
{microsoft_defender_endpoint, m365_defender}.vulnerability: New API implementation #15603

Merged
efd6 merged 15 commits into elastic:main from kcreddy:mde-vuln-reqrite
Oct 12, 2025

Conversation

@kcreddy (Contributor) commented Oct 8, 2025 (edited)

Proposed commit message

{microsoft_defender_endpoint, m365_defender}.vulnerability: New API implementation

Existing CEL program uses 3 API endpoints to fetch vulnerability data. Although we fetch more fields using this approach, it doesn't scale well and hence is unusable even for few hundred machines.

This PR updates the vulnerability data stream with new SoftwareVulnerabilitiesExport API[1], which is recommended for larger workloads. While there are few data points missed in this new implementation[2], we maintain all the required fields for 3rd party vulnerability workflow[3].

Other changes:
  • Updates microsoft_defender_endpoint min stack version to "8.19.3" as the permissions for the transform were actually applied in "8.19.3" version, and not in "8.19.2"[4].
  • Add dataset filter to all visualisations of vulnerability dashboards.

[1]: https://learn.microsoft.com/en-us/defender-endpoint/api/get-assessment-software-vulnerabilities#2-export-software-vulnerabilities-assessment-via-files
[2]: https://github.com/elastic/integrations/issues/15521#issuecomment-3380969284
[3]: https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide
[4]: https://github.com/elastic/elasticsearch/pull/132629

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

Author's Checklist

  • Verified there are no prebuilt rules affected by this change.
  • Update dashboards to remove references to old fields.
  • Add video for upgrade flow.

How to test this PR locally

Pipeline tests and System tests pass.

--- Test results for package: m365_defender - START ---
╭───────────────┬───────────────┬───────────┬───────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE       │ DATA STREAM   │ TEST TYPE │ TEST NAME                                         │ RESULT │ TIME ELAPSED │
├───────────────┼───────────────┼───────────┼───────────────────────────────────────────────────┼────────┼──────────────┤
│ m365_defender │ vulnerability │ pipeline  │ (ingest pipeline warnings test-vulnerability.log) │ PASS   │ 480.561041ms │
│ m365_defender │ vulnerability │ pipeline  │ test-vulnerability.log                            │ PASS   │  87.309125ms │
╰───────────────┴───────────────┴───────────┴───────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: m365_defender - END   ---
Done

Related issues

Screenshots

Updated dashboards:

m365-defender-vulnerability
microsoft_defender_endpoint-vulnerability_overview

Upgrade Flow

mde-vulnerability-3.1-to-3.2-upgrade-flow.mp4

andrewkroh added the labels Integration:microsoft_defender_endpoint (Microsoft Defender for Endpoint), dashboard (Relates to a Kibana dashboard bug, enhancement, or modification) and documentation (Improvements or additions to documentation. Applied to PRs that modify *.md files) on Oct 8, 2025
kcreddy marked this pull request as ready for review on October 9, 2025 19:24
kcreddy requested a review from a team as a code owner on October 9, 2025 19:24
kcreddy added the label Integration:m365_defender (Microsoft Defender XDR) on Oct 9, 2025
kcreddy self-assigned this on Oct 9, 2025
andrewkroh added the label Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) on Oct 9, 2025
@elasticmachine commented:

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

kcreddy requested a review from efd6 on October 10, 2025 05:48
kcreddy requested a review from efd6 on October 10, 2025 07:40
kcreddy changed the title from "{microsoft_defender_endpoint, m365_defender}.vulnerability: Update implementation" to "{microsoft_defender_endpoint, m365_defender}.vulnerability: New API implementation" on Oct 10, 2025
@elastic-vault-github-plugin-prod (bot) commented Oct 10, 2025 (edited)

🚀 Benchmarks report

Package microsoft_defender_endpoint 👍(2) 💚(1) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%)          | Result
machine     | 3086.42      | 2392.34 | -694.08 (-22.49%) | 💔

To see the full report comment with: /test benchmark fullreport

@brijesh-elastic (Collaborator) commented:

Since there is a change in the transform schema, the fleet_transform_version and destination indices need to be updated.


@elasticmachine commented:

💚 Build Succeeded

cc @kcreddy

efd6 merged commit 7c2d2ef into elastic:main on Oct 12, 2025
7 checks passed
@elastic-vault-github-plugin-prod commented:

Package m365_defender - 5.0.0 containing this change is available at https://epr.elastic.co/package/m365_defender/5.0.0/

@elastic-vault-github-plugin-prod commented:

Package microsoft_defender_endpoint - 4.0.0 containing this change is available at https://epr.elastic.co/package/microsoft_defender_endpoint/4.0.0/

agithomas pushed a commit to agithomas/integrations that referenced this pull request on Oct 30, 2025: …plementation (elastic#15603)
tehbooom pushed a commit to tehbooom/integrations that referenced this pull request on Nov 19, 2025: …plementation (elastic#15603)

Reviewers

brijesh-elastic left review comments
efd6 approved these changes

Assignees

kcreddy

Labels

breaking change; dashboard (Relates to a Kibana dashboard bug, enhancement, or modification); documentation (Improvements or additions to documentation. Applied to PRs that modify *.md files); Integration:m365_defender (Microsoft Defender XDR); Integration:microsoft_defender_endpoint (Microsoft Defender for Endpoint); Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues:

{microsoft_defender_endpoint, m365_defender}: vulnerability data stream scaling problem

5 participants

@kcreddy @elasticmachine @brijesh-elastic @efd6 @andrewkroh
