Hello Team
I am looking for some insights on fetching windwos defender logs via filebeat (o365 module)
Currently the o365 config (yml) lists these:
# are retrieved:
var.content_type:
- "Audit.AzureActiveDirectory"
- "Audit.Exchange"
- "Audit.SharePoint"
- "Audit.General"
- "DLP.All"
How can we get windows defender logs (is this going to be a new category? etc) ?
Hi @sriramb12,
To ingest Defender events, I'd recommend our Defender for Endpoint integration. It requires Elastic Agent, so you'll need to spin up an Agent to ingest the events. We also have an M365 Defender integration if that's of interest too.
Hello Jamie
thanks so much! It helped to an extent, that I can ask next question. Currently I am using 0365.yml (within modules.d) to fetch Azure AD logs. I have set up the windows defender app within Azure tenant (portal) . So is there a different filebeat module I need to add this applicationID /secret details?
Currently the Azure AD logs are fetched using filebeat and the config looks like this:
/etc/filebeat/modules.d/o365.yml
sudo cat o365.yml | grep -v "#"
- module: o365
audit:
enabled: true
var.application_id: "xxxx-xx-xx-8xxx-xxxxxxx"
var.tenants:
- id: "xx-xx-xx-xx-xxxxx"
name: "xxxxx.onmicrosoft.com"
var.client_secret: "IXv8Q~xxxxxx.ZMbSD"
var.content_type:
- "Audit.AzureActiveDirectory"
- "Audit.Exchange"
- "Audit.SharePoint"
- "Audit.General"
- "DLP.All"
The question is, do I need to run another module for dealing with windoes defender logs?
If so, do I need to upgrade the filebeat (currently running 8.2.3) ? etc
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.