Skip to content

microsoft_defender_endpoint: add support for oauth endpoint params #15667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 22, 2025
Merged

microsoft_defender_endpoint: add support for oauth endpoint params #15667

merged 4 commits into from
Oct 22, 2025

Conversation

@chemamartinez
Copy link
Contributor

Proposed commit message

Add support for the oauth_endpoint_params configuration parameter for all available data streams.

Log data stream still works under httpjson so the option has been added under data stream level along with all the OAuth2 options for this data stream.

For the another data streams, as they work under the CEL input, it has been added at input level so adding any value to this option will affect all data streams that rely on CEL (machine, machine_action, and vulnerability).

Finally, the auth logic for the vulnerability data stream is implemented in the CEL program instead of delegate in the CEL auth options for the input. Therefore, the oauth endpoint params in this case are added manually in the program as well.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

Screenshots

image
@chemamartinez chemamartinez self-assigned this Oct 16, 2025
@chemamartinez chemamartinez added enhancement New feature or request Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Oct 16, 2025
@chemamartinez chemamartinez marked this pull request as ready for review October 16, 2025 11:12
@chemamartinez chemamartinez requested a review from a team as a code owner October 16, 2025 11:12
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Oct 16, 2025
edited
Loading

🚀 Benchmarks report

Package microsoft_defender_endpoint 👍(3) 💚(0) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
log 3012.05 2525.25 -486.8 (-16.16%) 💔

To see the full report comment with /test benchmark fullreport
@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Oct 16, 2025
efd6
efd6 reviewed Oct 20, 2025
View reviewed changes
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @chemamartinez
@chemamartinez chemamartinez merged commit f75ddbe into elastic:main Oct 22, 2025
7 checks passed
@chemamartinez chemamartinez deleted the 15605-mdefender-endpoint-oauth-endpoint-params branch October 22, 2025 09:23
@elastic-vault-github-plugin-prod
Copy link

Package microsoft_defender_endpoint - 4.1.0 containing this change is available at https://epr.elastic.co/package/microsoft_defender_endpoint/4.1.0/
alexreal1314 pushed a commit to alexreal1314/integrations that referenced this pull request Oct 22, 2025
@chemamartinez @alexreal1314
microsoft_defender_endpoint: add support for oauth endpoint params (e…
5fa070b 
…lastic#15667) Add support for the oauth_endpoint_params configuration parameter for all available data streams. Log data stream still works under httpjson so the option has been added under data stream level along with all the OAuth2 options for this data stream. For the another data streams, as they work under the CEL input, it has been added at input level so adding any value to this option will affect all data streams that rely on CEL (machine, machine_action, and vulnerability). Finally, the auth logic for the vulnerability data stream is implemented in the CEL program instead of delegate in the CEL auth options for the input. Therefore, the oauth endpoint params in this case are added manually in the program as well.
kcreddy added a commit that referenced this pull request Oct 30, 2025
@kcreddy
{m365_defender,microsoft_defender_endpoint}.vulnerability: Handle emp…
77f1765 
…ty response and 403 (#15749) {m365_defender,microsoft_defender_endpoint}.vulnerability: Handle empty response and 403 due to expired URLs. We see cases where the API sends 200 with empty ("") response when fetching vulnerabilities using SAS URLs. Since this errored-URL is not removed from CEL work_list, it leads to following errors every interval: """ failed evaluation: failed eval: ERROR: <input>:2:43: file: EOF | state.?work_list.orValue([]).size() > 0 ? | ..........................................^ """ After a while when the signatures expire (controlled with `sas_valid_hours`), following error is noticed: """ <?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:xxxxxx-xxxx-x-xxx-- Time:2025-10-20T02:07:09.6560520Z</Message><AuthenticationErrorDetail>Signature not valid in the specified key time frame: Key start [Mon, 20 Oct 2025 01:05:29 GMT] - Key expiry [Mon, 20 Oct 2025 02:05:29 GMT] - Current [Mon, 20 Oct 2025 02:07:09 GMT]</AuthenticationErrorDetail></Error> """ Handle both these cases in {m365_defender,microsoft_defender_endpoint}.vulnerability data stream by adding specific error.message asking users to increase "SAS Valid Hours" config option. Add troubleshooting section inside the documentation indicating the same. Also, bring the m365_defender.vulnerability in parity with microsoft_defender_endpoint.vulnerability data stream adding oauth endpoint options from #15667.
agithomas pushed a commit to agithomas/integrations that referenced this pull request Oct 30, 2025
@chemamartinez @agithomas
microsoft_defender_endpoint: add support for oauth endpoint params (e…
daf90f2 
…lastic#15667) Add support for the oauth_endpoint_params configuration parameter for all available data streams. Log data stream still works under httpjson so the option has been added under data stream level along with all the OAuth2 options for this data stream. For the another data streams, as they work under the CEL input, it has been added at input level so adding any value to this option will affect all data streams that rely on CEL (machine, machine_action, and vulnerability). Finally, the auth logic for the vulnerability data stream is implemented in the CEL program instead of delegate in the CEL auth options for the input. Therefore, the oauth endpoint params in this case are added manually in the program as well.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:microsoft_defender_endpoint Microsoft Defender for Endpoint Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

4 participants

@chemamartinez @elasticmachine @efd6 @andrewkroh