
[m365_defender]: Support IdentityInfo events #12172

Open
rkerr opened this issue Dec 20, 2024 · 4 comments
Labels
Integration:m365_defender Microsoft M365 Defender needs:triage Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]

Comments

@rkerr

rkerr commented Dec 20, 2024

Integration Name

Microsoft M365 Defender [m365_defender]

Dataset Name

m365_defender.event

Integration Version

2.18.0

Agent Version

8.16.1

OS Version and Architecture

NA

User Goal

To be able to ingest the IdentityInfo event type as documented at https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-identityinfo-table.

Existing Features

The IdentityInfo event type is not listed as supported in the documentation, and ingesting it gives a not supported error.

What did you see?

error.message: The event category AdvancedHunting-IdentityInfo is not supported.

Anything else?

No response

@andrewkroh andrewkroh added Integration:m365_defender Microsoft M365 Defender Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Dec 20, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@jvalente-salemstate

jvalente-salemstate commented Dec 22, 2024

IdentityInfo is one of a handful of tables that the XDR event streaming API doesn't export to an event hub. The DeviceTvm* tables are other examples.

@rkerr
Author

rkerr commented Dec 24, 2024

I'm definitely seeing these events come through and getting an error.message: The event category AdvancedHunting-IdentityInfo is not supported.

It's interesting that doc lists some things as "Not Available" but doesn't list IdentityInfo at all - wondering if it might be a little out of date?

Alternatively this might be to do with how we ingest. I didn't set this up and the person that did is away for a few weeks. Our Elastic instance is in Azure and I know there's a native log forwarder for some types of Azure logs that bypasses a lot of the APIs, but I didn't think it applied to the Defender logs.

@jvalente-salemstate

> I'm definitely seeing these events come through and getting an error.message: The event category AdvancedHunting-IdentityInfo is not supported.

Checking our setup, this is the case. The table wasn't available about a year ago but now I have 21/22 tables set to stream. IdentityInfo is the one not checked. Their documentation is definitely out of date.

Looking at the schema for the table, nearly all the parsing would already be in place. It just needs an additional condition for AdvancedHunting-IdentityInfo and a couple of fields unique to the table.
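As an added illustration (not code from the integration or from either commenter), here is a minimal router of the kind the comment above describes: streamed records are dispatched by category, an unlisted category produces the exact error.message reported in this issue, and supporting IdentityInfo amounts to one more accepted category plus a mapping for its own fields. The Event Hub envelope shape, the IdentityInfo column names and the ECS target fields are assumptions, not taken from this page.

```python
import json

# Categories the hypothetical router accepts today; a small subset, constructed for this example.
SUPPORTED = {"AdvancedHunting-DeviceInfo", "AdvancedHunting-AlertInfo"}
# What the fix described in the comment amounts to: one more accepted category.
SUPPORTED_WITH_IDENTITY = SUPPORTED | {"AdvancedHunting-IdentityInfo"}

# Constructed sample batch in the assumed Event Hub envelope shape: a "records" array whose
# items carry "time", "category" and "properties". All values are made up.
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2024-12-20T10:00:00Z", "category": "AdvancedHunting-DeviceInfo",
     "properties": {"DeviceName": "ws01.example.test", "OSPlatform": "Windows11"}},
    {"time": "2024-12-20T10:00:01Z", "category": "AdvancedHunting-IdentityInfo",
     "properties": {"AccountUpn": "a.user@example.test",
                    "AccountObjectId": "11111111-2222-3333-4444-555555555555",
                    "AccountDisplayName": "A. User", "Department": "Finance",
                    "IsAccountEnabled": True}},
]})


def route(record: dict, supported: set) -> dict:
    """Flatten one streamed record into ECS-style fields, or raise the error seen in this issue."""
    category = record.get("category", "")
    if category not in supported:
        raise ValueError(f"The event category {category} is not supported.")
    props = record.get("properties", {})
    event = {"@timestamp": record.get("time"), "m365_defender.event.category": category}
    if category == "AdvancedHunting-IdentityInfo":
        # The handful of fields unique to IdentityInfo (column names assumed from Microsoft's schema page).
        event["user.id"] = props.get("AccountObjectId")
        event["user.email"] = props.get("AccountUpn")
        event["user.full_name"] = props.get("AccountDisplayName")
        event["m365_defender.identity_info.department"] = props.get("Department")
        event["m365_defender.identity_info.is_account_enabled"] = props.get("IsAccountEnabled")
    else:
        # Shared handling for the already-supported tables: keep properties under the dataset prefix.
        for key, value in props.items():
            event[f"m365_defender.event.{key}"] = value
    return event


def process_batch(raw: str, supported: set) -> tuple:
    """Parse a batch; return (events, error_messages) so one unsupported record does not drop the rest."""
    events, errors = [], []
    for record in json.loads(raw).get("records", []):
        try:
            events.append(route(record, supported))
        except ValueError as exc:
            errors.append(str(exc))
    return events, errors
```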
