Can filebeat's o365 module fetch windows defender logs

Hello Team
I am looking for some insights on fetching Windows Defender logs via filebeat (o365 module).
Currently the o365 config (yml) lists these:

# List of content-types to fetch. By default all known content-types
# are retrieved:
var.content_type:
  - "Audit.AzureActiveDirectory"
  - "Audit.Exchange"
  - "Audit.SharePoint"
  - "Audit.General"
  - "DLP.All"

How can we get Windows Defender logs (is this going to be a new category, etc.)?

Hi @sriramb12,

To ingest Defender events, I'd recommend our Defender for Endpoint integration. It requires Elastic Agent, so you'll need to spin up an Agent to ingest the events. We also have an M365 Defender integration if that's of interest too.


Hello Jamie
Thanks so much! It helped to an extent, so that I can ask the next question. Currently I am using o365.yml (within modules.d) to fetch Azure AD logs. I have set up the Windows Defender app within the Azure tenant (portal). So is there a different filebeat module I need to add this application ID / secret to?
Currently the Azure AD logs are fetched using filebeat and the config looks like this:

/etc/filebeat/modules.d/o365.yml
sudo cat o365.yml | grep -v "#"

- module: o365
  audit:
    enabled: true

    var.application_id: "xxxx-xx-xx-8xxx-xxxxxxx"

    var.tenants:
     - id: "xx-xx-xx-xx-xxxxx"
       name: "xxxxx.onmicrosoft.com"
    var.client_secret: "IXv8Q~xxxxxx.ZMbSD"

    var.content_type:
      - "Audit.AzureActiveDirectory"
      - "Audit.Exchange"
      - "Audit.SharePoint"
      - "Audit.General"
      - "DLP.All"

The question is, do I need to run another module for dealing with Windows Defender logs?
If so, do I need to upgrade filebeat (currently running 8.2.3), etc.?
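The posted o365.yml lists the content types the module fetches, and the reply explains that Defender events come through a separate integration rather than a new entry in that list. The following script is an added example, not code from the thread or from Elastic: it parses the `var.*` settings out of an o365.yml fragment, flags any content type outside the five the module lists (the assumption, taken from the posted comment "By default all known content-types are retrieved", is that those five are the complete set), and flags a client secret written inline instead of as a `${NAME}` reference that filebeat resolves from its keystore or the environment. The sample YAML is constructed with placeholder ids and a made-up `Audit.Defender` entry to exercise the check.

```python
import re

# The content types listed in the thread's o365.yml. The posted comment says the
# default is "all known content-types", so this set is treated as the full list
# the module understands (assumption drawn from that comment).
KNOWN_CONTENT_TYPES = frozenset({
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
})

# Constructed sample modelled on the o365.yml posted above. Ids and the secret are
# placeholders; "Audit.Defender" is a made-up type included to exercise the check.
SAMPLE_O365_YML = """\
- module: o365
  audit:
    enabled: true
    var.application_id: "xxxx-xx-xx-8xxx-xxxxxxx"
    var.tenants:
     - id: "xx-xx-xx-xx-xxxxx"
       name: "xxxxx.onmicrosoft.com"
    var.client_secret: "IXv8Q~xxxxxx.ZMbSD"
    # List of content-types to fetch. By default all known content-types
    # are retrieved:
    var.content_type:
      - "Audit.AzureActiveDirectory"
      - "Audit.Exchange"
      - "Audit.Defender"
"""

_KV = re.compile(r'^\s*(var\.[A-Za-z_]+):\s*(.*)$')
_ITEM = re.compile(r'^\s*-\s*(.+)$')


def _unquote(value):
    """Strip one layer of matching single or double quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_o365_module(text):
    """Extract the var.* settings from an o365.yml fragment.

    Handles only the shape the module file uses: scalar `var.x: value` lines and
    the `- item` lines that follow `var.content_type:`. Comment lines are skipped.
    Returns a dict; `var.content_type` maps to a list of strings.
    """
    settings = {}
    collecting = None  # list being filled while inside var.content_type
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        kv = _KV.match(raw)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            collecting = None
            if key == "var.content_type" and value == "":
                collecting = settings.setdefault(key, [])
            elif value:
                settings[key] = _unquote(value)
            continue
        item = _ITEM.match(raw)
        if item and collecting is not None:
            collecting.append(_unquote(item.group(1)))
    return settings


def unknown_content_types(settings):
    """Content types in the config that the o365 module has no fetcher for."""
    return [ct for ct in settings.get("var.content_type", [])
            if ct not in KNOWN_CONTENT_TYPES]


def secret_is_inline(settings):
    """True when var.client_secret is a literal instead of a ${...} reference.

    Beats resolve ${NAME} from the filebeat keystore or the environment, which
    keeps the secret out of the module file itself.
    """
    value = settings.get("var.client_secret", "")
    return bool(value) and not (value.startswith("${") and value.endswith("}"))


def review(text):
    """Return human-readable findings for an o365.yml fragment."""
    settings = parse_o365_module(text)
    findings = []
    for ct in unknown_content_types(settings):
        findings.append(
            f"{ct}: not a content type the o365 module fetches; Defender events "
            "need the separate Defender integration rather than a new entry here")
    if secret_is_inline(settings):
        findings.append("var.client_secret is stored inline; reference a keystore "
                        "entry such as \"${O365_CLIENT_SECRET}\" instead")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_O365_YML):
        print("-", line)
```

Run it against a real module file with `review(open("/etc/filebeat/modules.d/o365.yml").read())`; the parser is deliberately narrow (it only understands the flat `var.*` layout the module file uses), so anything more exotic belongs in a proper YAML loader.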
