126 changes: 83 additions & 43 deletions packages/m365_defender/_dev/build/docs/README.md


13 changes: 13 additions & 0 deletions packages/m365_defender/_dev/deploy/docker/docker-compose.yml
Expand Up @@ -26,3 +26,16 @@ services:
- --exit-on-unmatched-rule
- --addr=:8080
- --config=/config.yml
m365-defender-vulnerability-cel:
image: docker.elastic.co/observability/stream:v0.15.0
ports:
- 8080
volumes:
- ./vulnerability-http-mock-config.yml:/config.yml
environment:
PORT: 8080
command:
- http-server
- --exit-on-unmatched-rule
- --addr=:8080
- --config=/config.yml


5 changes: 5 additions & 0 deletions packages/m365_defender/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "3.8.0"
changes:
- description: Add vulnerability data stream.
type: enhancement
link: https://github.com/elastic/integrations/pull/13595
- version: "3.7.0"
changes:
- description: Set `device.id` in all datasets and `application.name` in event dataset.
@@ -0,0 +1,5 @@
fields:
tags:
- preserve_duplicate_custom_fields
dynamic_fields:
"event.id": ".*"
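Review bot: The dynamic-field pattern on the last line, `"event.id": ".*"`, also matches an empty value, so this pipeline test would keep passing if the ingest pipeline ever stopped populating `event.id`; `"event.id": ".+"` keeps the value unpinned while still requiring it to be present and non-empty. The file header for this section is not shown on the page, so the config's path and which data stream it belongs to cannot be confirmed from here.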
@@ -0,0 +1,4 @@
{"affectedMachine":{"id":"86c0491db8ff7e8dcad520288b7759fa27793ce1-_-CVE-2024-11168-_-red_hat-_-python-unversioned-command_for_linux-_-0:3.9.18-3.el9_4.6-_-","cveId":"CVE-2024-11168","machineId":"86c0491db8ff7e8dcad520288b7759fa27793ce1","fixingKbId":null,"productName":"python-unversioned-command_for_linux","productVendor":"red_hat","productVersion":"0:3.9.18-3.el9_4.6","severity":"Medium","mergedIntoMachineId":null,"isPotentialDuplication":false,"isExcluded":false,"exclusionReason":null,"computerDnsName":"C-Lab-33","firstSeen":"2024-11-06T09:57:53.476232Z","lastSeen":"2025-05-12T04:13:23.7778534Z","osPlatform":"RedHatEnterpriseLinux","osVersion":null,"osProcessor":"x64","version":"9.4","lastIpAddress":"89.160.20.112","lastExternalIpAddress":"175.16.199.0","agentVersion":"30.124082.4.0","osBuild":null,"healthStatus":"Active","deviceValue":"Normal","rbacGroupId":0,"rbacGroupName":null,"riskScore":"High","exposureLevel":"High","isAadJoined":false,"aadDeviceId":null,"machineTags":["C-Lab-Linux"],"onboardingStatus":"Onboarded","osArchitecture":"64-bit","managedBy":"MicrosoftDefenderForEndpoint","managedByStatus":"Success","ipAddresses":[{"ipAddress":"89.160.20.112","macAddress":"00505681A42F","type":"Other","operationalStatus":"Up"},{"ipAddress":"67.43.156.0","macAddress":"000000000000","type":"Other","operationalStatus":"Up"}],"vmMetadata":null},"id":"CVE-2024-11168","name":"CVE-2024-11168","description":"Summary: Pythons CPython implementation contains a vulnerability (CVE-2024-11168) in the urllib.parse.urlsplit() and urlparse() functions, where bracketed hosts (`[]`) are improperly validated. This issue allows non-IPv6 or non-IPvFuture hosts, violating RFC 3986 standards. If a URL is processed by multiple parsers, this flaw could enable Server-Side Request Forgery (SSRF) attacks. Impact: Exploitation of this vulnerability could allow attackers to conduct SSRF attacks, potentially leading to unauthorized access to internal systems or sensitive data. 
AdditionalInformation: This vulnerability affects Python versions prior to 3.9.19-7. It is recommended to review the CVE page for further technical details and associated CVSS scores. Remediation: Upgrade to Python version 3.9.21 or later. [Generated by AI]","severity":"Medium","cvssV3":6.3,"cvssVector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X","exposedMachines":2,"publishedOn":"2023-04-25T16:00:00Z","updatedOn":"2025-04-11T22:15:28.96Z","firstDetected":"2025-05-02T05:36:57Z","patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":["Remote"],"exploitUris":[],"cveSupportability":"Supported","tags":[],"epss":0.00154}
{"affectedMachine":{"aadDeviceId":"79dc383d-1ba1-4ac9-9dca-792e881a5034","agentVersion":"10.8760.19045.5011","computerDnsName":"c-lab-14","cveId":"CVE-2025-24062","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"High","firstSeen":"2024-11-05T11:55:28.5899758Z","fixingKbId":"5055518","healthStatus":"Active","id":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a-_-CVE-2025-24062-_-microsoft-_-windows_10-_-10.0.19045.5011-_-5055518","ipAddresses":[{"ipAddress":"1.128.0.0","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"2a02:cf40::","macAddress":"00505683B889","operationalStatus":"Up","type":"Ethernet"},{"ipAddress":"81.2.69.192","macAddress":null,"operationalStatus":"Up","type":"SoftwareLoopback"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"89.160.20.112","lastIpAddress":"175.16.199.0","lastSeen":"2025-04-21T08:24:41.3833512Z","machineId":"fd43e5b3ba69b8ecffb165017d9c8687f24e246a","machineTags":[],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"windows_10","productVendor":"microsoft","productVersion":"10.0.19045.5011","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7.8,"cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: An improper input validation vulnerability exists in the Windows DWM Core Library, which could allow an authorized attacker to locally elevate their privileges. Impact: Successful exploitation of this vulnerability could result in unauthorized privilege escalation, potentially compromising system integrity. Remediation: Apply the latest patches and updates provided by the respective vendors. 
[Generated by AI]","epss":0.00073,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":7,"firstDetected":"2025-04-08T18:00:48Z","id":"CVE-2025-24062","name":"CVE-2025-24062","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2025-04-08T07:00:00Z","severity":"High","tags":["test"],"updatedOn":"2025-04-09T20:03:01.577Z"}
{"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029}
{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. 
It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"}