[Filebeat][New Module] Adding support for Microsoft Defender ATP (ela…

…stic#19197) What does this PR do? This PR adds the initial beta support for Microsoft Defender ATP. Why is it important? Adds new products to the supported list for filebeat Co-authored-by: Lee E. Hinman <lee.e.hinman@elastic.co> (cherry picked from commit fead071)
marc-gr · Jul 14, 2020 · 84b3355 · 84b3355
1 parent 09daf92
commit 84b3355
Show file tree

Hide file tree

Showing 19 changed files with 1,366 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -518,6 +518,28 @@ field. You can revert this change by configuring tags for the module and omittin
 - Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376]
 - Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956]
 - Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121]
+- Added Microsoft Defender ATP Module. {issue}17997[17997] {pull}19197[19197]
+- Add experimental dataset tomcat/log for Apache TomCat logs {pull}19713[19713]
+- Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs {pull}19713[19713]
+- Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs {pull}19713[19713]
+- Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs {pull}19713[19713]
+- Add experimental dataset bluecoat/director for Bluecoat Director logs {pull}19713[19713]
+- Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713]
+- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713]
+- Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713]
+- Add experimental dataset f5/firepass for F5 FirePass SSL VPN logs {pull}19713[19713]
+- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713]
+- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713]
+- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713]
+- Add experimental dataset juniper/junos for Juniper Junos OS logs {pull}19713[19713]
+- Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs {pull}19713[19713]
+- Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs {pull}19713[19713]
+- Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs {pull}19713[19713]
+- Add experimental dataset rapid7/nexpose for Rapid7 Nexpose logs {pull}19713[19713]
+- Add experimental dataset radware/defensepro for Radware DefensePro logs {pull}19713[19713]
+- Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs {pull}19713[19713]
+- Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713]
+- Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713]
 - Add initial support for configurable file identity tracking. {pull}18748[18748]
 
 *Heartbeat*

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -44,6 +44,7 @@ grouped in the following categories:
 * <<exported-fields-kubernetes-processor>>
 * <<exported-fields-log>>
 * <<exported-fields-logstash>>
+* <<exported-fields-microsoft>>
 * <<exported-fields-misp>>
 * <<exported-fields-mongodb>>
 * <<exported-fields-mssql>>
@@ -25739,6 +25740,197 @@ alias to: event.duration
 
 --
 
+[[exported-fields-microsoft]]
+== Microsoft fields
+
+Microsoft Module
+
+
+
+[float]
+=== microsoft
+
+Fields from Microsoft ATP
+
+
+
+[float]
+=== defender_atp
+
+Module for ingesting Microsoft Defender ATP.
+
+
+
+*`microsoft.defender_atp.lastUpdateTime`*::
++
+--
+The date and time (in UTC) the alert was last updated.
+
+
+type: date
+
+--
+
+*`microsoft.defender_atp.resolvedTime`*::
++
+--
+The date and time in which the status of the alert was changed to 'Resolved'.
+
+
+type: date
+
+--
+
+*`microsoft.defender_atp.incidentId`*::
++
+--
+The Incident ID of the Alert.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.investigationId`*::
++
+--
+The Investigation ID related to the Alert.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.investigationState`*::
++
+--
+The current state of the Investigation.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.assignedTo`*::
++
+--
+Owner of the alert.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.status`*::
++
+--
+Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.classification`*::
++
+--
+Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.determination`*::
++
+--
+Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.threatFamilyName`*::
++
+--
+Threat family.
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.rbacGroupName`*::
++
+--
+User group related to the alert
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.evidence.domainName`*::
++
+--
+Domain name related to the alert
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.evidence.ipAddress`*::
++
+--
+IP address involved in the alert
+
+
+type: ip
+
+--
+
+*`microsoft.defender_atp.evidence.aadUserId`*::
++
+--
+ID of the user involved in the alert
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.evidence.accountName`*::
++
+--
+Username of the user involved in the alert
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.evidence.entityType`*::
++
+--
+The type of evidence
+
+
+type: keyword
+
+--
+
+*`microsoft.defender_atp.evidence.userPrincipalName`*::
++
+--
+Principal name of the user involved in the alert
+
+
+type: keyword
+
+--
+
 [[exported-fields-misp]]
 == MISP fields