{m365_defender,microsoft_defender_endpoint}: Add mapping and transform for CDR workflows #14809
Conversation
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@maxcold, for the microsoft_defender_endpoint integration, I had to shorten the transform name to latest_cdr_vuln because otherwise the system tests would throw an error during package installation:
Error: failed to setup system runner: can't install the package: there was an apply error: installation failed: can't install the package: could not zip-install package; API status code = 500; response body = {"statusCode":500,"error":"Internal Server Error","message":"action_request_validation_exception\n\tRoot causes:\n\t\taction_request_validation_exception: Validation Failed: 1: The id cannot contain more than 64 characters.;"}
It's coming from Kibana (logs below):
2025-08-05 19:18:07 [2025-08-05T13:48:07.229+00:00][WARN ][plugins.fleet] Error during execution of state "install_transforms" with status "failed": action_request_validation_exception
2025-08-05 19:18:07 Root causes:
2025-08-05 19:18:07 action_request_validation_exception: Validation Failed: 1: The id cannot contain more than 64 characters.;
2025-08-05 19:18:07 [2025-08-05T13:48:07.246+00:00][DEBUG][plugins.fleet] Created transform: logs-microsoft_defender_endpoint.latest_action-default-1.0.0
2025-08-05 19:18:07 [2025-08-05T13:48:07.311+00:00][DEBUG][plugins.fleet] Started transform: logs-microsoft_defender_endpoint.latest_action-default-1.0.0
2025-08-05 19:18:08 [2025-08-05T13:48:08.138+00:00][WARN ][plugins.fleet] Failure to install package [microsoft_defender_endpoint]: [ResponseError: action_request_validation_exception
2025-08-05 19:18:08 Root causes:
2025-08-05 19:18:08 action_request_validation_exception: Validation Failed: 1: The id cannot contain more than 64 characters.;]
2025-08-05 19:18:09 [2025-08-05T13:48:09.163+00:00][ERROR][plugins.fleet] Uninstalling microsoft_defender_endpoint-3.0.0 after error installing: [ResponseError: action_request_validation_exception
2025-08-05 19:18:09 Root causes:
2025-08-05 19:18:09 action_request_validation_exception: Validation Failed: 1: The id cannot contain more than 64 characters.;] with install type: install
Hope the shortened name is okay.
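Added example, not code from the PR or from Fleet: a local pre-check for the 64-character transform id limit reported above. It assumes the id shape visible in the Kibana debug logs, `logs-<package>.<transform_name>-default-<transform_version>`, and the transform version `1.0.0` those logs show.

```python
# Added example (not part of the PR): pre-check the length of the transform id
# that Fleet generates, so the 64-character limit is hit locally instead of
# during package installation.
#
# Assumption: the id follows the shape seen in the Kibana debug logs,
# "logs-<package>.<transform_name>-default-<transform_version>", e.g.
# logs-microsoft_defender_endpoint.latest_action-default-1.0.0
MAX_TRANSFORM_ID_LEN = 64  # limit quoted in the validation error above


def fleet_transform_id(package: str, transform: str, version: str = "1.0.0") -> str:
    """Build the transform id the way the logs show Fleet naming it."""
    return f"logs-{package}.{transform}-default-{version}"


def check_transform_ids(package: str, transforms: list[str], version: str = "1.0.0") -> dict[str, bool]:
    """Return {transform_name: fits_within_limit} for each transform in a package."""
    return {
        name: len(fleet_transform_id(package, name, version)) <= MAX_TRANSFORM_ID_LEN
        for name in transforms
    }


if __name__ == "__main__":
    # Names from this PR: the long name fits for m365_defender but not for
    # microsoft_defender_endpoint, which is why it was shortened to latest_cdr_vuln.
    names = ["latest_cdr_vulnerabilities", "latest_cdr_vuln"]
    for pkg in ("m365_defender", "microsoft_defender_endpoint"):
        for name, fits in check_transform_ids(pkg, names).items():
            tid = fleet_transform_id(pkg, name)
            print(f"{'ok ' if fits else 'BAD'} {len(tid):2d} {tid}")
```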
packages/m365_defender/manifest.yml
@@ -11,7 +11,7 @@ conditions: | |||
elastic: | |||
subscription: basic | |||
kibana: | |||
version: "^8.18.0 || ^9.0.0" | |||
version: "^8.19.0 || ^9.1.0" |
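Review bot: The constraint bump from "^8.18.0 || ^9.0.0" to "^8.19.0 || ^9.1.0" on the last two lines of this hunk is only correct if those are the releases that actually ship the transform permissions change this thread ties it to (elastic/elasticsearch#132445); please re-confirm the minor versions once that PR is backported, and state the reason for the raised minimum in the changelog.yml entry so the requirement stays traceable.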
Currently both integrations are not added to the permissions list in Elasticsearch.
I created the PR elastic/elasticsearch#132445 to add them. Once approved and backported, I will update these versions accordingly. Until then, the system tests will fail because of a permissions error inside the transform.
cc: @maxcold
I added run_as_kibana_system: false for now to test. Will send you the credentials for testing.
Looks good. I made a few comments in microsoft_defender_endpoint, but they apply to both.
field: event.id | ||
tag: set_event_id_from_microsoft_defender_endpoint_vulnerability_affected_machine_id | ||
value: '{{{microsoft_defender_endpoint.vulnerability.affected_machine.id}}}-{{{_ingest.timestamp}}}' | ||
if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.id != null | ||
copy_from: microsoft_defender_endpoint.vulnerability.affected_machine.id | ||
ignore_empty_value: true |
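Review bot: As rendered, this event.id set processor carries both a `value` template (`'{{{microsoft_defender_endpoint.vulnerability.affected_machine.id}}}-{{{_ingest.timestamp}}}'`) and a `copy_from`; Elasticsearch rejects a set processor that specifies both, so make sure only the `copy_from` form is what lands in the committed pipeline. With `copy_from` plus `ignore_empty_value: true` a missing source field is already skipped, so the `if: ctx.microsoft_defender_endpoint?.vulnerability?.affected_machine?.id != null` guard is redundant and can be dropped.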
Seems odd to set the vulnerability event ID to the affected machine ID.
I see it's set to a vulnerability ID below so I guess this is just the fallback.
Actually, this field indicates a finding id of sorts, for example: 86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-.
It includes machineId, vulnerabilityId, packageName, packageVersion, etc.
https://github.com/elastic/integrations/blob/main/packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json#L60
tag: grok_to_extract_vulnerability_score_version | ||
patterns: | ||
- '^CVSS:%{DATA:vulnerability.score.version}/%{GREEDYDATA}$' | ||
- '^%{GREEDYDATA}$' |
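Review bot: The second pattern `^%{GREEDYDATA}$` matches any string, so this grok never fails and a cvss_vector without a `CVSS:<version>/` prefix passes through silently with no version set, hiding bad input; drop the catch-all, guard the processor with an `if:` that the field is a non-null String (as suggested in this thread), and replace `%{DATA:vulnerability.score.version}` with a bounded token such as `[0-9.]+` so the lazy `.*?` does not backtrack across the whole vector.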
With the 2nd pattern, won't it match and ignore any string that didn't match the first?
If that's intentional, maybe it can get if: ctx.microsoft_defender_endpoint?.vulnerability?.cvss_vector instanceof String and avoid the on_failure.
Similar comment as for m365_defender. Also, the time complexity of the first pattern can be reduced.
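As an added illustration (not code from the PR), the two grok patterns discussed above translated into Python's re module, alongside a tightened variant of the first pattern; the strict pattern is an assumption of what "reduced time complexity" could look like, not something the PR proposes.

```python
# Added example (not part of the PR): the grok processor discussed above,
# translated into Python's re module, to show how the catch-all second pattern
# hides failures and how the first pattern can be tightened.
import re
from typing import Optional

# grok semantics: %{DATA} is a lazy ".*?", %{GREEDYDATA} is ".*"
PR_PATTERNS: list[re.Pattern[str]] = [
    # ^CVSS:%{DATA:vulnerability.score.version}/%{GREEDYDATA}$
    re.compile(r"^CVSS:(?P<version>.*?)/.*$"),
    # ^%{GREEDYDATA}$ -> matches any single-line string, so the grok never fails
    re.compile(r"^.*$"),
]

# Tightened alternative (an assumption, not what the PR proposes): a bounded
# version token and no catch-all, so a non-CVSS value fails instead of passing.
STRICT_PATTERNS: list[re.Pattern[str]] = [
    re.compile(r"^CVSS:(?P<version>[0-9]+\.[0-9]+)/\S+$"),
]


def extract_cvss_version(vector: str, patterns: list[re.Pattern[str]] = PR_PATTERNS) -> tuple[Optional[str], bool]:
    """Mimic grok: try patterns in order; return (captured version or None, matched?)."""
    for pat in patterns:
        m = pat.match(vector)
        if m:
            return m.groupdict().get("version"), True
    return None, False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed vector and two malformed values.
    for sample in ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "N/A", "CVSS:3.1"):
        pr = extract_cvss_version(sample)
        strict = extract_cvss_version(sample, STRICT_PATTERNS)
        print(f"{sample!r:48} PR={pr} strict={strict}")
```

With the PR's pattern list the malformed inputs report `matched=True` with no version, which is exactly the silent pass-through the review comment describes.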
- set: | ||
field: vulnerability.cve | ||
tag: set_vulnerability_cve_from_vulnerability_id | ||
copy_from: microsoft_defender_endpoint.vulnerability.id | ||
ignore_empty_value: true | ||
if: ctx.vulnerability?.id != null && ctx.vulnerability.id.toUpperCase().contains('CVE') == true | ||
- set: | ||
field: event.id | ||
tag: set_event_id_from_vulnerability_id | ||
value: '{{{vulnerability.id}}}-{{{_ingest.timestamp}}}' | ||
if: ctx.event?.id == null && ctx.vulnerability?.id != null | ||
copy_from: microsoft_defender_endpoint.vulnerability.id | ||
ignore_empty_value: true | ||
if: ctx.event?.id == null |
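Review bot: The condition `ctx.vulnerability.id.toUpperCase().contains('CVE') == true` on the first processor accepts any id with "CVE" anywhere in it and copies it unchanged into vulnerability.cve; a CVE id has a fixed shape, so a tighter test such as `ctx.vulnerability.id.toUpperCase().startsWith('CVE-')` (the `== true` is redundant) avoids tagging non-CVE identifiers as CVEs. As rendered, the second processor also shows both `value` and `copy_from` and two `if:` keys; since a set processor with both `value` and `copy_from` is rejected by Elasticsearch and a duplicated YAML key is at best ambiguous, confirm only one of each remains in the committed file.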
If the vulnerability ID is a CVE, I guess we may get many events with the same vulnerability ID.
What's the intention with removing the timestamp from event.id?
This was clarified with the Cloud team, whether we really want uniqueness (on source indices) for this field, and it seems that we don't. Essentially, the idea for this field is that we don't need to append the timestamp, as the same finding should have the same id over time.
The field mapping files in the transform that match what's in the data stream can be removed by using the new elastic-package links functionality.
In case a file currently has both common and unique content, it'd be good to split that file.
The full links documentation: https://github.com/elastic/elastic-package/blob/main/docs/howto/links.md
I tested this today and this links feature doesn't seem to be working as expected for me.
Here is the commit that I tested against.
When I build the integration using elastic-package build and check the build folder, the linked files are actually generated inside the package root directory.
I checked the mappings in Kibana as well. All the linked mappings are missing. Only the explicitly defined mapping exists.
Also, the transform produced an error, which also indicates the mapping doesn't work.
cc @kcreddy
CI seems to be having problems with docker; I've been seeing problems in beats too.
Actually I thought it was because images for
Proposed commit message
Checklist
changelog.yml file.
How to test this PR locally
Run pipeline tests:
m365_defender:
microsoft_defender_endpoint:
Run system tests:
m365_defender:
microsoft_defender_endpoint:
Related issues
Screenshots