I am testing the Filebeat Microsoft Module using the eicar test files from Download Anti Malware Testfile – Eicar.
I download one of the files. Then, Windows Defender AV "prevents" the infection (and generates events from Windows Defender AV). After waiting approximately 5 minutes, the interval configured for the Microsoft module to poll for events, Kibana will have approximately 6 events per eicar test file that was downloaded/detected. Then, going forward, there will no longer be additional events associated with this activity. So it seems like, to a degree (because it's not continuous), the Microsoft module is not aware of events it previously acquired. I have tested the polling interval using 2 minutes and 5 minutes. It does not seem to matter. We still get multiple events.
The Input URLs for the Microsoft Module are:
https://api.securitycenter.windows.com/api/alerts
https://api.security.microsoft.com/api/incidents
Could someone please explain what could be going on here?
Below is the microsoft.yml for the Microsoft module:
```yaml
# Module: microsoft
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.13/filebeat-module-microsoft.html

- module: microsoft
  # ATP configuration
  defender_atp:
    enabled: true
    # How often the API should be polled
    var.interval: 5m
    # Oauth Client ID
    var.oauth2.client.id: "Our Client ID"
    # Oauth Client Secret
    # var.oauth2.client.secret: "Our Secret"
    var.oauth2.client.secret: "Our Secret"
    # Oauth Token URL, should include the tenant ID
    var.oauth2.token_url: "https://login.microsoftonline.com/16ed5ab4-2b59-4e40-806d-8a30bdc9cf26/oauth2/token"

  m365_defender:
    enabled: true
    # How often the API should be polled
    var.interval: 5m
    # Oauth Client ID
    var.oauth2.client.id: "Our Client ID"
    # Oauth Client Secret
    # var.oauth2.client.secret: "Our Secret"
    var.oauth2.client.secret: "Our Secret"
    # Oauth Token URL, should include the tenant ID
    var.oauth2.token_url: "https://login.microsoftonline.com/16ed5ab4-2b59-4e40-806d-8a30bdc9cf26/oauth2/v2.0/token"
    # Related scopes, default should be included
    var.oauth2.scopes:
      - "https://api.security.microsoft.com/.default"

  dhcp:
    enabled: false
    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9515
    # Set paths for the log files when file input is used.
    # var.paths:
    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true
    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local
```
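One way to narrow this down is to query the alerts endpoint from the post directly, independent of Filebeat, and count how many distinct alert ids sit behind the records the API returns for a polling window. The script below is an added example, not code from the original post or from the Filebeat Microsoft module. It assumes the OAuth2 client-credentials grant against the tenant token URL shown in microsoft.yml (the v1 `/oauth2/token` form, which takes a `resource` parameter), an OData `$filter` on `lastUpdateTime`, and a constructed set of sample alert records used to run the counting logic offline; the network functions are only called when you supply real credentials.

```python
"""Added example (not from the original post or the Filebeat module): pull
alerts from the Defender for Endpoint API for one polling window and report
total records vs distinct alert ids, so the count can be compared with what
lands in Kibana.  Assumptions: v1 client-credentials token request, an OData
$filter on lastUpdateTime, and constructed sample records (SAMPLE_ALERTS)."""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Endpoint quoted in the post.
ALERTS_URL = "https://api.securitycenter.windows.com/api/alerts"
# Assumed resource identifier for the v1 token request (not in the post).
ATP_RESOURCE = "https://api.securitycenter.windows.com"


def build_alerts_url(since: datetime, base_url: str = ALERTS_URL) -> str:
    """Return the alerts URL with an OData filter selecting records whose
    lastUpdateTime is at or after `since` (rendered in UTC)."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urllib.parse.urlencode({"$filter": f"lastUpdateTime ge {stamp}"})
    return f"{base_url}?{query}"


def get_token(token_url: str, client_id: str, client_secret: str,
              resource: str = ATP_RESOURCE) -> str:
    """Client-credentials grant against the tenant token URL from microsoft.yml.
    Network call: only invoke with real credentials."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_alerts(url: str, token: str) -> list:
    """GET the alerts collection; the API wraps results in a 'value' array."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def summarize(alerts: list) -> dict:
    """Group records by alert id.  A single id carrying several distinct
    lastUpdateTime values means the same alert was returned again after an
    update, which is a different situation from several new detections."""
    per_id = defaultdict(set)
    for alert in alerts:
        per_id[alert["id"]].add(alert["lastUpdateTime"])
    return {
        "records": len(alerts),
        "distinct_alerts": len(per_id),
        "updates_per_alert": {k: len(v) for k, v in per_id.items()},
    }


# Constructed sample records (not real API output): one alert updated twice
# and one seen once, all within a single 5 minute window.
SAMPLE_ALERTS = [
    {"id": "alert-1", "title": "EICAR test file detected",
     "status": "New", "lastUpdateTime": "2021-06-01T10:00:05Z"},
    {"id": "alert-1", "title": "EICAR test file detected",
     "status": "InProgress", "lastUpdateTime": "2021-06-01T10:03:41Z"},
    {"id": "alert-2", "title": "EICAR test file detected",
     "status": "New", "lastUpdateTime": "2021-06-01T10:04:10Z"},
]


if __name__ == "__main__":
    # Offline run over the constructed sample.
    print(json.dumps(summarize(SAMPLE_ALERTS), indent=2))
    # Live run (fill in the values from microsoft.yml before enabling):
    # token = get_token("https://login.microsoftonline.com/<tenant-id>/oauth2/token",
    #                   "Our Client ID", "Our Secret")
    # since = datetime.now(timezone.utc) - timedelta(minutes=5)
    # print(json.dumps(summarize(fetch_alerts(build_alerts_url(since), token)), indent=2))
```

Run it once per polling interval and compare `records` and `distinct_alerts` with the document count in Kibana for the same window; if `records` already exceeds `distinct_alerts` at the API, the repeats are present in what the endpoint returns rather than introduced by the module.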