Skip to content

[m365_defender] Enhance ECS Mappings and Refactor the Dashboards#16676

Merged
mohitjha-elastic merged 6 commits intoelastic:mainfrom
mohitjha-elastic:m365_defender-extend-ecs
Jan 7, 2026
Merged

[m365_defender] Enhance ECS Mappings and Refactor the Dashboards#16676
mohitjha-elastic merged 6 commits intoelastic:mainfrom
mohitjha-elastic:m365_defender-extend-ecs

Conversation

@mohitjha-elastic
Copy link
Copy Markdown
Collaborator

@mohitjha-elastic mohitjha-elastic commented Dec 23, 2025
edited
Loading

Proposed commit message

m365_defender: Enhance ECS mappings and refactor Defender dashboards.

This change enhances ECS mappings across all datasets to improve field consistency and alignment. 
The dashboard navigation has been updated to support the links panel widget and reorganized by event 
types rather than ingestion method. Visualization titles were cleaned up by removing redundant 
“[Logs Microsoft Defender XDR]” text where possible, and dashboard names were updated for 
better clarity. The Alert dashboard was refactored to improve usability, including the addition of a 
saved search visualization. Unused screenshots were removed, and existing integration screenshots 
were updated to reflect the latest dashboard changes.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install the elastic package locally.
  • Start the elastic stack using the elastic package.
  • Move to integrations/packages/m365_defender directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issues

Screenshots

Aleeettss Logs-Microsoft-Defender-XDR-App-Identity-Elastic-12-23-2025_01_10_PM Logs-Microsoft-Defender-XDR-Device-Elastic-12-23-2025_01_10_PM Logs-Microsoft-Defender-XDR-Vulnerability-Elastic-12-23-2025_01_09_PM Logs-Microsoft-Defender-XDR-Incident-Elastic-12-23-2025_01_09_PM Logs-Microsoft-Defender-XDR-Email-Elastic-12-23-2025_01_09_PM Logs-Microsoft-Defender-XDR-Alert-Elastic-12-23-2025_01_08_PM

@mohitjha-elastic mohitjha-elastic self-assigned this Dec 23, 2025
@mohitjha-elastic mohitjha-elastic added enhancement New feature or request dashboard Relates to a Kibana dashboard bug, enhancement, or modification. Integration:m365_defender Microsoft Defender XDR Category: Integration quality Category: Quality used for SI planning Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Dec 23, 2025
@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented Dec 23, 2025
edited
Loading

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@mohitjha-elastic mohitjha-elastic marked this pull request as ready for review December 23, 2025 10:33
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner December 23, 2025 10:33
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Dec 23, 2025

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy kcreddy self-requested a review December 24, 2025 08:44
kcreddy
kcreddy reviewed Dec 26, 2025
View reviewed changes
Comment thread packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
Comment thread packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml Outdated
source: |
def processExecutable = new HashSet();
for (evidence in ctx.json.evidence) {
if (evidence?.image_file?.path != null && evidence?.image_file?.name != null) {
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (evidence?.image_file?.path != null && evidence?.image_file?.name != null) {
if (evidence?.image_file?.path != null && evidence.image_file.name != null) {

Comment thread packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml Outdated
Comment thread packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml Outdated
Comment thread packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml Outdated
ignore_missing: true
- script:
description: Set process.executable from evidence image_file path and name.
tag: script_set_process_executable_from_image_file
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's existing script processors for process and parent process: https://github.com/elastic/integrations/blob/main/packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml#L2449
Can you utilise them instead of a new one?

Copy link
Copy Markdown
Collaborator Author

@mohitjha-elastic mohitjha-elastic Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I felt there was limited reusable logic in that script, so I separated it to handle the process and parent process fields independently. While it could be merged into the existing script, doing so would make it longer and harder to understand. Keeping it separate improves readability and maintainability.

Copy link
Copy Markdown
Contributor

@kcreddy kcreddy Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add new script near this existing one? We can have most process fields logic in one place.

Comment thread packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml
Comment thread packages/m365_defender/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml Outdated
Comment thread packages/m365_defender/img/m365_defender-alert-api.png
@mohitjha-elastic
Resolve review comments.
3ebaa79 
1. Update alert dashboard.
2. Remove custom duplicate fields of threat family in alert dataset.
3. Optimize the script to set process fields.
kcreddy
kcreddy reviewed Jan 6, 2026
View reviewed changes
Comment thread packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml Outdated
ignore_missing: true
- script:
description: Set process.executable from evidence image_file path and name.
tag: script_set_process_executable_from_image_file
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add new script near this existing one? We can have most process fields logic in one place.

Comment thread packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
Comment on lines +2357 to +2369
for (evidence in ctx.json.evidence) {
if (evidence?.parent_process?.image_file?.path != null && evidence.parent_process.image_file.name != null) {
String path = evidence.parent_process.image_file.path;
String name = evidence.parent_process.image_file.name;
String separator = path.contains("\\") ? "\\" : "/";
if (!path.endsWith(separator)) {
path = path + separator;
}
processParentExecutable.add(path + name);
} else if (evidence?.parent_process?.image_file?.name != null) {
processParentExecutable.add(evidence.parent_process.image_file.name);
}
}
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This logic is same as above. Can we create a reusable function to improve maintainability?

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Jan 7, 2026

💚 Build Succeeded

History

cc @mohitjha-elastic

kcreddy
kcreddy approved these changes Jan 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@mohitjha-elastic mohitjha-elastic merged commit c44d59e into elastic:main Jan 7, 2026
8 checks passed
@mohitjha-elastic mohitjha-elastic deleted the m365_defender-extend-ecs branch January 7, 2026 09:14
@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod Bot commented Jan 7, 2026

Package m365_defender - 5.5.0 containing this change is available at https://epr.elastic.co/package/m365_defender/5.5.0/

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jan 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kcreddy kcreddy kcreddy approved these changes

Assignees

@mohitjha-elastic mohitjha-elastic

Labels

Category: Integration quality Category: Quality used for SI planning dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:m365_defender Microsoft Defender XDR Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

m365_defender: Dashboard improvements

4 participants

@mohitjha-elastic @elasticmachine @kcreddy @andrewkroh