beats/x-pack/filebeat/modules.d /microsoft.yml doesn't seem to work with GCC High / Gov Endpoints #42265

Open
mgovolt opened this issue Jan 8, 2025 · 2 comments
Labels
Team:Security-Service Integrations Security Service Integrations Team

Comments

@mgovolt

mgovolt commented Jan 8, 2025

Should the microsoft.yml module work with Azure Gov Cloud GCC High endpoints? I have it working with Commercial endpoints but when I try to connect to a GCC High environment, it fails with errors that imply it will not work.

These are the repeated messages related to this module. Notice they spit out .com endpoint information, but my config only references .us, so I'm wondering if Filebeat has some setting hardcoded to Commercial-only endpoints that I don't see.

INFO: "input_source":"https://api.securitycenter.windows.com/api/alerts","input_url":"https://api.securitycenter.windows.com/api/alerts",
ERROR: "log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson.run.func1","file.name":"httpjson/input.go","file.line":181},"message":"Error while processing http request: failed to collect first response: failed to execute http GET: server responded with status code 403: {\"error\":{\"code\":\"Unauthorized\",\"message\":\"Unauthorized request - No active license found\",\"target\":\"|72005c16-42d2962e60a4ab02.1.\"}}","service.name":"filebeat","id":"F1A4CDA01BB775AA","input_source":"https://api.securitycenter.windows.com/api/alerts","input_url":"https://api.securitycenter.windows.com/api/alerts",
ERROR: "log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson.run.func1","file.name":"httpjson/input.go","file.line":181},"message":"Error while processing http request: failed to collect first response: failed to execute http GET: server responded with status code 401: {\"error\":{\"code\":\"Unauthorized\",\"message\":\"Invalid Authorization payload. AppId: <redacted>, Audience: https://api-gov.securitycenter.microsoft.us/, Issuer: https://sts.windows.net/<redacted>/, Validity: valid from 2025-01-08T13:23:11.0000000Z to 2025-01-08T14:28:11.0000000Z\",\"target\":\"|475cd4e1-46e6dd32f118aeda.1.\"}}","service.name":"filebeat","id":" A270928E6A164FD","input_source":"https://api.security.microsoft.com/api/incidents","input_url":"https://api.security.microsoft.com/api/incidents"

GCC Endpoints for reference - https://learn.microsoft.com/en-us/defender-endpoint/gov#api

For confirmed bugs, please report:

Here is a config with the endpoints changed to GCC endpoints.

# Module: microsoft
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.15/filebeat-module-microsoft.html

- module: microsoft
  # ATP configuration
  defender_atp:
    enabled: true
    # How often the API should be polled
    #var.interval: 5m

    # Oauth Client ID
    var.oauth2.client.id: "f17d530f-2f48-4d5c-8eac-2ec60d0a2939"

    # Oauth Client Secret
    var.oauth2.client.secret: "redacted"

    # Oauth Token URL, should include the tenant ID
    var.oauth2.token_url: "https://login.microsoftonline.us/redacted/oauth2/token"
    var.api:
    #   # Settings for custom endpoints:
      authentication_endpoint: "https://login.microsoftonline.us/"
      resource: "https://manage.office365.us"

  m365_defender:
    enabled: true
    # How often the API should be polled
    #var.interval: 5m

    # Oauth Client ID
    var.oauth2.client.id: "redacted"

    # Oauth Client Secret
    var.oauth2.client.secret: "redacted"

    # Oauth Token URL, should include the tenant ID
    var.oauth2.token_url: "https://login.microsoftonline.us/redacted/oauth2/v2.0/token"

    # Related scopes, default should be included
    var.oauth2.scopes:
      - "https://api-gov.securitycenter.microsoft.us/.default"

    var.api:
    #   # Settings for custom endpoints:
      authentication_endpoint: "https://login.microsoftonline.us/"
      resource: "https://manage.office365.us"
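The 401 above is an audience mismatch: the token was issued for the GCC High audience (https://api-gov.securitycenter.microsoft.us/) but the input sent it to the commercial .com host. The following is an added example, not code from the beats project or from the issue author, that reproduces that check offline: it decodes the JWT payload (no signature verification, inspection only), compares the `aud` host with the host the request will go to, and suggests the GCC High host when the request still targets a commercial endpoint. The commercial-to-GCC High host table is an assumption transcribed from the Microsoft page linked in the issue and should be verified against it; the token and URLs are constructed to mirror the log lines.

```python
"""Audience-vs-endpoint check for the Filebeat microsoft module (added example)."""
import base64
import json
from urllib.parse import urlparse

# Commercial -> GCC High (.us) host pairs for the APIs the module polls.
# ASSUMPTION: taken from https://learn.microsoft.com/en-us/defender-endpoint/gov#api;
# verify against that page before relying on it.
GCC_HIGH_HOSTS = {
    "login.microsoftonline.com": "login.microsoftonline.us",
    "api.securitycenter.windows.com": "api-gov.securitycenter.microsoft.us",
    "api.securitycenter.microsoft.com": "api-gov.securitycenter.microsoft.us",
    "api.security.microsoft.com": "api-gov.security.microsoft.us",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    No signature check is done: the goal is to see which audience/issuer the
    token carries, not to trust it for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def to_gcc_high(url: str) -> str:
    """Rewrite a commercial-cloud URL to its GCC High equivalent, if known."""
    u = urlparse(url)
    host = GCC_HIGH_HOSTS.get(u.hostname)
    return u._replace(netloc=host).geturl() if host else url


def check_audience(token: str, request_url: str) -> dict:
    """Compare the host the token was issued for (aud) with the host the
    httpjson input will actually call, and explain a mismatch."""
    aud = jwt_claims(token).get("aud", "")
    aud_host = urlparse(aud).hostname or aud  # aud may be a bare app-id URI
    req_host = urlparse(request_url).hostname
    verdict = {"ok": aud_host == req_host, "aud_host": aud_host,
               "request_host": req_host, "hint": ""}
    if not verdict["ok"]:
        if req_host in GCC_HIGH_HOSTS:
            verdict["hint"] = (f"request targets commercial host {req_host}; "
                               f"GCC High equivalent is {GCC_HIGH_HOSTS[req_host]}")
        else:
            verdict["hint"] = (f"token audience {aud} is not the API being called; "
                               f"check var.oauth2.scopes / var.api.resource")
    return verdict


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned (alg=none) JWT for offline testing only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token mirroring the 401 in the issue: audience is the GCC High
# Defender API, while the input still calls the commercial .com host.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://api-gov.securitycenter.microsoft.us/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
})
COMMERCIAL_URL = "https://api.securitycenter.windows.com/api/alerts"

if __name__ == "__main__":
    print(check_audience(SAMPLE_TOKEN, COMMERCIAL_URL))
    print("use instead:", to_gcc_high(COMMERCIAL_URL))
```

Against a real deployment, replace `SAMPLE_TOKEN` with a token obtained from the `var.oauth2.token_url` in the config and `COMMERCIAL_URL` with the `input_url` Filebeat logs; if the verdict is a mismatch while the config already names .us hosts, the URL is coming from somewhere other than the config. The same check also flags a `var.api.resource` of `https://manage.office365.us`, since that audience belongs to the Office 365 Management API rather than the Defender API being polled.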
@mgovolt
Author

mgovolt commented Jan 8, 2025

Do I, as the issue submitter, set the Team label? If so, what are my choices? I don't know which teams would be the right ones.

@jamiehynds jamiehynds added the Team:Security-Service Integrations Security Service Integrations Team label Jan 10, 2025
@elasticmachine
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
