Filebeat: Microsoft Module seems to be acquiring the same events for a period of time

I am testing the Filebeat Microsoft Module using the eicar test files from Download Anti Malware Testfile – Eicar.
I download one of the files. Then, Windows Defender AV "prevents" the infection (and generates events from Windows Defender AV). After waiting approximately 5 minutes, the interval configured for the Microsoft module to poll for events, Kibana will have approximately 6 events per eicar test file that was downloaded/detected. Then, going forward, there will no longer be additional events associated with this activity. So it seems like, to a degree (because it's not continuous), the Microsoft module is not aware of events it previously acquired. I have tested the polling interval using 2 minutes and 5 minutes. It does not seem to matter. We still get multiple events.

The Input URLs for the Microsoft Module are:

https://api.securitycenter.windows.com/api/alerts
https://api.security.microsoft.com/api/incidents

Could someone please explain what could be going on here?

Below is the microsoft.yml for the Microsoft module:

# Module: microsoft
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.13/filebeat-module-microsoft.html

- module: microsoft
  # ATP configuration
  defender_atp:
    enabled: true
    # How often the API should be polled
    var.interval: 5m

    # Oauth Client ID
    var.oauth2.client.id: "Our Client ID"

    # Oauth Client Secret
#    var.oauth2.client.secret: "Our Secret"
    var.oauth2.client.secret: "Our Secret"

    # Oauth Token URL, should include the tenant ID
    var.oauth2.token_url: "https://login.microsoftonline.com/16ed5ab4-2b59-4e40-806d-8a30bdc9cf26/oauth2/token"
  m365_defender:
    enabled: true
    # How often the API should be polled
    var.interval: 5m

    # Oauth Client ID
    var.oauth2.client.id: "Our Client ID"

    # Oauth Client Secret
#    var.oauth2.client.secret: "Our Secret"
    var.oauth2.client.secret: "Our Secret"

    # Oauth Token URL, should include the tenant ID
    var.oauth2.token_url: "https://login.microsoftonline.com/16ed5ab4-2b59-4e40-806d-8a30bdc9cf26/oauth2/v2.0/token"
    
    # Related scopes, default should be included
    var.oauth2.scopes:
    - "https://api.security.microsoft.com/.default"
  dhcp:
    enabled: false

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9515

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
