Microsoft Defender for Cloud

edit

Microsoft Defender for Cloud

edit

Version

2.2.0 (View all)

Compatible Kibana version(s)

8.13.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Elastic

The Microsoft Defender for Cloud integration allows you to monitor security alert events. When integrated with Elastic Security, this valuable data can be leveraged within Elastic for analyzing the resources and services that users are protecting through Microsoft Defender.

Use the Microsoft Defender for Cloud integration to collect and parse data from Azure Event Hub and then visualize that data in Kibana.

Data streams

edit

The Microsoft Defender for Cloud integration collects one type of data: event.

Event allows users to preserve a record of security events that occurred on the subscription, which includes real-time events that affect the security of the user’s environment. For further information connected to security alerts and type, Refer to the page here.

Prerequisites

edit

To get started with Defender for Cloud, user must have a subscription to Microsoft Azure.

Requirements

edit
  • Elastic Agent must be installed.
  • You can install only one Elastic Agent per host.
  • Elastic Agent is required to stream data from the Azure Event Hub and ship the data to Elastic, where the events will then be processed via the integration’s ingest pipelines.
Installing and managing an Elastic Agent:
edit

You have a few options for installing and managing an Elastic Agent:

Install a Fleet-managed Elastic Agent (recommended):
edit

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

Install Elastic Agent in standalone mode (advanced users):
edit

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

Install Elastic Agent in a containerized environment:
edit

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

The minimum kibana.version required is 8.3.0.

Setup

edit
To collect data from Microsoft Azure Event Hub, follow the below steps:
edit
  • Configure the Microsoft Defender for Cloud on Azure subscription. For more detail, refer to the link here.
Enabling the integration in Elastic:
edit
  1. In Kibana, go to Management > Integrations.
  2. In the "Search for integrations" search bar, type Microsoft Defender for Cloud.
  3. Click on the "Microsoft Defender for Cloud" integration from the search results.
  4. Click on the Add Microsoft Defender for Cloud Integration button to add the integration.
  5. While adding the integration, if you want to collect logs via Azure Event Hub, then you have to put the following details:

    • eventhub
    • consumer_group
    • connection_string
    • storage_account
    • storage_account_key
    • storage_account_container (optional)
    • resource_manager_endpoint (optional)

Logs reference

edit
Event
edit

This is the Event dataset.

Exported fields
Field Description Type

@timestamp

Event timestamp.

date

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

input.type

Type of Filebeat input.

keyword

log.offset

Log offset.

long

microsoft_defender_cloud.event.agent_id

keyword

microsoft_defender_cloud.event.alert_type

Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType).

keyword

microsoft_defender_cloud.event.assessment_event_data_enrichment.action

keyword

microsoft_defender_cloud.event.assessment_event_data_enrichment.api_version

keyword

microsoft_defender_cloud.event.assessment_event_data_enrichment.is_snapshot

boolean

microsoft_defender_cloud.event.azure_resource_id

keyword

microsoft_defender_cloud.event.compromised_entity

The display name of the resource most related to this alert.

keyword

microsoft_defender_cloud.event.confidence.level

keyword

microsoft_defender_cloud.event.confidence.reasons

keyword

microsoft_defender_cloud.event.confidence.score

keyword

microsoft_defender_cloud.event.correlation_key

Key for corelating related alerts. Alerts with the same correlation key considered to be related.

keyword

microsoft_defender_cloud.event.description

Description of the suspicious activity that was detected.

keyword

microsoft_defender_cloud.event.display_name

The display name of the alert.

keyword

microsoft_defender_cloud.event.end_time_utc

The UTC time of the last event or activity included in the alert in ISO8601 format.

date

microsoft_defender_cloud.event.entities.aad_tenant_id

keyword

microsoft_defender_cloud.event.entities.aad_user_id

keyword

microsoft_defender_cloud.event.entities.account.ref

keyword

microsoft_defender_cloud.event.entities.address

ip

microsoft_defender_cloud.event.entities.algorithm

keyword

microsoft_defender_cloud.event.entities.amazon_resource_id

keyword

microsoft_defender_cloud.event.entities.asset

boolean

microsoft_defender_cloud.event.entities.azure_id

keyword

microsoft_defender_cloud.event.entities.blob_container.ref

keyword

microsoft_defender_cloud.event.entities.category

keyword

microsoft_defender_cloud.event.entities.cloud_resource.ref

keyword

microsoft_defender_cloud.event.entities.cluster.ref

keyword

microsoft_defender_cloud.event.entities.command_line

keyword

microsoft_defender_cloud.event.entities.container_id

keyword

microsoft_defender_cloud.event.entities.creation_time_utc

date

microsoft_defender_cloud.event.entities.directory

keyword

microsoft_defender_cloud.event.entities.dns_domain

keyword

microsoft_defender_cloud.event.entities.domain_name

keyword

microsoft_defender_cloud.event.entities.elevation_token

keyword

microsoft_defender_cloud.event.entities.end_time_utc

date

microsoft_defender_cloud.event.entities.etag

keyword

microsoft_defender_cloud.event.entities.file_hashes.algorithm

keyword

microsoft_defender_cloud.event.entities.file_hashes.asset

boolean

microsoft_defender_cloud.event.entities.file_hashes.id

keyword

microsoft_defender_cloud.event.entities.file_hashes.ref

keyword

microsoft_defender_cloud.event.entities.file_hashes.type

keyword

microsoft_defender_cloud.event.entities.file_hashes.value

keyword

microsoft_defender_cloud.event.entities.files.ref

keyword

microsoft_defender_cloud.event.entities.host.ref

keyword

microsoft_defender_cloud.event.entities.host_ip_address.ref

keyword

microsoft_defender_cloud.event.entities.host_name

keyword

microsoft_defender_cloud.event.entities.id

keyword

microsoft_defender_cloud.event.entities.image.ref

keyword

microsoft_defender_cloud.event.entities.image_file.ref

keyword

microsoft_defender_cloud.event.entities.image_id

keyword

microsoft_defender_cloud.event.entities.ip_addresses.address

ip

microsoft_defender_cloud.event.entities.ip_addresses.asset

boolean

microsoft_defender_cloud.event.entities.ip_addresses.id

keyword

microsoft_defender_cloud.event.entities.ip_addresses.location.asn

long

microsoft_defender_cloud.event.entities.ip_addresses.location.city

keyword

microsoft_defender_cloud.event.entities.ip_addresses.location.country_code

keyword

microsoft_defender_cloud.event.entities.ip_addresses.location.country_name

keyword

microsoft_defender_cloud.event.entities.ip_addresses.location.latitude

double

microsoft_defender_cloud.event.entities.ip_addresses.location.longitude

double

microsoft_defender_cloud.event.entities.ip_addresses.location.state

keyword

microsoft_defender_cloud.event.entities.ip_addresses.type

keyword

microsoft_defender_cloud.event.entities.is_domain_joined

boolean

microsoft_defender_cloud.event.entities.is_valid

boolean

microsoft_defender_cloud.event.entities.location.asn

long

microsoft_defender_cloud.event.entities.location.carrier

keyword

microsoft_defender_cloud.event.entities.location.city

keyword

microsoft_defender_cloud.event.entities.location.cloud_provider

keyword

microsoft_defender_cloud.event.entities.location.country_code

keyword

microsoft_defender_cloud.event.entities.location.country_name

keyword

microsoft_defender_cloud.event.entities.location.latitude

double

microsoft_defender_cloud.event.entities.location.longitude

double

microsoft_defender_cloud.event.entities.location.organization

keyword

microsoft_defender_cloud.event.entities.location.organization_type

keyword

microsoft_defender_cloud.event.entities.location.state

keyword

microsoft_defender_cloud.event.entities.location.system_service

keyword

microsoft_defender_cloud.event.entities.location_type

keyword

microsoft_defender_cloud.event.entities.location_value

keyword

microsoft_defender_cloud.event.entities.logon_id

keyword

microsoft_defender_cloud.event.entities.name

keyword

microsoft_defender_cloud.event.entities.namespace.ref

keyword

microsoft_defender_cloud.event.entities.net_bios_name

keyword

microsoft_defender_cloud.event.entities.nt_domain

keyword

microsoft_defender_cloud.event.entities.object_guid

keyword

microsoft_defender_cloud.event.entities.oms_agent_id

keyword

microsoft_defender_cloud.event.entities.os_family

keyword

microsoft_defender_cloud.event.entities.os_version

keyword

microsoft_defender_cloud.event.entities.parent_process.ref

keyword

microsoft_defender_cloud.event.entities.pod.ref

keyword

microsoft_defender_cloud.event.entities.process_id

keyword

microsoft_defender_cloud.event.entities.project_id

keyword

microsoft_defender_cloud.event.entities.protocol

keyword

microsoft_defender_cloud.event.entities.ref

keyword

microsoft_defender_cloud.event.entities.related_azure_resource_ids

keyword

microsoft_defender_cloud.event.entities.resource_id

keyword

microsoft_defender_cloud.event.entities.resource_name

keyword

microsoft_defender_cloud.event.entities.resource_type

keyword

microsoft_defender_cloud.event.entities.session_id

keyword

microsoft_defender_cloud.event.entities.sid

keyword

microsoft_defender_cloud.event.entities.source_address.ref

keyword

microsoft_defender_cloud.event.entities.start_time_utc

date

microsoft_defender_cloud.event.entities.storage_resource.ref

keyword

microsoft_defender_cloud.event.entities.threat_intelligence.confidence

double

microsoft_defender_cloud.event.entities.threat_intelligence.description

keyword

microsoft_defender_cloud.event.entities.threat_intelligence.name

keyword

microsoft_defender_cloud.event.entities.threat_intelligence.provider_name

keyword

microsoft_defender_cloud.event.entities.threat_intelligence.report_link

keyword

microsoft_defender_cloud.event.entities.threat_intelligence.type

keyword

microsoft_defender_cloud.event.entities.type

keyword

microsoft_defender_cloud.event.entities.upn_suffix

keyword

microsoft_defender_cloud.event.entities.url

keyword

microsoft_defender_cloud.event.entities.value

keyword

microsoft_defender_cloud.event.event_type

keyword

microsoft_defender_cloud.event.extended_links.category

Links related to the alert

keyword

microsoft_defender_cloud.event.extended_links.href

keyword

microsoft_defender_cloud.event.extended_links.label

keyword

microsoft_defender_cloud.event.extended_links.type

keyword

microsoft_defender_cloud.event.extended_properties

Custom properties for the alert.

flattened

microsoft_defender_cloud.event.id

Resource Id.

keyword

microsoft_defender_cloud.event.intent

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center’s supported kill chain intents.

keyword

microsoft_defender_cloud.event.is_incident

This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert.

boolean

microsoft_defender_cloud.event.kind

keyword

microsoft_defender_cloud.event.location

keyword

microsoft_defender_cloud.event.name

Resource name.

keyword

microsoft_defender_cloud.event.processing_end_time

The UTC processing end time of the alert in ISO8601 format.

date

microsoft_defender_cloud.event.product.name

The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on).

keyword

microsoft_defender_cloud.event.properties.additional_data

flattened

microsoft_defender_cloud.event.properties.assessment.definitions

keyword

microsoft_defender_cloud.event.properties.assessment.details_link

keyword

microsoft_defender_cloud.event.properties.assessment.type

keyword

microsoft_defender_cloud.event.properties.category

keyword

microsoft_defender_cloud.event.properties.definition.display_name

keyword

microsoft_defender_cloud.event.properties.definition.id

keyword

microsoft_defender_cloud.event.properties.definition.max_score

long

microsoft_defender_cloud.event.properties.definition.name

keyword

microsoft_defender_cloud.event.properties.definition.source_type

keyword

microsoft_defender_cloud.event.properties.definition.type

keyword

microsoft_defender_cloud.event.properties.description

keyword

microsoft_defender_cloud.event.properties.display_name

keyword

microsoft_defender_cloud.event.properties.environment

keyword

microsoft_defender_cloud.event.properties.failed_resources

long

microsoft_defender_cloud.event.properties.healthy_resource_count

long

microsoft_defender_cloud.event.properties.id

keyword

microsoft_defender_cloud.event.properties.impact

keyword

microsoft_defender_cloud.event.properties.links.azure_portal

keyword

microsoft_defender_cloud.event.properties.metadata.assessment_type

keyword

microsoft_defender_cloud.event.properties.metadata.categories

keyword

microsoft_defender_cloud.event.properties.metadata.description

keyword

microsoft_defender_cloud.event.properties.metadata.display_name

keyword

microsoft_defender_cloud.event.properties.metadata.implementation_effort

keyword

microsoft_defender_cloud.event.properties.metadata.policy_definition_id

keyword

microsoft_defender_cloud.event.properties.metadata.preview

boolean

microsoft_defender_cloud.event.properties.metadata.remediation_description

keyword

microsoft_defender_cloud.event.properties.metadata.severity

keyword

microsoft_defender_cloud.event.properties.metadata.threats

keyword

microsoft_defender_cloud.event.properties.metadata.user_impact

keyword

microsoft_defender_cloud.event.properties.not_applicable_resource_count

long

microsoft_defender_cloud.event.properties.passed_resources

long

microsoft_defender_cloud.event.properties.remediation

keyword

microsoft_defender_cloud.event.properties.resource_details.id

keyword

microsoft_defender_cloud.event.properties.resource_details.machine_name

keyword

microsoft_defender_cloud.event.properties.resource_details.source

keyword

microsoft_defender_cloud.event.properties.resource_details.source_computer_id

keyword

microsoft_defender_cloud.event.properties.resource_details.type

keyword

microsoft_defender_cloud.event.properties.resource_details.vm_uuid

keyword

microsoft_defender_cloud.event.properties.resource_details.workspace_id

keyword

microsoft_defender_cloud.event.properties.score.current

double

microsoft_defender_cloud.event.properties.score.max

long

microsoft_defender_cloud.event.properties.score.percentage

double

microsoft_defender_cloud.event.properties.skipped_resources

long

microsoft_defender_cloud.event.properties.state

keyword

microsoft_defender_cloud.event.properties.status.cause

keyword

microsoft_defender_cloud.event.properties.status.code

keyword

microsoft_defender_cloud.event.properties.status.description

keyword

microsoft_defender_cloud.event.properties.status.first_evaluation_date

date

microsoft_defender_cloud.event.properties.status.severity

keyword

microsoft_defender_cloud.event.properties.status.status_change_date

date

microsoft_defender_cloud.event.properties.status.type

keyword

microsoft_defender_cloud.event.properties.time_generated

date

microsoft_defender_cloud.event.properties.type

keyword

microsoft_defender_cloud.event.properties.unhealthy_resource_count

long

microsoft_defender_cloud.event.properties.weight

long

microsoft_defender_cloud.event.provider_alert_status

keyword

microsoft_defender_cloud.event.remediation_steps

Manual action items to take to remediate the alert.

keyword

microsoft_defender_cloud.event.resource_identifiers.aad_tenant_id

keyword

microsoft_defender_cloud.event.resource_identifiers.agent_id

(optional) The LogAnalytics agent id reporting the event that this alert is based on.

keyword

microsoft_defender_cloud.event.resource_identifiers.azure_id

ARM resource identifier for the cloud resource being alerted on

keyword

microsoft_defender_cloud.event.resource_identifiers.azure_tenant_id

keyword

microsoft_defender_cloud.event.resource_identifiers.id

The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.

keyword

microsoft_defender_cloud.event.resource_identifiers.type

There can be multiple identifiers of different type per alert, this field specify the identifier type.

keyword

microsoft_defender_cloud.event.resource_identifiers.workspace_id

The LogAnalytics workspace id that stores this alert.

keyword

microsoft_defender_cloud.event.resource_identifiers.workspace_resource_group

The azure resource group for the LogAnalytics workspace storing this alert

keyword

microsoft_defender_cloud.event.resource_identifiers.workspace_subscription_id

The azure subscription id for the LogAnalytics workspace storing this alert.

keyword

microsoft_defender_cloud.event.security_event_data_enrichment.action

keyword

microsoft_defender_cloud.event.security_event_data_enrichment.api_version

keyword

microsoft_defender_cloud.event.security_event_data_enrichment.interval

keyword

microsoft_defender_cloud.event.security_event_data_enrichment.is_snapshot

boolean

microsoft_defender_cloud.event.security_event_data_enrichment.type

keyword

microsoft_defender_cloud.event.severity

The risk level of the threat that was detected.

keyword

microsoft_defender_cloud.event.start_time_utc

The UTC time of the first event or activity included in the alert in ISO8601 format.

date

microsoft_defender_cloud.event.status

The life cycle status of the alert.

keyword

microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.action

keyword

microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.api_version

keyword

microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.is_snapshot

boolean

microsoft_defender_cloud.event.sub_assessment_event.data_enrichment.type

keyword

microsoft_defender_cloud.event.system.alert_id

Unique identifier for the alert.

keyword

microsoft_defender_cloud.event.tags

keyword

microsoft_defender_cloud.event.tenant_id

keyword

microsoft_defender_cloud.event.time_generated

The UTC time the alert was generated in ISO8601 format.

date

microsoft_defender_cloud.event.type

Resource type.

keyword

microsoft_defender_cloud.event.uri

A direct link to the alert page in Azure Portal.

keyword

microsoft_defender_cloud.event.vendor_name

The name of the vendor that raises the alert.

keyword

microsoft_defender_cloud.event.workspace.id

keyword

microsoft_defender_cloud.event.workspace.resource_group

keyword

microsoft_defender_cloud.event.workspace.subscription_id

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

2.2.0

Enhancement (View pull request)
Do not remove event.original in main ingest pipeline.

8.13.0 or higher

2.1.0

Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".

8.13.0 or higher

2.0.0

Enhancement (View pull request)
Store eventhub metadata inside azure-eventhub field.

8.13.0 or higher

1.2.0

Enhancement (View pull request)
Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.1.2

Bug fix (View pull request)
Fix name canonicalization routines.

8.12.0 or higher

1.1.1

Enhancement (View pull request)
Add cloudsecurity_cdr sub category label

8.12.0 or higher

1.1.0

Enhancement (View pull request)
Set sensitive values as secret and add missing mappings.

8.12.0 or higher

1.0.1

Enhancement (View pull request)
Changed owners

8.3.0 or higher

1.0.0

Enhancement (View pull request)
Release package as GA.

8.3.0 or higher

0.7.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

0.6.0

Enhancement (View pull request)
Improve event.original check to avoid errors if set.

0.5.0

Enhancement (View pull request)
ECS version updated to 8.10.0.

0.4.0

Enhancement (View pull request)
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.

0.3.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

0.2.0

Enhancement (View pull request)
Update package to ECS 8.9.0.

0.1.0

Enhancement (View pull request)
Initial release.