To ingest Defender events, I'd recommend our Defender for Endpoint integration. It requires Elastic Agent, so you'll need to spin up an Agent to ingest the events. We also have an M365 Defender integration if that's of interest too.
Hello Jamie
Thanks so much! It helped to an extent, so I can ask the next question. Currently I am using o365.yml (within modules.d) to fetch Azure AD logs. I have set up the Windows Defender app within the Azure tenant (portal). So is there a different Filebeat module I need to add these application ID/secret details to?
Currently the Azure AD logs are fetched using filebeat and the config looks like this:
The question is, do I need to run another module for dealing with Windows Defender logs?
If so, do I need to upgrade Filebeat (currently running 8.2.3)? etc.
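For reference, this is the shape of a Filebeat o365 module configuration (modules.d/o365.yml) that pulls Azure AD audit events through the Office 365 Management Activity API. It is an added example, not the config from the post above, and the application ID, tenant ID, tenant domain and secret are placeholders you replace with the values of the app registration in your Azure tenant. It is included here because it shows where the app ID and secret go and which content types this module fetches; note that the Defender for Endpoint events discussed earlier are not one of these content types, which is why a separate Elastic Agent integration was suggested.

```yaml
# modules.d/o365.yml (example; placeholders are assumed values)
- module: o365
  audit:
    enabled: true
    # Application (client) ID of the app registered in the Azure portal
    var.application_id: "00000000-0000-0000-0000-000000000000"
    # Tenants to poll; id is the directory (tenant) ID, name is the primary domain
    var.tenants:
      - id: "11111111-1111-1111-1111-111111111111"
        name: "contoso.onmicrosoft.com"
    # Client secret created for the app registration (store it in the Filebeat keystore
    # rather than in plain text, e.g. var.client_secret: "${O365_CLIENT_SECRET}")
    var.client_secret: "${O365_CLIENT_SECRET}"
    # Management Activity API content types to subscribe to; Azure AD sign-in and
    # directory audit events arrive under Audit.AzureActiveDirectory
    var.content_type:
      - "Audit.AzureActiveDirectory"
      - "Audit.Exchange"
      - "Audit.SharePoint"
      - "Audit.General"
      - "DLP.All"
```

The `${O365_CLIENT_SECRET}` reference resolves against the Filebeat keystore (`filebeat keystore add O365_CLIENT_SECRET`), which keeps the secret out of the YAML file and out of version control.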