Conversation

@mohitjha-elastic
Collaborator

Proposed commit message

m365_defender: Enhance ECS mappings and refactor Defender dashboards.

This change enhances ECS mappings across all datasets to improve field consistency and alignment. 
The dashboard navigation has been updated to support the links panel widget and reorganized by event 
types rather than ingestion method. Visualization titles were cleaned up by removing redundant 
“[Logs Microsoft Defender XDR]” text where possible, and dashboard names were updated for 
better clarity. The Alert dashboard was refactored to improve usability, including the addition of a 
saved search visualization. Unused screenshots were removed, and existing integration screenshots 
were updated to reflect the latest dashboard changes.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install the elastic package locally.
  • Start the elastic stack using the elastic package.
  • Move to integrations/packages/m365_defender directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issues

Screenshots

Attached dashboard screenshots (image file names):

  • Logs-Microsoft-Defender-XDR-Alert-Elastic-12-23-2025_01_11_PM
  • Logs-Microsoft-Defender-XDR-App-Identity-Elastic-12-23-2025_01_10_PM
  • Logs-Microsoft-Defender-XDR-Device-Elastic-12-23-2025_01_10_PM
  • Logs-Microsoft-Defender-XDR-Vulnerability-Elastic-12-23-2025_01_09_PM
  • Logs-Microsoft-Defender-XDR-Incident-Elastic-12-23-2025_01_09_PM
  • Logs-Microsoft-Defender-XDR-Email-Elastic-12-23-2025_01_09_PM
  • Logs-Microsoft-Defender-XDR-Alert-Elastic-12-23-2025_01_08_PM

@mohitjha-elastic mohitjha-elastic self-assigned this Dec 23, 2025
@mohitjha-elastic mohitjha-elastic added enhancement New feature or request dashboard Relates to a Kibana dashboard bug, enhancement, or modification. Integration:m365_defender Microsoft Defender XDR Category: Integration quality Category: Quality used for SI planning Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Dec 23, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @mohitjha-elastic

@mohitjha-elastic mohitjha-elastic marked this pull request as ready for review December 23, 2025 10:33
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner December 23, 2025 10:33
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy kcreddy self-requested a review December 24, 2025 08:44
Comment on lines +470 to +474
append:
field: host.ip
tag: append_ip_interfaces_to_host_ip
value: '{{{_ingest._value}}}'
allow_duplicates: false
Contributor

Can we use convert processor with on_failure instead of an append?

Collaborator Author

The field used to populate host.ip has already been converted to the IP type earlier; therefore, the append processor is used here.

source: |
def processExecutable = new HashSet();
for (evidence in ctx.json.evidence) {
if (evidence?.image_file?.path != null && evidence?.image_file?.name != null) {
Contributor

Suggested change
if (evidence?.image_file?.path != null && evidence?.image_file?.name != null) {
if (evidence?.image_file?.path != null && evidence.image_file.name != null) {

Comment on lines +2275 to +2277
if (!(ctx.process instanceof HashMap)) {
ctx.process = new HashMap();
}
Contributor

Suggested change
if (!(ctx.process instanceof HashMap)) {
ctx.process = new HashMap();
}
ctx.process = ctx.process ?: [:];

ctx.process = new HashMap();
}
def execList = new ArrayList(processExecutable);
Collections.sort(execList);
Contributor

If this sorting was done, then it could remove the relationship with custom array fields, making it difficult to analyse. Is it required?
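To make the two behaviours debated above checkable offline (the `convert`-with-`on_failure` versus `append` with `allow_duplicates: false` question for host.ip, and whether `Collections.sort` on the derived executables breaks their correspondence with the evidence array), here is an added Python emulation of those ingest steps. It is example code, not the m365_defender package's own pipeline: the `m365_defender.device.ip_interfaces[].address` field name, the path-join rule, the document shapes and every sample value are constructed for illustration. One caveat the emulation makes explicit: a Java `HashSet`, as used in the reviewed Painless script, does not preserve insertion order either, so keeping index alignment with the evidence array would require an ordered collection in addition to dropping the sort.

```python
"""Added example (not the m365_defender package's own pipeline code): a
Python emulation of the ingest steps discussed in the review.

  * convert (type: ip) with an on_failure branch, then append into host.ip
    with allow_duplicates: false
  * the Painless script that builds process.executable from
    evidence[].image_file.{path,name}, with and without Collections.sort

Field names under m365_defender.*, the document shapes and all sample
values below are constructed for illustration.
"""
import ipaddress
from typing import Any, Optional


def convert_ip(value: Any) -> Optional[str]:
    """Emulate `convert` with type: ip. Returns the normalised address, or
    None when the value is not an IP address (the case an on_failure
    handler would see)."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def append_host_ip(doc: dict[str, Any]) -> list[str]:
    """Emulate a foreach over the assumed ip_interfaces array with an
    `append` into host.ip and allow_duplicates: false. Each value goes
    through convert_ip first, mirroring a pipeline in which the source
    field was converted to the ip type before the append runs."""
    host_ip: list[str] = doc.setdefault("host", {}).setdefault("ip", [])
    interfaces = doc.get("m365_defender", {}).get("device", {}).get("ip_interfaces", [])
    for iface in interfaces:
        ip = convert_ip(iface.get("address"))
        if ip is None:
            continue  # convert failed; on_failure would drop or tag the value
        if ip not in host_ip:  # allow_duplicates: false
            host_ip.append(ip)
    return host_ip


def join_image_file(path: str, name: str) -> str:
    """Assumed join rule: reuse the separator already present in the path,
    since Windows evidence paths use backslashes."""
    sep = "\\" if "\\" in path else "/"
    return path.rstrip("\\/") + sep + name


def set_process_executable(doc: dict[str, Any], sort: bool) -> list[str]:
    """Emulate the Painless script: collect path+name for every evidence
    entry that has both, de-duplicate, and optionally sort. Unlike a Java
    HashSet this keeps first-seen order, so only the effect of sorting is
    visible here."""
    executables: list[str] = []
    for ev in doc.get("evidence", []):
        img = ev.get("image_file") or {}
        path, name = img.get("path"), img.get("name")
        if path is None or name is None:
            continue
        exe = join_image_file(path, name)
        if exe not in executables:
            executables.append(exe)
    if sort:
        executables.sort()
    doc.setdefault("process", {})["executable"] = executables
    return executables


def executable_sha_pairs(doc: dict[str, Any], sort: bool) -> list[tuple[str, str]]:
    """Pair process.executable[i] with the sha256 of the i-th evidence entry
    that carries an image_file: the positional link an analyst relies on to
    relate the ECS array back to the custom evidence array."""
    with_image = [ev for ev in doc.get("evidence", []) if ev.get("image_file")]
    exes = set_process_executable(doc, sort)
    return [(ev["image_file"]["sha256"], exe) for ev, exe in zip(with_image, exes)]


def true_pairs(doc: dict[str, Any]) -> list[tuple[str, str]]:
    """Ground truth: sha256 and executable taken from the same evidence entry."""
    return [
        (img["sha256"], join_image_file(img["path"], img["name"]))
        for img in (ev.get("image_file") for ev in doc.get("evidence", []))
        if img
    ]


# Constructed sample alert document (not real Defender XDR output).
SAMPLE_ALERT: dict[str, Any] = {
    "m365_defender": {"device": {"ip_interfaces": [
        {"address": "10.0.0.5"}, {"address": "10.0.0.5"},
        {"address": "fe80::1"}, {"address": "not-an-ip"},
    ]}},
    "evidence": [
        {"image_file": {"path": "C:\\Windows\\System32", "name": "svchost.exe", "sha256": "aaa1"}},
        {"ip_address": "10.0.0.5"},
        {"image_file": {"path": "C:\\Users\\alice\\Downloads", "name": "payload.exe", "sha256": "bbb2"}},
        {"image_file": {"path": "C:\\Windows\\System32", "name": "cmd.exe", "sha256": "ccc3"}},
    ],
}

if __name__ == "__main__":
    print("host.ip:", append_host_ip(SAMPLE_ALERT))
    print("unsorted pairs:", executable_sha_pairs(SAMPLE_ALERT, sort=False))
    print("sorted pairs:  ", executable_sha_pairs(SAMPLE_ALERT, sort=True))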

ignore_missing: true
- script:
description: Set process.executable from evidence image_file path and name.
tag: script_set_process_executable_from_image_file
Contributor

There's existing script processors for process and parent process: https://github.com/elastic/integrations/blob/main/packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml#L2449
Can you utilise them instead of a new one?

- m365_defender.incident.alert.service_source
- m365_defender.incident.web_url
- m365_defender.incident.assigned_to
- m365_defender.incident.alert.threat_family_name
Contributor

Same for the alert data stream as well.

Comment on lines +264 to +268
- set:
field: '@timestamp'
tag: set_timestamp_from_last_seen_timestamp
copy_from: m365_defender.vulnerability.last_seen_timestamp
ignore_empty_value: true
Contributor

This is full ingest, so no need to set timestamp to document time.

Contributor

Update Severity Over Time to reflect severity labels (medium, low, high) instead of numbers.

Development

Successfully merging this pull request may close these issues.

m365_defender: Dashboard improvements

3 participants