Migrate m365_defender to httpjson v2

elastic · Dec 10, 2020 · 597a5da · 597a5da
1 parent 9d06245
commit 597a5da
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 17 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -754,6 +754,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `network.direction` to auditd/log fileset. {pull}23041[23041]
 - Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. {issue}22776[22776] {pull}22805[22805]
 - Migrate microsoft/defender_atp to httpjson v2 config {pull}23017[23017]
+- Migrate microsoft/m365_defender to httpjson v2 config {pull}23018[23018]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -1,23 +1,37 @@
 {{ if eq .input "httpjson" }}
 
 type: httpjson
-http_method: GET
+config_version: "2"
+
 interval: {{ .interval }}
-json_objects_array: value
-split_events_by: alerts..entities
-url: {{ .url }}
-
-oauth2: {{ .oauth2 | tojson }}
-oauth2.provider: azure
-oauth2.azure.resource: https://api.security.microsoft.com
-http_headers:
- User-Agent: MdatpPartner-Elastic-Filebeat/1.0.0
-date_cursor.field: lastUpdateTime
-date_cursor.url_field: '$filter'
-date_cursor.value_template: 'lastUpdateTime gt {{.}}'
-date_cursor.initial_interval: 55m
-date_cursor.date_format: '2006-01-02T15:04:05.9999999Z'
 
+auth.oauth2: {{ .oauth2 | tojson }}
+auth.oauth2.provider: azure
+auth.oauth2.azure.resource: https://api.securitycenter.windows.com/
+
+request.url: "https://api.security.microsoft.com/api/incidents"
+request.method: GET
+request.transforms:
+ - set:
+ target: "header.User-Agent"
+ value: "MdatpPartner-Elastic-Filebeat/1.0.0"
+ - set:
+ target: "url.params.$filter"
+ value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
+ default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-55m")) "2006-01-02T15:04:05.9999999Z"]]'
+
+response.split:
+ target: body.value
+ split:
+ target: body.alerts
+ keep_parent: true
+ split:
+ target: body.alerts.entities
+ keep_parent: true
+
+cursor:
+ lastUpdateTime:
+ value: "[[.last_response.body.lastUpdateTime]]"
 
 {{ else if eq .input "file" }}
 

diff --git a/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml b/x-pack/filebeat/module/microsoft/m365_defender/manifest.yml
@@ -7,8 +7,6 @@ var:
  default: 5m
  - name: tags
  default: [m365-defender, forwarded]
- - name: url
- default: "https://api.security.microsoft.com/api/incidents"
  - name: oauth2
 
 ingest_pipeline: ingest/pipeline.yml