs-infraobs-integrations | |||
| /packages/zeronetworks @elastic/security-external-integrations | |||
| /packages/prometheus_input @elastic/obs-infraobs-integrations | |||
| /packages/microsoft_defender_cloud @elastic/security-external-integrations | |||
There was a problem hiding this comment.
Please add this in sort order.
|
|
||
| ## Data streams | ||
|
|
||
| The Microsoft Defender for Cloud integration collects one type of data : event. |
There was a problem hiding this comment.
Suggested change
| The Microsoft Defender for Cloud integration collects one type of data : event. | |
| The Microsoft Defender for Cloud integration collects one type of data: event. |
|
|
||
| ### To collect data from Microsoft Azure Event Hub, follow the below steps: | ||
|
|
||
| - Configure the microsoft defender for cloud on azure subscription. For more detail, refer to the link [here](https://learn.microsoft.com/en-us/azure/defender-for-cloud/get-started). |
There was a problem hiding this comment.
Suggested change
| - Configure the microsoft defender for cloud on azure subscription. For more detail, refer to the link [here](https://learn.microsoft.com/en-us/azure/defender-for-cloud/get-started). | |
| - Configure the Microsoft Defender for Cloud on Azure subscription. For more detail, refer to the link [here](https://learn.microsoft.com/en-us/azure/defender-for-cloud/get-started). |
| on_failure: | ||
| - append: | ||
| field: error.message | ||
| value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' |
There was a problem hiding this comment.
This is not currently a correct message; it includes a reference to "fail-{{{_ingest.on_failure_processor_tag}}}" which is not placed anywhere. There are cases where this is done in other packages, but this is not done consistently where this error message is used. We need to make a decision about whether the machine-friendly tag version is going to be used and make sure the human-friendly message is consistent with that.
There was a problem hiding this comment.
The format that's here includes reference to "fail-{{{_ingest.on_failure_processor_tag}}}" as a tag. There is no tag of that format added in this pipeline. This was done in 74f8fc4 for checkpoint, and I think for some others in other commits. Either we should remove this reference to the tag or the tag should be added as it is in that commit. I don't know which is the better solution. @P1llus do you have a view?
It probably should suffice to remove the "fail-" prefix.
There was a problem hiding this comment.
@efd6 - I recall the discussion on this, and we opted against using the -fail processor because if the pipeline reaches the -fail processor, it will stop the execution of any further code. I agree on removing fail- suffix as with that whole message looks mess up with fail keywords.
There was a problem hiding this comment.
The alternative would be to add the "fail-{{{_ingest.on_failure_processor_tag}}}" value to error.message as well, but I agree, not doing that and trimming the prefix is probably the way to go.
Comment on lines
66
to
70
| - set: | ||
| field: event.type | ||
| value: [indicator] | ||
| tag: set_event_type | ||
| if: ctx.json?.alerttype != null && ['arm_anomalousserviceoperation.credentialaccess','arm_anomalousserviceoperation.collection','arm_anomalousserviceoperation.defenseevasion','arm_anomalousserviceoperation.execution','arm_anomalousserviceoperation.impact','arm_anomalousserviceoperation.initialaccess','arm_anomalousserviceoperation.lateralmovement','arm_anomalousserviceoperation.persistence','arm_anomalousserviceoperation.privilegeescalation','arm_unusedaccountpersistence','arm_unusedapppowershellpersistence','arm_unusedappibizapersistence','arm_privilegedroledefinitioncreation','arm_anomalousrbacroleassignment','arm_anomalousoperation.credentialaccess','arm_anomalousoperation.collection','arm_anomalousoperation.defenseevasion','arm_anomalousoperation.execution','arm_anomalousoperation.impact','arm_anomalousoperation.initialaccess','arm_anomalousoperation.lateralmovement','arm_anomalousoperation.persistence','arm_anomalousoperation.privilegeescalation','arm_microburst.runcodeonbehalf','arm_netspi.maintainpersistence','arm_powerzure.runcodeonbehalf','arm_powerzure.maintainpersistence','arm_anomalousclassicroleassignment'].contains(ctx.json.alerttype.toLowerCase()) |
There was a problem hiding this comment.
I'm wondering if this would not be improved from a code maintenance perspective by making it like so:
Suggested change
| - set: | |
| field: event.type | |
| value: [indicator] | |
| tag: set_event_type | |
| if: ctx.json?.alerttype != null && ['arm_anomalousserviceoperation.credentialaccess','arm_anomalousserviceoperation.collection','arm_anomalousserviceoperation.defenseevasion','arm_anomalousserviceoperation.execution','arm_anomalousserviceoperation.impact','arm_anomalousserviceoperation.initialaccess','arm_anomalousserviceoperation.lateralmovement','arm_anomalousserviceoperation.persistence','arm_anomalousserviceoperation.privilegeescalation','arm_unusedaccountpersistence','arm_unusedapppowershellpersistence','arm_unusedappibizapersistence','arm_privilegedroledefinitioncreation','arm_anomalousrbacroleassignment','arm_anomalousoperation.credentialaccess','arm_anomalousoperation.collection','arm_anomalousoperation.defenseevasion','arm_anomalousoperation.execution','arm_anomalousoperation.impact','arm_anomalousoperation.initialaccess','arm_anomalousoperation.lateralmovement','arm_anomalousoperation.persistence','arm_anomalousoperation.privilegeescalation','arm_microburst.runcodeonbehalf','arm_netspi.maintainpersistence','arm_powerzure.runcodeonbehalf','arm_powerzure.maintainpersistence','arm_anomalousclassicroleassignment'].contains(ctx.json.alerttype.toLowerCase()) | |
| - set: | |
| field: event.type | |
| value: [indicator] | |
| tag: set_event_type | |
| if: | | |
| ctx.json?.alerttype != null && [ | |
| 'arm_anomalousserviceoperation.credentialaccess', | |
| 'arm_anomalousserviceoperation.collection', | |
| 'arm_anomalousserviceoperation.defenseevasion', | |
| 'arm_anomalousserviceoperation.execution', | |
| 'arm_anomalousserviceoperation.impact', | |
| 'arm_anomalousserviceoperation.initialaccess', | |
| 'arm_anomalousserviceoperation.lateralmovement', | |
| 'arm_anomalousserviceoperation.persistence', | |
| 'arm_anomalousserviceoperation.privilegeescalation', | |
| 'arm_unusedaccountpersistence', | |
| 'arm_unusedapppowershellpersistence', | |
| 'arm_unusedappibizapersistence', | |
| 'arm_privilegedroledefinitioncreation', | |
| 'arm_anomalousrbacroleassignment', | |
| 'arm_anomalousoperation.credentialaccess', | |
| 'arm_anomalousoperation.collection', | |
| 'arm_anomalousoperation.defenseevasion', | |
| 'arm_anomalousoperation.execution', | |
| 'arm_anomalousoperation.impact', | |
| 'arm_anomalousoperation.initialaccess', | |
| 'arm_anomalousoperation.lateralmovement', | |
| 'arm_anomalousoperation.persistence', | |
| 'arm_anomalousoperation.privilegeescalation', | |
| 'arm_microburst.runcodeonbehalf', | |
| 'arm_netspi.maintainpersistence', | |
| 'arm_powerzure.runcodeonbehalf', | |
| 'arm_powerzure.maintainpersistence', | |
| 'arm_anomalousclassicroleassignment' | |
| ].contains(ctx.json.alerttype.toLowerCase()) |
(similar below)
| return updatedJson; | ||
| } | ||
|
|
||
| def keyMap = new HashMap(); |
There was a problem hiding this comment.
Can this not be defined as a parameter map? (similar elsewhere)
| ignore_missing: true | ||
| - foreach: | ||
| field: microsoft_defender_cloud.event.entities | ||
| if: ctx.microsoft_defender_cloud?.event?.entities != null && ctx.microsoft_defender_cloud.event.entities instanceof List |
There was a problem hiding this comment.
Suggested change
| if: ctx.microsoft_defender_cloud?.event?.entities != null && ctx.microsoft_defender_cloud.event.entities instanceof List | |
| if: ctx.microsoft_defender_cloud?.event?.entities instanceof List |
and similar below
packages/microsoft_defender_cloud/data_stream/event/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
15 tasks
efd6
reviewed
Jul 9, 2023
| if: ctx.microsoft_defender_cloud?.event?.entities != null && ctx.microsoft_defender_cloud.event.entities instanceof List | ||
| processor: | ||
| foreach: | ||
| field: _ingest._value.ip_adresses |
| "hostname": "host_name" | ||
| "imagefile": "image_file" | ||
| "imageid": "image_id" | ||
| "ipadresses": "ip_adresses" |
There was a problem hiding this comment.
Suggested change
| "ipadresses": "ip_adresses" | |
| "ipadresses": "ip_addresses" |
| convert: | ||
| field: _ingest._value.address | ||
| type: ip | ||
| tag: convert_ip_adresses_address_to_ip |
There was a problem hiding this comment.
Suggested change
| tag: convert_ip_adresses_address_to_ip | |
| tag: convert_ip_addresses_address_to_ip |
| ignore_failure: true | ||
| processor: | ||
| foreach: | ||
| field: _ingest._value.ip_adresses |
There was a problem hiding this comment.
Suggested change
| field: _ingest._value.ip_adresses | |
| field: _ingest._value.ip_addresses |
| ignore_failure: true | ||
| processor: | ||
| foreach: | ||
| field: _ingest._value.ip_adresses |
There was a problem hiding this comment.
Suggested change
| field: _ingest._value.ip_adresses | |
| field: _ingest._value.ip_addresses |
| convert: | ||
| field: _ingest._value.asset | ||
| type: boolean | ||
| tag: convert_ip_adresses_asset_to_boolean |
There was a problem hiding this comment.
Suggested change
| tag: convert_ip_adresses_asset_to_boolean | |
| tag: convert_ip_addresses_asset_to_boolean |
| convert: | ||
| field: _ingest._value.location.asn | ||
| type: long | ||
| tag: convert_ip_adresses_location_asn_to_long |
There was a problem hiding this comment.
Suggested change
| tag: convert_ip_adresses_location_asn_to_long | |
| tag: convert_ip_addresses_location_asn_to_long |
| ignore_failure: true | ||
| processor: | ||
| foreach: | ||
| field: _ingest._value.ip_adresses |
There was a problem hiding this comment.
Suggested change
| field: _ingest._value.ip_adresses | |
| field: _ingest._value.ip_addresses |
| type: keyword | ||
| - name: image_id | ||
| type: keyword | ||
| - name: ip_adresses |
There was a problem hiding this comment.
Suggested change
| - name: ip_adresses | |
| - name: ip_addresses |
There was a problem hiding this comment.
Can this be downscaled? It's currently 1.23MB.
…astic/integrations into microsoft_defender_cloud-0.1.0
efd6
reviewed
Jul 10, 2023
| {"VendorName":"Microsoft","AlertType":"ARM_AnomalousServiceOperation.CredentialAccess","ProductName":"Microsoft Defender for Cloud","StartTimeUtc":"2023-05-11T13:15:45.0170422Z","EndTimeUtc":"2023-05-11T13:15:45.0170422Z","TimeGenerated":"2023-05-11T13:17:09.0170422Z","ProcessingEndTime":"2023-05-11T13:17:09.0170422Z","Severity":"Medium","Status":"New","ProviderAlertStatus":null,"ConfidenceLevel":null,"ConfidenceScore":null,"ConfidenceReasons":null,"IsIncident":false,"SystemAlertId":"2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d","CorrelationKey":null,"Intent":"PreAttack","AzureResourceId":"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM","WorkspaceId":"00000000-0000-0000-0000-000000000001","WorkspaceSubscriptionId":"00000000-0000-0000-0000-000000000001","WorkspaceResourceGroup":"Sample-RG","AgentId":null,"CompromisedEntity":"Sample-VM","AlertDisplayName":"[SAMPLE ALERT] Login from a suspicious IP","Description":"THIS IS A SAMPLE ALERT: Your resource has been accessed successfully from an IP address that Microsoft Threat Intelligence has associated with suspicious activity.","Entities":[{"$id":"5","Address":"81.2.69.142","Location":{"CountryCode":"US","CountryName":"United States","State":"Virginia","City":"Washington","Longitude":-78.17197,"Latitude":38.73078,"Asn":8075},"ThreatIntelligence":[{"ProviderName":"AlertSimulator","ThreatType":"Sample-Type","ThreatName":"Sample-Threat","Confidence":1,"ThreatDescription":""}],"Asset":false,"Type":"ip"},{"$id":"6","ImageId":"sample-image:v1","Asset":false,"Type":"container-image"},{"$ref":"6"},{"$id":"5","DnsDomain":"","NTDomain":"","HostName":"Sample-VM","NetBiosName":"Sample-VM","AzureID":"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM","OMSAgentID":"00000000-0000-0000-0000-000000000001","OSFamily":"Linux","OSVersion":"Linux","Asset":false,"Type":"host"},{"$id":"6","ProcessId":"0x1e49a","CommandLine":"","Host":{"$ref":"5"},"Asset":false,"Type":"process"},{"$id":"7","Name":"Sample-account","Host":{"$ref":"5"},"Sid":"","Asset":false,"Type":"account","LogonId":"0xbd6e"},{"$id":"9","ProcessId":"0x1e99b","CommandLine":"php","CreationTimeUtc":"2023-05-11T13:17:49.1333596Z","ImageFile":{"$ref":"8"},"Account":{"$ref":"7"},"ParentProcess":{"$ref":"6"},"Host":{"$ref":"5"},"Asset":false,"Type":"process"},{"$id":"5","DomainName":"sample.domain","IpAddresses":[{"$id":"6","Address":"81.2.69.142","Location":{"CountryCode":"US","CountryName":"United States","State":"California","City":"San Francisco","Longitude":0,"Latitude":0,"Asn":0},"Asset":false,"Type":"ip"}],"HostIpAddress":{"$ref":"6"},"Asset":false,"Type":"dns"},{"$id":"6","Address":"81.2.69.142","Location":{"CountryCode":"sample","CountryName":"united states","State":"texas","City":"san antonio","Longitude":0,"Latitude":0,"Asn":0,"Carrier":"sample","Organization":"sample-organization","OrganizationType":"sample-organization","CloudProvider":"Azure","SystemService":"sample"},"ThreatIntelligence":[{"ProviderName":"Sample-Provider","ThreatType":"Sample-Threat","ThreatName":"Sample-Threat","Confidence":0.8,"ThreatDescription":"Sample-Threat"}],"Asset":false,"Type":"ip"},{"$id":"5","HostName":"Sample-VM","AzureID":"/SUBSCRIPTIONS/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Compute/virtualMachines/Sample-VM","OMSAgentID":"00000000-0000-0000-0000-000000000000","Asset":false,"Type":"host"},{"$id":"7","Directory":"Sample-fileShare/dummy/path/to","Name":"Sample-Name","FileHashes":[{"$id":"8","Algorithm":"MD5","Value":"Sample-SHA","Asset":false,"Type":"filehash"}],"Asset":false,"Type":"file"},{"$id":"9","Name":"Sample-Name","Category":"Virus","Files":[{"$ref":"8"}],"Asset":false,"Type":"malware"},{"$id":"5","DomainName":"sample.domain","IpAddresses":[{"$id":"6","Address":"81.2.69.142","Location":{"CountryCode":"US","CountryName":"United States","State":"California","City":"San Francisco","Longitude":0,"Latitude":0,"Asn":0},"Asset":false,"Type":"ip"}],"HostIpAddress":{"$ref":"6"},"Asset":false,"Type":"dns"},{"$id":"7","Name":"Sample-account","NTDomain":"Sample-VM","Host":{"$ref":"5"},"Sid":"S-1-5-21-3061399664-1673012318-3185014992-20022","IsDomainJoined":false,"Asset":false,"Type":"account","LogonId":"0x427d8dd9"},{"$id":"7","Name":"Sample-namespace","Cluster":{"$ref":"5"},"Asset":false,"Type":"K8s-namespace"},{"$id":"8","Name":"sample-pod","Namespace":{"$ref":"7"},"Asset":false,"Type":"K8s-pod"},{"$id":"9","Name":"sample-container","Image":{"$ref":"4"},"Pod":{"$ref":"8"},"Asset":false,"Type":"container"},{"$id":"10","ProjectId":"012345678901","ResourceType":"GCP Resource","ResourceName":"Sample-Cluster","Location":"us-central1-c","LocationType":"Zonal","Asset":true,"Type":"gcp-resource","RelatedAzureResourceIds":["/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c"]},{"$id":"7","Name":"Sample-Name","BlobContainer":{"$ref":"5"},"Url":"https://Sample-Storage.blob.core.windows.net/Sample/Sample.txt","Etag":"Sample-Tag","Asset":false,"Type":"blob"},{"$id":"5","Name":"sample","UPNSuffix":"contoso.com","AadTenantId":"00000000-0000-0000-0000-000000000000","AadUserId":"00000000-0000-0000-0000-000000000000","Asset":false,"Type":"account"},{"$id":"5","CloudResource":{"$ref":"4"},"Asset":false,"Type":"K8s-cluster"},{"$id":"8","Directory":"https://Sample-Storage.blob.core.windows.net/Sample","Name":"Sample-Name","FileHashes":[{"$ref":"6"}],"Asset":false,"Type":"file"},{"$id":"10","ProjectId":"012345678901","ResourceType":"GCP Resource","ResourceName":"Sample-Cluster","Location":"us-central1-c","LocationType":"Zonal","Asset":true,"Type":"gcp-resource","RelatedAzureResourceIds":["/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroups/Sample-RG/providers/Microsoft.Security/securityConnectors/gcp-connector/securityentitydata/gcp-clusters-sample-cluster-us-central1-c"]},{"$id":"6","SourceAddress":{"$ref":"5"},"Protocol":"Tcp","Asset":false,"Type":"network-connection"},{"$id":"7","Name":"Sample-Name","StorageResource":{"$ref":"4"},"Asset":false,"Type":"blob-container"},{"$id":"7","ContainerId":"cc8ec8580f4c","Image":{"$ref":"6"},"Asset":false,"Type":"container"},{"$id":"5","Address":"81.2.69.142","Location":{"CountryCode":"IN","CountryName":"United States","State":"Virginia","City":"Washington","Longitude":-78.17197,"Latitude":38.73078,"Asn":8075},"ThreatIntelligence":[{"ProviderName":"AlertSimulator","ThreatType":"Sample-Type","ThreatName":"Sample-Threat","Confidence":1,"ThreatDescription":""}],"Asset":false,"Type":"ip"}],"ExtendedLinks":[{"Href":"https://blog.netspi.com/gathering-bearer-tokens-azure/","Category":null,"Label":"NetSPI blogpost","Type":"webLink"},{"Href":"https://github.com/NetSPI/MicroBurst/blob/master/REST/Get-AZStorageKeysREST.ps1","Category":null,"Label":"MicroBurst source code","Type":"webLink"}],"ResourceIdentifiers":[{"$id":"2","AzureResourceId":"/subscriptions/12cabcb4-86e8-404f-a3d2-1dc9982f45ca","Type":"AzureResource","AzureResourceTenantId":"aa40685b-417d-4664-b4ec-8f7640719adb"},{"$id":"3","AadTenantId":"aa40685b-417d-4664-b4ec-8f7640719adb","Type":"AAD"},{"$id":"3","WorkspaceId":"00000000-0000-0000-0000-000000000001","WorkspaceSubscriptionId":"00000000-0000-0000-0000-000000000001","WorkspaceResourceGroup":"Sample-RG","AgentId":"00000000-0000-0000-0000-00000000000","Type":"LogAnalytics"}],"RemediationSteps":["Go to the firewall settings in order to lock down the firewall as tightly as possible."],"ExtendedProperties":{"resourceType":"Virtual Machine","Investigation steps":"{\"displayValue\":\"How to investigate this alert using logs at your Log Analytics workspace.\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2091064\"}","Potential causes":"An attacker has accessed your database from a potentially suspicious IP; a legitimate user has accessed your database from a potentially suspicious IP.","Client principal name":"Sample-user","Alert Id":"00000000-0000-0000-0000-000000000000","Client IP address":"81.2.69.142","Client IP location":"Sample","Client application":"Sample-app","OMS workspace ID":"00000000-0000-0000-0000-000000000001","OMS agent ID":"00000000-0000-0000-0000-000000000001"},"AlertUri":"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517184898549829577_cdcf9f94-ec53-47a6-ab87-76130f87218d/subscriptionId/12cabcb4-86e8-404f-a3d2-1dc9982f45ca/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus"} |
There was a problem hiding this comment.
Can I confirm that the data comes from the API with the correct spelling?
There was a problem hiding this comment.
Yes , we have verified that and it's identical.
efd6
approved these changes
Jul 11, 2023
|
Package microsoft_defender_cloud - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_defender_cloud |
gizas
pushed a commit
that referenced
this pull request
Sep 5, 2023
… for Cloud (#6593) * Initial Release * Update the changelog entry * Indentified Readme changes from comments on other integration and resolved * Resolve review comments * Conflicts Resolve * Review comments resolve
andrewkroh
added
the
Integration:microsoft_defender_cloud
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Integration release checklist
This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.
All changes
New Package
Dashboards changes
Log dataset changes
How to test this PR locally
Related issues
Screenshots