Conversation

@kcreddy kcreddy commented Oct 8, 2025

Proposed commit message

{microsoft_defender_endpoint, m365_defender}.vulnerability: New API implementation

Existing CEL program uses 3 API endpoints to fetch vulnerability
data. Although we fetch more fields using this approach, it doesn't
scale well and hence is unusable even for a few hundred machines.

This PR updates the vulnerability data stream with the new
SoftwareVulnerabilitiesExport API[1], which is recommended for
larger workloads. While there are a few data points missed in this
new implementation[2], we maintain all the required fields for the
3rd party vulnerability workflow[3].

Other changes:
- Updates microsoft_defender_endpoint min stack version to "8.19.3"
  as the permissions for the transform were actually applied in 
  "8.19.3" version, and not in "8.19.2"[4].
- Add dataset filter to all visualisations of vulnerability dashboards.

[1]: https://learn.microsoft.com/en-us/defender-endpoint/api/get-assessment-software-vulnerabilities#2-export-software-vulnerabilities-assessment-via-files
[2]: https://github.com/elastic/integrations/issues/15521#issuecomment-3380969284
[3]: https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide
[4]: https://github.com/elastic/elasticsearch/pull/132629

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Verified there are no prebuilt rules affected by this change.
  • Update dashboards to remove references to old fields.
  • Add video for upgrade flow.

How to test this PR locally

Pipeline tests and System tests pass.

--- Test results for package: m365_defender - START ---
╭───────────────┬───────────────┬───────────┬───────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE       │ DATA STREAM   │ TEST TYPE │ TEST NAME                                         │ RESULT │ TIME ELAPSED │
├───────────────┼───────────────┼───────────┼───────────────────────────────────────────────────┼────────┼──────────────┤
│ m365_defender │ vulnerability │ pipeline  │ (ingest pipeline warnings test-vulnerability.log) │ PASS   │ 480.561041ms │
│ m365_defender │ vulnerability │ pipeline  │ test-vulnerability.log                            │ PASS   │  87.309125ms │
╰───────────────┴───────────────┴───────────┴───────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: m365_defender - END   ---
Done

Related issues

Screenshots

Updated dashboards:

m365-defender-vulnerability microsoft_defender_endpoint-vulnerability_overview

Upgrade Flow

mde-vulnerability-3.1-to-3.2-upgrade-flow.mp4

@andrewkroh andrewkroh added Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. labels Oct 8, 2025
@kcreddy kcreddy marked this pull request as ready for review October 9, 2025 19:24
@kcreddy kcreddy requested a review from a team as a code owner October 9, 2025 19:24
@kcreddy kcreddy added the Integration:m365_defender Microsoft Defender XDR label Oct 9, 2025
@kcreddy kcreddy self-assigned this Oct 9, 2025
@andrewkroh andrewkroh added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Oct 9, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy kcreddy requested a review from efd6 October 10, 2025 05:48
Comment on lines 4 to 11
- description: |
Fetch vulnerability data using SoftwareVulnerabilitiesExport API endpoint.
Following fields are no longer available in new implementation: "cloud.provider", "cloud.resource_id",
"cloud.instance.id", "host.geo", "host.ip", "host.risk.calculated_level", "related.ip",
"vulnerability.description", "vulnerability.published_date", "vulnerability.score.version".
If there are custom dashboards using these fields, they could be broken.
type: breaking-change
link: https://github.com/elastic/integrations/pull/15603
Contributor

Suggested change
- description: |
Fetch vulnerability data using SoftwareVulnerabilitiesExport API endpoint.
Following fields are no longer available in new implementation: "cloud.provider", "cloud.resource_id",
"cloud.instance.id", "host.geo", "host.ip", "host.risk.calculated_level", "related.ip",
"vulnerability.description", "vulnerability.published_date", "vulnerability.score.version".
If there are custom dashboards using these fields, they could be broken.
type: breaking-change
link: https://github.com/elastic/integrations/pull/15603
- description: |
Fetch vulnerability data using SoftwareVulnerabilitiesExport API endpoint.
type: enhancement
link: https://github.com/elastic/integrations/pull/15603
- description: |
The following fields are no longer available in the new implementation: "cloud.provider", "cloud.resource_id",
"cloud.instance.id", "host.geo", "host.ip", "host.risk.calculated_level", "related.ip",
"vulnerability.description", "vulnerability.published_date", "vulnerability.score.version".
type: breaking-change
link: https://github.com/elastic/integrations/pull/15603

Contributor Author

Updated in 2f1492e
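As an added example, not part of this PR or the integration's own code: a check that scans a Kibana saved-objects export (assumed to be NDJSON, one saved object per line) for references to the fields the changelog entry lists as removed, so custom dashboards that would break can be found before upgrading. The sample export is constructed.

```python
import json
import re

# Fields the changelog entry says the SoftwareVulnerabilitiesExport-based
# implementation no longer populates.
REMOVED_FIELDS = (
    "cloud.provider", "cloud.resource_id", "cloud.instance.id",
    "host.geo", "host.ip", "host.risk.calculated_level", "related.ip",
    "vulnerability.description", "vulnerability.published_date",
    "vulnerability.score.version",
)
# Whole-token match: not preceded by a word char or dot ("myhost.ip" is not a
# hit), not followed by a word char; sub-fields like host.geo.country_iso_code match.
PATTERNS = [(f, re.compile(r"(?<![\w.])" + re.escape(f) + r"(?!\w)"))
            for f in REMOVED_FIELDS]

def find_broken_saved_objects(ndjson_text):
    """Return (type, title, [removed fields]) for each saved object referencing one."""
    hits = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "attributes" not in obj:  # trailing export summary object
            continue
        # Lens state, visState and searchSourceJSON are stored as escaped JSON
        # strings, so searching the raw line catches every nesting level.
        referenced = [f for f, pat in PATTERNS if pat.search(line)]
        if referenced:
            title = obj["attributes"].get("title", obj.get("id", "?"))
            hits.append((obj.get("type", "?"), title, referenced))
    return hits

# Constructed sample export: two objects use removed fields, one does not.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"type": "lens", "id": "a", "attributes": {"title": "Vulns by host IP",
        "state": {"columns": {"c1": {"sourceField": "host.ip"}}}}}),
    json.dumps({"type": "visualization", "id": "b", "attributes": {"title": "Vulns by country",
        "visState": json.dumps({"aggs": [{"params": {"field": "host.geo.country_iso_code"}}]}),
        "kibanaSavedObjectMeta": {"searchSourceJSON": json.dumps(
            {"query": {"query": "vulnerability.score.version:3.1"}})}}}),
    json.dumps({"type": "lens", "id": "c", "attributes": {"title": "Vulns by severity",
        "state": {"columns": {"c1": {"sourceField": "vulnerability.severity"}}}}}),
    json.dumps({"exportedCount": 3, "missingRefCount": 0, "missingReferences": []}),
])

if __name__ == "__main__":
    for obj_type, title, fields in find_broken_saved_objects(SAMPLE_EXPORT):
        print(f"{obj_type} '{title}' uses removed fields: {', '.join(fields)}")
```

Run it against a real export (Stack Management > Saved Objects > Export) by passing the file contents to find_broken_saved_objects.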

data_stream:
vars:
batch_size: 2
sas_valid_hours: 2
Contributor

Suggested change
sas_valid_hours: 2
sas_valid_hours: 2h
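Review bot: the suggested "2h" turns sas_valid_hours into a duration string while the variable name reads as an integer count of hours; check that the data stream manifest declares this var with a type that accepts the "2h" form and that the name or its description makes the expected format explicit, so this system test config and the manifest do not disagree.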

Contributor Author

Thanks. Updated in 2f1492e

@kcreddy kcreddy requested a review from efd6 October 10, 2025 07:40
@kcreddy kcreddy changed the title {microsoft_defender_endpoint, m365_defender}.vulnerability: Update implementation {microsoft_defender_endpoint, m365_defender}.vulnerability: New API implementation Oct 10, 2025
@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Oct 10, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @kcreddy

string(vulnerabilityResp.Body)
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "GET "+ state.url.trim_right("/") + ":" + (
Collaborator

Suggested change
"message": "GET "+ state.url.trim_right("/") + ":" + (
"message": "GET /api/machines/SoftwareVulnerabilitiesExport :" + (
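Review bot: the replacement drops state.url in favour of the literal path /api/machines/SoftwareVulnerabilitiesExport in the error message, so the path is now duplicated between the request and the message and a future change to the request URL would leave the logged message misreporting the endpoint; if the literal is preferred for readability, keep it in one place (a single CEL variable used for both the request and the message).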

@brijesh-elastic
Collaborator

Since there is a change in the transform schema, the fleet_transform_version and destination indices need to be updated.

Development

Successfully merging this pull request may close these issues.

{microsoft_defender_endpoint, m365_defender}: vulnerability data stream scaling problem

5 participants