diff --git a/filebeat/docs/images/filebeat-defender-atp-overview.png b/filebeat/docs/images/filebeat-defender-atp-overview.png new file mode 100644 index 00000000000..7df250e2ae8 Binary files /dev/null and b/filebeat/docs/images/filebeat-defender-atp-overview.png differ diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc index 6eb84e847f6..8c9c6e2302c 100644 --- a/filebeat/docs/modules/microsoft.asciidoc +++ b/filebeat/docs/modules/microsoft.asciidoc @@ -6,6 +6,7 @@ This file is generated! See scripts/docs_collector.py [role="xpack"] :modulename: microsoft +:has-dashboards: true == Microsoft module @@ -14,12 +15,9 @@ This is a module for ingesting data from the different Microsoft Products. Curre - `defender_atp` fileset: Supports Microsoft Defender ATP - `dhcp` fileset: Supports Microsoft DHCP logs -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility +include::../include/what-happens.asciidoc[] -Currently this module supports Microsoft Defender ATP. +include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] @@ -27,6 +25,11 @@ include::../include/configuring-intro.asciidoc[] include::../include/config-option-intro.asciidoc[] +[float] +==== `defender_atp` fileset settings + +beta[] + To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain. The procedure to create an application is found on the below link: @@ -39,12 +42,11 @@ After the application has been created, it should contain 3 values that you need These values are: -Client ID -Client Secret -Tenant ID +- Client ID +- Client Secret +- Tenant ID -[float] -==== `defender_atp` fileset settings +Example config: [source,yaml] ---- @@ -56,8 +58,6 @@ Tenant ID var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" ---- -include::../include/var-paths.asciidoc[] - *`var.oauth2.client.id`*:: This is the client ID related to creating a new application on Azure. @@ -76,7 +76,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always This is a list of Defender ATP fields that are mapped to ECS. [options="header"] -|======================================================================| +|====================================================================== | Defender ATP Fields | ECS Fields | | alertCreationTime | @timestamp | | aadTenantId | cloud.account.id | @@ -102,11 +102,31 @@ This is a list of Defender ATP fields that are mapped to ECS. | relatedUser.domainName | host.user.domain | | title | message | | severity | event.severity | -|======================================================================| +|====================================================================== -== Microsoft module +:has-dashboards!: -experimental[] +[float] +=== Dashboards + +This module comes with a sample dashboard for Defender ATP. + +[role="screenshot"] +image::./images/filebeat-defender-atp-overview.png[] + +The best way to view Defender ATP events and alert data is in the SIEM. + +[role="screenshot"] +image::./images/siem-alerts-cs.jpg[] + +[float] +For alerts, go to Detections -> External alerts. + +[role="screenshot"] +image::./images/siem-events-cs.jpg[] + +[float] +And for all other Defender ATP event types, go to Host -> Events. :fileset_ex: dhcp @@ -117,6 +137,8 @@ experimental[] NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. +include::../include/var-paths.asciidoc[] + *`var.input`*:: The input from which messages are read. One of `file`, `tcp` or `udp`. diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc index a0778bf32b6..3e3c651214a 100644 --- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc @@ -1,6 +1,7 @@ [role="xpack"] :modulename: microsoft +:has-dashboards: true == Microsoft module @@ -9,12 +10,9 @@ This is a module for ingesting data from the different Microsoft Products. Curre - `defender_atp` fileset: Supports Microsoft Defender ATP - `dhcp` fileset: Supports Microsoft DHCP logs -include::../include/gs-link.asciidoc[] - -[float] -=== Compatibility +include::../include/what-happens.asciidoc[] -Currently this module supports Microsoft Defender ATP. +include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] @@ -22,6 +20,11 @@ include::../include/configuring-intro.asciidoc[] include::../include/config-option-intro.asciidoc[] +[float] +==== `defender_atp` fileset settings + +beta[] + To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain. The procedure to create an application is found on the below link: @@ -34,12 +37,11 @@ After the application has been created, it should contain 3 values that you need These values are: -Client ID -Client Secret -Tenant ID +- Client ID +- Client Secret +- Tenant ID -[float] -==== `defender_atp` fileset settings +Example config: [source,yaml] ---- @@ -51,8 +53,6 @@ Tenant ID var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" ---- -include::../include/var-paths.asciidoc[] - *`var.oauth2.client.id`*:: This is the client ID related to creating a new application on Azure. @@ -71,7 +71,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always This is a list of Defender ATP fields that are mapped to ECS. [options="header"] -|======================================================================| +|====================================================================== | Defender ATP Fields | ECS Fields | | alertCreationTime | @timestamp | | aadTenantId | cloud.account.id | @@ -97,11 +97,31 @@ This is a list of Defender ATP fields that are mapped to ECS. | relatedUser.domainName | host.user.domain | | title | message | | severity | event.severity | -|======================================================================| +|====================================================================== -== Microsoft module +:has-dashboards!: -experimental[] +[float] +=== Dashboards + +This module comes with a sample dashboard for Defender ATP. + +[role="screenshot"] +image::./images/filebeat-defender-atp-overview.png[] + +The best way to view Defender ATP events and alert data is in the SIEM. + +[role="screenshot"] +image::./images/siem-alerts-cs.jpg[] + +[float] +For alerts, go to Detections -> External alerts. + +[role="screenshot"] +image::./images/siem-events-cs.jpg[] + +[float] +And for all other Defender ATP event types, go to Host -> Events. :fileset_ex: dhcp @@ -112,6 +132,8 @@ experimental[] NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. +include::../include/var-paths.asciidoc[] + *`var.input`*:: The input from which messages are read. One of `file`, `tcp` or `udp`. diff --git a/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json b/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json new file mode 100644 index 00000000000..1cede27b376 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json @@ -0,0 +1,1221 @@ +{ + "objects": [ + { + "attributes": { + "description": "Microsoft Defender ATP Alert Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "8343f7ea-b977-44bf-bf81-6d41742093a4", + "w": 4, + "x": 0, + "y": 0 + }, + "panelIndex": "8343f7ea-b977-44bf-bf81-6d41742093a4", + "panelRefName": "panel_0", + "version": "7.8.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 24, + "i": "74d36139-4d22-44d4-bfc8-020c575febb1", + "w": 25, + "x": 4, + "y": 0 + }, + "panelIndex": "74d36139-4d22-44d4-bfc8-020c575febb1", + "panelRefName": "panel_1", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "ATP Techniques [Filebeat Microsoft]" + }, + "gridData": { + "h": 24, + "i": "a3e140ed-a0ed-4da0-8142-72d68fd7c5e5", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "a3e140ed-a0ed-4da0-8142-72d68fd7c5e5", + "panelRefName": "panel_2", + "title": "ATP Techniques [Filebeat Microsoft]", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "f3843ab0-8b0f-4f64-805c-4ab0d0965d8a", + "w": 4, + "x": 0, + "y": 6 + }, + "panelIndex": "f3843ab0-8b0f-4f64-805c-4ab0d0965d8a", + "panelRefName": "panel_3", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "16e7059b-70a5-4ea4-b622-9015d7430419", + "w": 4, + "x": 0, + "y": 12 + }, + "panelIndex": "16e7059b-70a5-4ea4-b622-9015d7430419", + "panelRefName": "panel_4", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "d8a5a667-ed0b-42ed-ae7d-edbfa722677f", + "w": 4, + "x": 0, + "y": 18 + }, + "panelIndex": "d8a5a667-ed0b-42ed-ae7d-edbfa722677f", + "panelRefName": "panel_5", + "version": "7.8.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "cb8de6bb-1096-427d-834e-210963aad3e5", + "w": 48, + "x": 0, + "y": 24 + }, + "panelIndex": "cb8de6bb-1096-427d-834e-210963aad3e5", + "panelRefName": "panel_6", + "version": "7.8.1" + } + ], + "timeRestore": false, + "title": "[Filebeat Microsoft] ATP Overview", + "version": 1 + }, + "id": "65402c30-ca6a-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "e415af10-ca67-11ea-9d4d-9737a63aaa55", + "name": "panel_1", + "type": "lens" + }, + { + "id": "14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_2", + "type": "lens" + }, + { + "id": "9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEzLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP Counter for new incidents", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP New Incidents Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "New Incidents", + "field": "microsoft.defender_atp.incidentId" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 1 + }, + { + "from": 1, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP New Incidents Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzYsMV0=" + }, + { + "attributes": { + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" \n filters=\"[{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.module\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.module\\\":\\\"microsoft\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}},{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft.defender_atp\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.dataset\\\":\\\"microsoft.defender_atp\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}]\"\n| lens_merge_tables layerIds=\"ac550ae9-6e17-4944-9545-25bbe83d9dbb\" \n tables={esaggs index=\"filebeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"event.severity\\\",\\\"orderBy\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":6,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"677e5501-ca31-435c-8eab-38b5297e54c2\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"24h\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"cardinality\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"microsoft.defender_atp.incidentId\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-19ade524-0042-4ecd-ac59-9696c8c2e225\\\":{\\\"label\\\":\\\"Top values of event.severity\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"event.severity\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":6,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\"},\\\"col-2-677e5501-ca31-435c-8eab-38b5297e54c2\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"24h\\\"},\\\"id\\\":\\\"677e5501-ca31-435c-8eab-38b5297e54c2\\\"},\\\"col-3-27212c7c-83ee-4292-a4c6-396d9b77dce6\\\":{\\\"label\\\":\\\"Number of incidents\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"cardinality\\\",\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"microsoft.defender_atp.incidentId\\\",\\\"isBucketed\\\":false,\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"number\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"id\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\"}}\" | lens_format_column format=\"number\" columnId=\"27212c7c-83ee-4292-a4c6-396d9b77dce6\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Number of incidents\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} \n layers={lens_xy_layer layerId=\"ac550ae9-6e17-4944-9545-25bbe83d9dbb\" hide=false xAccessor=\"677e5501-ca31-435c-8eab-38b5297e54c2\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"19ade524-0042-4ecd-ac59-9696c8c2e225\" seriesType=\"line\" accessors=\"27212c7c-83ee-4292-a4c6-396d9b77dce6\" columnToLabel=\"{\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\":\\\"Number of incidents\\\",\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\":\\\"Top values of event.severity\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "filebeat-*", + "title": "filebeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "filebeat-*", + "layers": { + "ac550ae9-6e17-4944-9545-25bbe83d9dbb": { + "columnOrder": [ + "19ade524-0042-4ecd-ac59-9696c8c2e225", + "677e5501-ca31-435c-8eab-38b5297e54c2", + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "columns": { + "19ade524-0042-4ecd-ac59-9696c8c2e225": { + "dataType": "number", + "isBucketed": true, + "label": "Top values of event.severity", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27212c7c-83ee-4292-a4c6-396d9b77dce6", + "type": "column" + }, + "orderDirection": "desc", + "size": 6 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "27212c7c-83ee-4292-a4c6-396d9b77dce6": { + "dataType": "number", + "isBucketed": false, + "label": "Number of incidents", + "operationType": "cardinality", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "microsoft.defender_atp.incidentId" + }, + "677e5501-ca31-435c-8eab-38b5297e54c2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "24h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "filebeat-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "layerId": "ac550ae9-6e17-4944-9545-25bbe83d9dbb", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "19ade524-0042-4ecd-ac59-9696c8c2e225", + "xAccessor": "677e5501-ca31-435c-8eab-38b5297e54c2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "ATP New Incidents [Filebeat Microsoft]", + "visualizationType": "lnsXY" + }, + "id": "e415af10-ca67-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.8.0" + }, + "references": [], + "type": "lens", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzcsMV0=" + }, + { + "attributes": { + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" \n filters=\"[{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.module\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.module\\\":\\\"microsoft\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}},{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft.defender_atp\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.dataset\\\":\\\"microsoft.defender_atp\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}]\"\n| lens_merge_tables layerIds=\"f93e2634-0dd5-4aec-b6de-45284dd39630\" \n tables={esaggs index=\"filebeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"threat.technique.name\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"0f67be87-cc6f-48e7-8afd-d9401037d006\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"count\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{}}]\" | lens_rename_columns idMap=\"{\\\"col-0-12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\":{\\\"label\\\":\\\"Related MITRE attach techniques\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"threat.technique.name\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"id\\\":\\\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\"},\\\"col-1-0f67be87-cc6f-48e7-8afd-d9401037d006\\\":{\\\"label\\\":\\\"Number of techniques\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"count\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"Records\\\",\\\"id\\\":\\\"0f67be87-cc6f-48e7-8afd-d9401037d006\\\"}}\"}\n| lens_pie shape=\"treemap\" hideLabels=false groups=\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\" metric=\"0f67be87-cc6f-48e7-8afd-d9401037d006\" numberDisplay=\"percent\" categoryDisplay=\"default\" legendDisplay=\"default\" percentDecimals=3 nestedLegend=false", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "filebeat-*", + "title": "filebeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "filebeat-*", + "layers": { + "f93e2634-0dd5-4aec-b6de-45284dd39630": { + "columnOrder": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51", + "0f67be87-cc6f-48e7-8afd-d9401037d006" + ], + "columns": { + "0f67be87-cc6f-48e7-8afd-d9401037d006": { + "dataType": "number", + "isBucketed": false, + "label": "Number of techniques", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51": { + "dataType": "string", + "isBucketed": true, + "label": "Related MITRE attach techniques", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.name" + } + }, + "indexPatternId": "filebeat-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51" + ], + "layerId": "f93e2634-0dd5-4aec-b6de-45284dd39630", + "legendDisplay": "default", + "metric": "0f67be87-cc6f-48e7-8afd-d9401037d006", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "ATP Techniques [Filebeat Microsoft]", + "visualizationType": "lnsPie" + }, + "id": "14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.8.0" + }, + "references": [], + "type": "lens", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzgsMV0=" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related domains", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP Domains Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Domains", + "field": "microsoft.defender_atp.evidence.domainName" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP Domains Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzksMV0=" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related IP Addresses", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP IP Addresses Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Networks", + "field": "microsoft.defender_atp.evidence.ipAddress" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP IP Addresses Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEwLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related Users", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP Related Users Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Users", + "field": "host.user.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP Related Users Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzExLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP Incident Table", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ATP Incident Table [Filebeat Microsoft]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Incident ID", + "field": "microsoft.defender_atp.incidentId", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Current Status", + "field": "microsoft.defender_atp.status", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Assigned To", + "field": "microsoft.defender_atp.assignedTo", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "9", + "params": { + "customLabel": "Severity", + "field": "event.severity", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Hostname", + "field": "host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Title", + "field": "event.test.message", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "8", + "params": { + "aggregate": "concat", + "field": "@timestamp", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "10", + "params": { + "customLabel": "Category", + "field": "threat.technique.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "row": true, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "ATP Incident Table [Filebeat Microsoft]", + "type": "table" + } + }, + "id": "00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEyLDFd" + } + ], + "version": "7.8.0" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/module.yml b/x-pack/filebeat/module/microsoft/module.yml index ed97d539c09..991a3a8d25c 100644 --- a/x-pack/filebeat/module/microsoft/module.yml +++ b/x-pack/filebeat/module/microsoft/module.yml @@ -1 +1,3 @@ ---- +dashboards: +- id: 65402c30-ca6a-11ea-9d4d-9737a63aaa55 + file: Filebeat-microsoft-atp-overview.json \ No newline at end of file