File: //usr/share/filebeat/module/microsoft/defender_atp/config/atp.yml
{{ if eq .input "httpjson" }}
type: httpjson
config_version: "2"
interval: {{ .interval }}
auth.oauth2: {{ .oauth2 | tojson }}
auth.oauth2.provider: azure
auth.oauth2.azure.resource: https://api.securitycenter.windows.com/
{{ if .proxy_url }}
request.proxy_url: {{ .proxy_url }}
{{ end }}
request.url: "https://api.securitycenter.windows.com/api/alerts"
request.method: GET
request.transforms:
- set:
target: "header.User-Agent"
value: "MdatpPartner-Elastic-Filebeat/1.0.0"
- set:
target: "url.params.$expand"
value: evidence
- set:
target: "url.params.$filter"
value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05.9999999Z"]]'
response.split:
target: body.value
ignore_empty_value: true
split:
target: body.evidence
keep_parent: true
cursor:
lastUpdateTime:
value: "[[.last_response.body.lastUpdateTime]]"
{{ else if eq .input "file" }}
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
{{ end }}
tags: {{ .tags | tojson }}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
processors:
- decode_json_fields:
fields: [message]
target: json
- add_fields:
target: ''
fields:
ecs.version: 1.12.0