Skip to content

Commit

Permalink
[Filebeat] Update Oauth2 flow for m365 defender fileset (#24829) (#25227
Browse files Browse the repository at this point in the history
)

* updating m365 config and documentation to match new Oauth2 authentication flow

* Update changelog

(cherry picked from commit 55be313)
  • Loading branch information
P1llus authored Apr 23, 2021
1 parent b2f055d commit 39849e2
Show file tree
Hide file tree
Showing 7 changed files with 30 additions and 7 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -254,6 +254,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix IPtables Pipeline and Ubiquiti dashboard. {issue}24878[24878] {pull}24928[24928]
- Fix gcp module field names to use gcp instead of googlecloud. {pull}25038[25038]
- Strip Azure Eventhub connection string in debug logs. {pulll}25066[25066]
- Updating Oauth2 flow for m365_defender fileset. {pull}24829[24829]

*Heartbeat*

Expand Down
8 changes: 7 additions & 1 deletion filebeat/docs/modules/microsoft.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,9 @@ Example config:
enabled: true
var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
var.oauth2.client.secret: "980453~-Sg99gedf"
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
var.oauth2.scopes:
- "https://api.security.microsoft.com/.default"
----

*`var.oauth2.client.id`*::
Expand All @@ -69,6 +71,10 @@ The secret related to the client ID.

A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.

*`var.oauth2.scopes`*::

A list of included scopes, should use .default unless different is specified.

[float]
==== 365 Defender ECS fields

Expand Down
6 changes: 5 additions & 1 deletion x-pack/filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1510,7 +1510,11 @@ filebeat.modules:
#var.oauth2.client.secret: ""

# Oauth Token URL, should include the tenant ID
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"

# Related scopes, default should be included
#var.oauth2.scopes:
# - "https://api.security.microsoft.com/.default"
dhcp:
enabled: true

Expand Down
6 changes: 5 additions & 1 deletion x-pack/filebeat/module/microsoft/_meta/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,11 @@
#var.oauth2.client.secret: ""

# Oauth Token URL, should include the tenant ID
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"

# Related scopes, default should be included
#var.oauth2.scopes:
# - "https://api.security.microsoft.com/.default"
dhcp:
enabled: true

Expand Down
8 changes: 7 additions & 1 deletion x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,9 @@ Example config:
enabled: true
var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
var.oauth2.client.secret: "980453~-Sg99gedf"
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
var.oauth2.scopes:
- "https://api.security.microsoft.com/.default"
----

*`var.oauth2.client.id`*::
Expand All @@ -64,6 +66,10 @@ The secret related to the client ID.

A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.

*`var.oauth2.scopes`*::

A list of included scopes, should use .default unless different is specified.

[float]
==== 365 Defender ECS fields

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@ config_version: "2"
interval: {{ .interval }}

auth.oauth2: {{ .oauth2 | tojson }}
auth.oauth2.provider: azure
auth.oauth2.azure.resource: https://api.securitycenter.windows.com/

{{ if .proxy_url }}
request.proxy_url: {{ .proxy_url }}
Expand Down
6 changes: 5 additions & 1 deletion x-pack/filebeat/modules.d/microsoft.yml.disabled
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@
#var.oauth2.client.secret: ""

# Oauth Token URL, should include the tenant ID
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
#var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"

# Related scopes, default should be included
#var.oauth2.scopes:
# - "https://api.security.microsoft.com/.default"
dhcp:
enabled: true

Expand Down

0 comments on commit 39849e2

Please sign in to comment.