Update Microsoft Defender Readme

packages/microsoft_defender_endpoint/_dev/build/docs/README.md

@@ -1,10 +1,12 @@
 # Microsoft Defender for Endpoint integration
 
-This integration is for Microsoft Defender for Endpoint logs.
+This integration is for [Microsoft Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) logs.
+
+## Setting up
 
 To allow the integration to ingest data from the Microsoft Defender API, you need to create a new application on your Azure domain. The procedure to create an application is found on the [Create a new Azure Application](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) documentation page.
 
-When giving the application the API permissions described in the documentation (`Windows Defender ATP Alert.Read.All`) it will only grant access to read alerts from ATP and nothing else in the Azure Domain.
+> Note: When giving the application the API permissions described in the documentation (`Windows Defender ATP Alert.Read.All`), it will only grant access to read alerts from ATP and nothing else in the Azure Domain
 
 After the application has been created, it should contain 3 values that you need to apply to the module configuration.
 
@@ -16,30 +18,30 @@ These values are:
 
 ## ECS mappings
 
-| Defender for Endpoint fields        | ECS Fields                     |
-|-------------------------------------|--------------------------------|
-| alertCreationTime                   | @timestamp                     |
-| aadTenantId                         | cloud.account.id               |
-| category                            | threat.technique.name          |
-| computerDnsName                     | host.hostname                  |
-| description                         | rule.description               |
-| detectionSource                     | observer.name                  |
-| evidence.fileName                   | file.name                      |
-| evidence.filePath                   | file.path                      |
-| evidence.processId                  | process.pid                    |
-| evidence.processCommandLine         | process.command_line           |
-| evidence.processCreationTime        | process.start                  |
-| evidence.parentProcessId            | process.parent.pid             |
-| evidence.parentProcessCreationTime  | process.parent.start           |
-| evidence.sha1                       | file.hash.sha1                 |
-| evidence.sha256                     | file.hash.sha256               |
-| evidence.url                        | url.full                       |
-| firstEventTime                      | event.start                    |
-| id                                  | event.id                       |
-| lastEventTime                       | event.end                      |
-| machineId                           | cloud.instance.id              |
-| title                               | message                        |
-| severity                            | event.severity                 |
+| Defender for Endpoint fields       | ECS Fields            |
+| ---------------------------------- | --------------------- |
+| alertCreationTime                  | @timestamp            |
+| aadTenantId                        | cloud.account.id      |
+| category                           | threat.technique.name |
+| computerDnsName                    | host.hostname         |
+| description                        | rule.description      |
+| detectionSource                    | observer.name         |
+| evidence.fileName                  | file.name             |
+| evidence.filePath                  | file.path             |
+| evidence.processId                 | process.pid           |
+| evidence.processCommandLine        | process.command_line  |
+| evidence.processCreationTime       | process.start         |
+| evidence.parentProcessId           | process.parent.pid    |
+| evidence.parentProcessCreationTime | process.parent.start  |
+| evidence.sha1                      | file.hash.sha1        |
+| evidence.sha256                    | file.hash.sha256      |
+| evidence.url                       | url.full              |
+| firstEventTime                     | event.start           |
+| id                                 | event.id              |
+| lastEventTime                      | event.end             |
+| machineId                          | cloud.instance.id     |
+| title                              | message               |
+| severity                           | event.severity        |
 
 {{event "log"}}
 

packages/microsoft_defender_endpoint/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.2.1"
+  changes:
+    - description: Update to Readme to include link to vendor documentation
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3272
 - version: "2.2.0"
   changes:
     - description: Update to ECS 8.2

packages/microsoft_defender_endpoint/docs/README.md

@@ -1,10 +1,12 @@
 # Microsoft Defender for Endpoint integration
 
-This integration is for Microsoft Defender for Endpoint logs.
+This integration is for [Microsoft Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) logs.
+
+## Setting up
 
 To allow the integration to ingest data from the Microsoft Defender API, you need to create a new application on your Azure domain. The procedure to create an application is found on the [Create a new Azure Application](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) documentation page.
 
-When giving the application the API permissions described in the documentation (`Windows Defender ATP Alert.Read.All`) it will only grant access to read alerts from ATP and nothing else in the Azure Domain.
+> Note: When giving the application the API permissions described in the documentation (`Windows Defender ATP Alert.Read.All`), it will only grant access to read alerts from ATP and nothing else in the Azure Domain
 
 After the application has been created, it should contain 3 values that you need to apply to the module configuration.
 
@@ -16,30 +18,30 @@ These values are:
 
 ## ECS mappings
 
-| Defender for Endpoint fields        | ECS Fields                     |
-|-------------------------------------|--------------------------------|
-| alertCreationTime                   | @timestamp                     |
-| aadTenantId                         | cloud.account.id               |
-| category                            | threat.technique.name          |
-| computerDnsName                     | host.hostname                  |
-| description                         | rule.description               |
-| detectionSource                     | observer.name                  |
-| evidence.fileName                   | file.name                      |
-| evidence.filePath                   | file.path                      |
-| evidence.processId                  | process.pid                    |
-| evidence.processCommandLine         | process.command_line           |
-| evidence.processCreationTime        | process.start                  |
-| evidence.parentProcessId            | process.parent.pid             |
-| evidence.parentProcessCreationTime  | process.parent.start           |
-| evidence.sha1                       | file.hash.sha1                 |
-| evidence.sha256                     | file.hash.sha256               |
-| evidence.url                        | url.full                       |
-| firstEventTime                      | event.start                    |
-| id                                  | event.id                       |
-| lastEventTime                       | event.end                      |
-| machineId                           | cloud.instance.id              |
-| title                               | message                        |
-| severity                            | event.severity                 |
+| Defender for Endpoint fields       | ECS Fields            |
+| ---------------------------------- | --------------------- |
+| alertCreationTime                  | @timestamp            |
+| aadTenantId                        | cloud.account.id      |
+| category                           | threat.technique.name |
+| computerDnsName                    | host.hostname         |
+| description                        | rule.description      |
+| detectionSource                    | observer.name         |
+| evidence.fileName                  | file.name             |
+| evidence.filePath                  | file.path             |
+| evidence.processId                 | process.pid           |
+| evidence.processCommandLine        | process.command_line  |
+| evidence.processCreationTime       | process.start         |
+| evidence.parentProcessId           | process.parent.pid    |
+| evidence.parentProcessCreationTime | process.parent.start  |
+| evidence.sha1                      | file.hash.sha1        |
+| evidence.sha256                    | file.hash.sha256      |
+| evidence.url                       | url.full              |
+| firstEventTime                     | event.start           |
+| id                                 | event.id              |
+| lastEventTime                      | event.end             |
+| machineId                          | cloud.instance.id     |
+| title                              | message               |
+| severity                           | event.severity        |
 
 An example event for `log` looks as following:
 

packages/microsoft_defender_endpoint/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: microsoft_defender_endpoint
 title: Microsoft Defender for Endpoint
-version: 2.2.0
+version: 2.2.1
 description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent.
 categories:
   - "network"