
#11810 - Enabling m365_defender with Agentless deployment #12891

Merged (4 commits), Mar 4, 2025

Conversation

qcorporation (Collaborator) commented Feb 25, 2025

Parent Ticket:
#11810

Proposed commit message

  • Updated the documentation based upon agreed upon language to highlight that the integration now supports Agentless deployment
    [Screenshot of the updated integration documentation, 2025-02-25 11:48 AM]

  • Upgraded the format_version to latest, 3.2.3

  • Updated Kibana version constraints to ^8.18 || ^9.0.0

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  1. Create a new account within Azure and register a new application with the below permissions
  "SecurityAlert.Read.All",
  "SecurityAlert.ReadWrite.All",
  "SecurityIncident.Read.All",
  "SecurityIncident.ReadWrite.All"

     Note that Incident.Read.All and Incident.ReadWrite.All were not added, as these API permissions are no longer available in the permissions list and the integration has marked them as deprecated.
  2. Fill in the client ID, client secret and tenant ID and install the integration; only the API was tested, Azure Event Hub was NOT set up.
  3. The integration does not fetch past events, only events from the time it is installed, so I was forced to use msgraph GraphServiceClient to touch an existing Incident; this allowed the Incident to update its date field, and the data was ingested into ES via the Agentless Agent.
  4. Validated that the incidents that were touched were seen within Elasticsearch/Kibana.
  5. Validated that agent logs did not show any errors.
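The test procedure above hinges on one step that is easy to get wrong: the integration only ingests incidents whose lastUpdateDateTime is later than install time, so a pre-existing incident has to be modified before anything shows up in Elasticsearch. The script below is an added example, not code from this PR or from the m365_defender package, and it does not use the msgraph SDK the author used; it performs the same exchange against the Graph REST API directly so each request is visible: a client-credentials token request on the tenant's v2.0 endpoint with the https://graph.microsoft.com/.default scope, a pre-flight check that the token's roles claim actually carries SecurityIncident.ReadWrite.All (a missing admin consent otherwise surfaces only as an opaque 403 from Graph), then GET, PATCH and GET on /security/incidents/{id}. Assumptions: the tag name elastic-ingest-test is invented for the example, the premise that any successful PATCH (here, toggling a customTags entry) bumps lastUpdateDateTime is the same one the author relied on, and the FakeGraph class and FAKE_TOKEN are constructed stand-ins so the whole thing runs offline; swap in urllib_transport (the default) with a real tenant ID, client ID, client secret and incident ID to run it for real.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "SecurityIncident.ReadWrite.All"  # app permission needed to PATCH an incident
TOUCH_TAG = "elastic-ingest-test"                 # hypothetical tag name chosen for this example

# transport(method, url, headers, body) -> parsed JSON reply ({} when the body is empty)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]


def urllib_transport(method, url, headers, body):
    """Real transport: send with urllib; HTTPError surfaces 4xx/5xx replies."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def get_token(tenant_id: str, client_id: str, client_secret: str,
              transport: Transport = urllib_transport) -> str:
    """Client-credentials grant on the tenant's v2.0 token endpoint. The '.default'
    scope requests every application permission that has admin consent on the app."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    reply = transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return reply["access_token"]


def app_roles(token: str) -> List[str]:
    """Pre-flight only: read the 'roles' claim of our own fresh token without verifying
    it (Graph verifies; we just fail early when admin consent is missing)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])


def touch_incident(token: str, incident_id: str,
                   transport: Transport = urllib_transport) -> Tuple[str, str]:
    """Toggle a custom tag so Defender records a new lastUpdateDateTime (assumed: any
    successful PATCH bumps it), then read it back. Returns (before, after)."""
    if REQUIRED_ROLE not in app_roles(token):
        raise PermissionError(f"token lacks {REQUIRED_ROLE}; grant admin consent on the app")
    url = f"{GRAPH}/security/incidents/{incident_id}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    before = transport("GET", url, headers, None)
    tags = list(before.get("customTags") or [])
    if TOUCH_TAG in tags:                         # toggling keeps repeated runs from piling up tags
        tags.remove(TOUCH_TAG)
    else:
        tags.append(TOUCH_TAG)
    transport("PATCH", url, headers, json.dumps({"customTags": tags}).encode())
    after = transport("GET", url, headers, None)
    return before["lastUpdateDateTime"], after["lastUpdateDateTime"]


# ---- constructed offline stand-in for Entra ID and Graph (not the real services) ----
def fake_jwt(claims: dict) -> str:
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'RS256'})}.{seg(claims)}.not-a-real-signature"

FAKE_TOKEN = fake_jwt({"roles": ["SecurityAlert.Read.All", REQUIRED_ROLE]})


class FakeGraph:
    """Records every request, serves the token endpoint and GET/PATCH on one incident,
    and bumps lastUpdateDateTime on PATCH the way a live tenant would."""
    def __init__(self, incident: dict):
        self.incident = incident
        self.calls: List[Tuple[str, str]] = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if url.endswith("/oauth2/v2.0/token"):
            return {"access_token": FAKE_TOKEN, "token_type": "Bearer"}
        if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
            raise PermissionError("401: missing or wrong bearer token")
        if method == "PATCH":
            self.incident.update(json.loads(body))
            self.incident["lastUpdateDateTime"] = "2025-02-25T16:48:36Z"
            return {}
        return dict(self.incident)


def demo() -> dict:
    """Run the whole exchange against the fake: token, GET, PATCH, GET."""
    fake = FakeGraph({"id": "12345", "status": "active", "customTags": [],
                      "lastUpdateDateTime": "2025-02-20T09:00:00Z"})
    token = get_token("tenant-id", "client-id", "client-secret", transport=fake)
    before, after = touch_incident(token, "12345", transport=fake)
    return {"before": before, "after": after,
            "calls": [m for m, _ in fake.calls], "tags": fake.incident["customTags"]}


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when adapting this: the transport is injected so the exchange can be exercised without a tenant, and the roles pre-check reads the token only as a diagnostic (the signature is never verified here, which is fine for a token we just received from the IdP but would not be for one presented to us). The toggle on customTags means running the script twice leaves the incident as it was found, apart from the updated timestamp.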

@qcorporation qcorporation added enhancement New feature or request Team:Service-Integrations Label for the Service Integrations team Integration:m365_defender Microsoft M365 Defender labels Feb 25, 2025
@qcorporation qcorporation requested a review from a team February 25, 2025 16:57
@qcorporation qcorporation self-assigned this Feb 25, 2025
@qcorporation qcorporation requested a review from a team February 25, 2025 17:02
@qcorporation qcorporation added the Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] label Feb 25, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@qcorporation qcorporation marked this pull request as ready for review February 25, 2025 18:31
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@andrewkroh (Member) left a comment

LGTM.

@elasticmachine

💚 Build Succeeded

History

cc @qcorporation

@qcorporation qcorporation merged commit 3e74a63 into main Mar 4, 2025
7 checks passed
@qcorporation qcorporation deleted the m365_defender_agentless branch March 4, 2025 18:15
@elastic-vault-github-plugin-prod

Package m365_defender - 2.24.0 containing this change is available at https://epr.elastic.co/package/m365_defender/2.24.0/
