
Conversation

@kcreddy
Contributor

@kcreddy kcreddy commented Jun 18, 2024

Proposed commit message

A followup of PR https://github.com/elastic/integrations/pull/9860 
to add/enhance ECS mappings for detection rules.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

elastic-package stack down && elastic-package build && elastic-package stack up -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v

--- Test results for package: m365_defender - START ---
╭───────────────┬─────────────┬───────────┬─────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE       │ DATA STREAM │ TEST TYPE │ TEST NAME                           │ RESULT │ TIME ELAPSED │
├───────────────┼─────────────┼───────────┼─────────────────────────────────────┼────────┼──────────────┤
│ m365_defender │ alert       │ pipeline  │ test-alert.log                      │ PASS   │   3.322375ms │
│ m365_defender │ event       │ pipeline  │ test-alert.log                      │ PASS   │   2.456875ms │
│ m365_defender │ event       │ pipeline  │ test-app-and-identity.log           │ PASS   │   3.136125ms │
│ m365_defender │ event       │ pipeline  │ test-device.log                     │ PASS   │  51.277041ms │
│ m365_defender │ event       │ pipeline  │ test-email.log                      │ PASS   │   3.302375ms │
│ m365_defender │ incident    │ pipeline  │ test-incident.log                   │ PASS   │  10.775042ms │
│ m365_defender │ log         │ pipeline  │ test-m365-defender-empty-ndjson.log │ PASS   │   1.258417ms │
│ m365_defender │ log         │ pipeline  │ test-m365-defender-ndjson.log       │ PASS   │   4.567333ms │
╰───────────────┴─────────────┴───────────┴─────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: m365_defender - END   ---
Done
            "registry": {
                "data": {
                    "type": "Binary"
                },
+                "hive": "HKLM",
                "key": "SYSTEM\\ControlSet001\\Control\\WMI\\Security",
-                "path": "SYSTEM\\ControlSet001\\Control\\WMI\\Security\\782655b2-0575-4aa2-82b8-7fd560afeff6",
+                "path": "HKLM\\SYSTEM\\ControlSet001\\Control\\WMI\\Security\\782655b2-0575-4aa2-82b8-7fd560afeff6",
                "value": "782655b2-0575-4aa2-82b8-7fd560afeff6"
            },
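Review bot: the new `path` value is the concatenation of `hive`, `key` and `value` joined by `\\`, while `key` keeps its hive-less form; it would be worth a test assertion on that relationship (not just the expected-output file), because any detection rule that matches on `registry.path` now has to use the `HKLM\\...` prefix, whereas rules matching on `registry.key` are unaffected by this change.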

Related issues

Screenshots

@kcreddy kcreddy changed the title m265_defender: Improve ECS Mappings for Detection Rules m365_defender: Improve ECS Mappings for Detection Rules Jun 18, 2024
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@kcreddy kcreddy marked this pull request as ready for review June 19, 2024 08:28
@kcreddy kcreddy requested a review from a team as a code owner June 19, 2024 08:28
@kcreddy kcreddy added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Jun 19, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

@chrisberkhout chrisberkhout left a comment


The change looks fine.

It seems there are many non-deprecated rules that use hive abbreviations like HKLM:
repo:elastic/detection-rules language:TOML NOT path:/^rules\/_deprecated\// HKLM.

Should those all change?

cc @bczifra, @w0rk3r

@kcreddy
Contributor Author

kcreddy commented Jun 19, 2024

It seems there are many non-deprecated rules that use hive abbreviations like HKLM:

@chrisberkhout, thanks for noticing these rules. That's quite a few rules containing HKLM, while a similar query for rules containing HKEY_LOCAL_MACHINE: repo:elastic/detection-rules HKEY_LOCAL_MACHINE language:TOML NOT path:/^rules/_deprecated// did not yield many results, and nothing on registry.path.

I am now inclined to make the registry.path use the abbreviated HKLM instead of HKEY_LOCAL_MACHINE.

@kcreddy
Contributor Author

kcreddy commented Jun 21, 2024

@chrisberkhout @w0rk3r I updated registry.path with abbreviated registry.hive and also derived host.os.type based on event.category. Please feel free to review.

@kcreddy kcreddy requested review from chrisberkhout and w0rk3r June 21, 2024 06:34
@jamiehynds

@kcreddy @w0rk3r Microsoft have recently rebranded M365 Defender to Microsoft XDR. We'll likely deprecate the current integration and move towards a new Microsoft XDR integration, where the custom fields will use microsoft_xdr. We'll reuse the existing M365D pipelines to preserve existing ECS mappings, but adjust custom field names, datastreams, etc.

We haven't started down that path yet, but want to get it on your radar to ensure detection rules will work with the current M365 Defender integration and future XDR integration.

@kcreddy kcreddy requested a review from chrisberkhout June 24, 2024 11:50
@elasticmachine

💚 Build Succeeded

History

cc @kcreddy

@elastic-sonarqube

@w0rk3r
Contributor

w0rk3r commented Jun 24, 2024

@jamiehynds so the data continue to be the same in the new integration, right? Do we have an estimate on when we are going to work on this?

Comment on lines +2076 to +2082
- set:
    field: registry.value
    description: Derived from previous value during registry changes.
    copy_from: m365_defender.event.previous.registry_value_name
    if: ctx.registry?.value == null
    tag: set_registry_value_prev
    ignore_empty_value: true
Contributor


This will only take effect if the above one is null, right?

Contributor Author


yes, so this processor only executes when if: ctx.registry?.value == null, i.e., when registry.value is not set from above.

@kcreddy kcreddy merged commit 3b36c28 into elastic:main Jun 24, 2024
@jamiehynds

@jamiehynds so the data continue to be the same in the new integration, right? Do we have an estimate on when we are going to work on this?

We'll still collect the same data, but the custom fields would be different - using microsoft_xdr.* instead of the current m365_defender

No time frame yet as work has yet to start, but @cpascale43 will be working on an issue and identify additional data we can pull from Microsoft XDR on top of what we already collect.

@elasticmachine

Package m365_defender - 2.14.0 containing this change is available at https://epr.elastic.co/search?package=m365_defender

@kcreddy kcreddy deleted the m365_def_detection_2 branch June 25, 2024 07:46

Labels

enhancement New feature or request Integration:m365_defender Microsoft Defender XDR Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]


5 participants