From d500faf7729571595d7aeef37fb7bc26118b0c55 Mon Sep 17 00:00:00 2001
From: Marius Iversen
Date: Tue, 30 Mar 2021 15:44:51 +0200
Subject: [PATCH 1/2] [Filebeat] Update Oauth2 flow for m365 defender fileset (#24829)
* updating m365 config and documentation to match new Oauth2 authentication flow
* Update changelog
(cherry picked from commit 55be313dfb010e8f4f4da224fe41fb5bdb3b6f10)
---
 CHANGELOG.next.asciidoc | 3 +++
 filebeat/docs/modules/microsoft.asciidoc | 8 +++++++-
 x-pack/filebeat/filebeat.reference.yml | 6 +++++-
 x-pack/filebeat/module/microsoft/_meta/config.yml | 6 +++++-
 x-pack/filebeat/module/microsoft/_meta/docs.asciidoc | 8 +++++++-
 .../module/microsoft/m365_defender/config/defender.yml | 2 --
 x-pack/filebeat/modules.d/microsoft.yml.disabled | 6 +++++-
 7 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 78c538c2fa7..47f24e7417b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -204,6 +204,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix Cisco AMP `@metadata._id` calculation {issue}24717[24717] {pull}24718[24718]
 - Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694]
 - Fix gcp/vpcflow module error where input type was defaulting to file. {pull}24719[24719]
+- Fix date parsing in GSuite/login fileset. {issue}24694[24694]
+- Improve Cisco ASA/FTD parsing of messages - better support for identity FW messages. Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity. Add descriptions for various processors for easier pipeline editing in Kibana UI. {pull}23766[23766]
+- Updating Oauth2 flow for m365_defender fileset. {pull}24829[24829]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc
index f446d8a5bb6..f82d99f3c27 100644
--- a/filebeat/docs/modules/microsoft.asciidoc
+++ b/filebeat/docs/modules/microsoft.asciidoc
@@ -54,7 +54,9 @@ Example config:
 enabled: true
 var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
 var.oauth2.client.secret: "980453~-Sg99gedf"
- var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
+ var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
+ var.oauth2.scopes:
+ - "https://api.security.microsoft.com/.default"
 ----
 
 *`var.oauth2.client.id`*::
@@ -69,6 +71,10 @@ The secret related to the client ID.
 
 A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
 
+*`var.oauth2.scopes`*::
+
+A list of included scopes, should use .default unless different is specified.
+
 [float]
 ==== 365 Defender ECS fields
 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 65c0f35f96a..b128d6eedd6 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -1369,7 +1369,11 @@ filebeat.modules:
 #var.oauth2.client.secret: ""
 
 # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"
+
+ # Related scopes, default should be included
+ #var.oauth2.scopes:
+ # - "https://api.security.microsoft.com/.default"
 
 dhcp:
 enabled: true
diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml
index ee06eea9228..a168b621ba5 100644
--- a/x-pack/filebeat/module/microsoft/_meta/config.yml
+++ b/x-pack/filebeat/module/microsoft/_meta/config.yml
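Review bot: The new comment `# Related scopes, default should be included` does not tell the operator why the scope is needed or that it is tied to the `v2.0` token URL changed two lines above, so someone carrying over an old `oauth2/token` URL from an existing config gets no hint that the pair must change together. Suggested wording for the comment: `# Oauth2 scopes requested from the v2.0 token endpoint above; the Defender API's .default scope is expected unless another one is required`. The same block is added verbatim in `x-pack/filebeat/module/microsoft/_meta/config.yml` and `x-pack/filebeat/modules.d/microsoft.yml.disabled`; presumably those are regenerated from the `_meta` source, so the wording only needs to change there. The enclosing `m365_defender` module stanza starts before the hunk.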
@@ -25,7 +25,11 @@
 #var.oauth2.client.secret: ""
 
 # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"
+
+ # Related scopes, default should be included
+ #var.oauth2.scopes:
+ # - "https://api.security.microsoft.com/.default"
 
 dhcp:
 enabled: true
diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
index 947cf39f1bb..dba51821e53 100644
--- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc
@@ -49,7 +49,9 @@ Example config:
 enabled: true
 var.oauth2.client.id: "123abc-879546asd-349587-ad64508"
 var.oauth2.client.secret: "980453~-Sg99gedf"
- var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
+ var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/v2.0/token"
+ var.oauth2.scopes:
+ - "https://api.security.microsoft.com/.default"
 ----
 
 *`var.oauth2.client.id`*::
@@ -64,6 +66,10 @@ The secret related to the client ID.
 
 A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL.
 
+*`var.oauth2.scopes`*::
+
+A list of included scopes, should use .default unless different is specified.
+
 [float]
 ==== 365 Defender ECS fields
 
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
index 52ebe56c3b1..2838709a3b2 100644
--- a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
+++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -6,8 +6,6 @@ config_version: "2"
 interval: {{ .interval }}
 auth.oauth2: {{ .oauth2 | tojson }}
-auth.oauth2.provider: azure
-auth.oauth2.azure.resource: https://api.securitycenter.windows.com/
 request.url: "https://api.security.microsoft.com/api/incidents"
 request.method: GET
diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled
index b0a1b10c6d5..f73c209386d 100644
--- a/x-pack/filebeat/modules.d/microsoft.yml.disabled
+++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled
@@ -28,7 +28,11 @@
 #var.oauth2.client.secret: ""
 
 # Oauth Token URL, should include the tenant ID
- #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token"
+ #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token"
+
+ # Related scopes, default should be included
+ #var.oauth2.scopes:
+ # - "https://api.security.microsoft.com/.default"
 
 dhcp:
 enabled: true
From bda50e5aa30d9db2acb794480714d369156ca682 Mon Sep 17 00:00:00 2001
From: Marius Iversen
Date: Tue, 30 Mar 2021 16:19:38 +0200
Subject: [PATCH 2/2] Update CHANGELOG.next.asciidoc
---
 CHANGELOG.next.asciidoc | 2 --
 1 file changed, 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 47f24e7417b..40f079d9899 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
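Review bot: With `auth.oauth2.provider: azure` and `auth.oauth2.azure.resource` removed, the template no longer supplies any token audience itself; `auth.oauth2: {{ .oauth2 | tojson }}` passes the fileset vars through unchanged, so a config that still carries the pre-change `oauth2/token` URL and no `scopes` renders without error and the failure only surfaces at request time against `api.security.microsoft.com`. The template should say so where the contract now lives, e.g. above the `auth.oauth2` line: `# auth.oauth2 comes straight from the fileset vars: token_url must be the v2.0 endpoint and scopes must include https://api.security.microsoft.com/.default, since provider/azure.resource are no longer set here`. If the fileset manifest supports defaults for these vars, a default `scopes` value would make the rendered config self-consistent; I cannot confirm from this hunk whether it does. The template continues past the hunk.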
@@ -204,8 +204,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix Cisco AMP `@metadata._id` calculation {issue}24717[24717] {pull}24718[24718]
 - Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694]
 - Fix gcp/vpcflow module error where input type was defaulting to file. {pull}24719[24719]
-- Fix date parsing in GSuite/login fileset. {issue}24694[24694]
-- Improve Cisco ASA/FTD parsing of messages - better support for identity FW messages. Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity. Add descriptions for various processors for easier pipeline editing in Kibana UI. {pull}23766[23766]
 - Updating Oauth2 flow for m365_defender fileset. {pull}24829[24829]
 
 *Heartbeat*