
[Microsoft Defender XDR] Add support for cloud events#17612

Merged
moxarth-rathod merged 6 commits into elastic:main from moxarth-rathod:m365-defender-cloud-apps
Mar 6, 2026

Conversation

@moxarth-rathod
Contributor

Proposed commit message

m365_defender: add support for cloud events tables

This extends the integration to handle CloudAuditEvents, CloudProcessEvents,
and CloudStorageAggregatedEvents tables from the Microsoft 365 Defender Advanced Hunting API,
enabling comprehensive monitoring of cloud infrastructure activities,
process executions, and storage operations.

Test logs were generated based on documentation.

API documentation:
- CloudAuditEvents: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudauditevents-table
- CloudProcessEvents: https://docs.azure.cn/en-us/azure-monitor/reference/tables/cloudprocessevents
- CloudStorageAggregatedEvents: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudstorageaggregatedevents-table
- Advanced Hunting API: https://learn.microsoft.com/en-us/defender-endpoint/api/run-advanced-query-api

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/m365_defender directory.
  • Run the following command to run tests.

elastic-package test

Related issues

@moxarth-rathod moxarth-rathod self-assigned this Mar 2, 2026
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner March 2, 2026 05:29
@moxarth-rathod moxarth-rathod added enhancement New feature or request Integration:m365_defender Microsoft Defender XDR Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Mar 2, 2026
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions
Contributor

github-actions bot commented Mar 2, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Mar 2, 2026

🚀 Benchmarks report

Package m365_defender 👍(2) 💚(1) 💔(5)

Data stream     Previous EPS   New EPS   Diff (EPS, %)         Result
incident        1157.41        891.03    -266.38 (-23.02%)     💔
vulnerability   14705.88       6720.43   -7985.45 (-54.3%)     💔
alert           900.09         761.61    -138.48 (-15.39%)     💔
event           725.16         530.79    -194.37 (-26.8%)      💔
vulnerability   14705.88       8547.01   -6158.87 (-41.88%)    💔

To see the full report, comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Mar 2, 2026
@kcreddy kcreddy self-requested a review March 3, 2026 08:37
@moxarth-rathod moxarth-rathod requested a review from kcreddy March 5, 2026 09:24
moxarth-rathod and others added 2 commits March 5, 2026 17:17
…pipeline/pipeline_app_and_identity.yml

Co-authored-by: Krishna Chaitanya Reddy Burri <krish.reddy91@gmail.com>
@moxarth-rathod moxarth-rathod requested a review from kcreddy March 5, 2026 12:24
@elasticmachine

💚 Build Succeeded

cc @moxarth-rathod

@moxarth-rathod moxarth-rathod requested a review from kcreddy March 6, 2026 04:52
@moxarth-rathod moxarth-rathod merged commit d3301a3 into elastic:main Mar 6, 2026
14 checks passed
@elastic-vault-github-plugin-prod

Package m365_defender - 5.11.0 containing this change is available at https://epr.elastic.co/package/m365_defender/5.11.0/
