elastic
diff --git a/‎filebeat/docs/images/filebeat-defender-atp-overview.png‎
166 KB b/‎filebeat/docs/images/filebeat-defender-atp-overview.png‎
166 KB
diff --git a/‎filebeat/docs/modules/microsoft.asciidoc‎
Lines changed: 38 additions & 16 deletions b/‎filebeat/docs/modules/microsoft.asciidoc‎
Lines changed: 38 additions & 16 deletions
diff --git a/‎x-pack/filebeat/module/microsoft/_meta/docs.asciidoc‎
Lines changed: 38 additions & 16 deletions b/‎x-pack/filebeat/module/microsoft/_meta/docs.asciidoc‎
Lines changed: 38 additions & 16 deletions
@@ -6,6 +6,7 @@ This file is generated! See scripts/docs_collector.py
 [role="xpack"]
 
 :modulename: microsoft
+:has-dashboards: true
 
 == Microsoft module
 
@@ -14,19 +15,21 @@ This is a module for ingesting data from the different Microsoft Products. Curre
 - `defender_atp` fileset: Supports Microsoft Defender ATP
 - `dhcp` fileset: Supports Microsoft DHCP logs
 
-include::../include/gs-link.asciidoc[]
-
-[float]
-=== Compatibility
+include::../include/what-happens.asciidoc[]
 
-Currently this module supports Microsoft Defender ATP.
+include::../include/gs-link.asciidoc[]
 
 include::../include/configuring-intro.asciidoc[]
 
 :fileset_ex: defender_atp
 
 include::../include/config-option-intro.asciidoc[]
 
+[float]
+==== `defender_atp` fileset settings
+
+beta[]
+
 To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.
 
 The procedure to create an application is found on the below link:
@@ -39,12 +42,11 @@ After the application has been created, it should contain 3 values that you need
 
 These values are:
 
-Client ID
-Client Secret
-Tenant ID
+- Client ID
+- Client Secret
+- Tenant ID
 
-[float]
-==== `defender_atp` fileset settings
+Example config:
 
 [source,yaml]
 ----
@@ -56,8 +58,6 @@ Tenant ID
     var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
 ----
 
-include::../include/var-paths.asciidoc[]
-
 *`var.oauth2.client.id`*::
 
 This is the client ID related to creating a new application on Azure.
@@ -76,7 +76,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always
 This is a list of Defender ATP fields that are mapped to ECS.
 
 [options="header"]
-|======================================================================|
+|======================================================================
 | Defender ATP Fields                 | ECS Fields                     |
 | alertCreationTime                   | @timestamp                     |
 | aadTenantId                         | cloud.account.id               |
@@ -102,11 +102,31 @@ This is a list of Defender ATP fields that are mapped to ECS.
 | relatedUser.domainName              | host.user.domain               |
 | title                               | message                        |
 | severity                            | event.severity                 |
-|======================================================================|
+|======================================================================
 
-== Microsoft module
+:has-dashboards!:
 
-experimental[]
+[float]
+=== Dashboards
+
+This module comes with a sample dashboard for Defender ATP.
+
+[role="screenshot"]
+image::./images/filebeat-defender-atp-overview.png[]
+
+The best way to view Defender ATP events and alert data is in the SIEM. 
+
+[role="screenshot"]
+image::./images/siem-alerts-cs.jpg[]
+
+[float]
+For alerts, go to Detections -> External alerts.
+
+[role="screenshot"]
+image::./images/siem-events-cs.jpg[]
+
+[float]
+And for all other Defender ATP event types, go to Host -> Events.
 
 :fileset_ex: dhcp
 
@@ -117,6 +137,8 @@ experimental[]
 
 NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.
 
+include::../include/var-paths.asciidoc[]
+
 *`var.input`*::
 
 The input from which messages are read. One of `file`, `tcp` or `udp`.
 
@@ -1,6 +1,7 @@
 [role="xpack"]
 
 :modulename: microsoft
+:has-dashboards: true
 
 == Microsoft module
 
@@ -9,19 +10,21 @@ This is a module for ingesting data from the different Microsoft Products. Curre
 - `defender_atp` fileset: Supports Microsoft Defender ATP
 - `dhcp` fileset: Supports Microsoft DHCP logs
 
-include::../include/gs-link.asciidoc[]
-
-[float]
-=== Compatibility
+include::../include/what-happens.asciidoc[]
 
-Currently this module supports Microsoft Defender ATP.
+include::../include/gs-link.asciidoc[]
 
 include::../include/configuring-intro.asciidoc[]
 
 :fileset_ex: defender_atp
 
 include::../include/config-option-intro.asciidoc[]
 
+[float]
+==== `defender_atp` fileset settings
+
+beta[]
+
 To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain.
 
 The procedure to create an application is found on the below link:
@@ -34,12 +37,11 @@ After the application has been created, it should contain 3 values that you need
 
 These values are:
 
-Client ID
-Client Secret
-Tenant ID
+- Client ID
+- Client Secret
+- Tenant ID
 
-[float]
-==== `defender_atp` fileset settings
+Example config:
 
 [source,yaml]
 ----
@@ -51,8 +53,6 @@ Tenant ID
     var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token"
 ----
 
-include::../include/var-paths.asciidoc[]
-
 *`var.oauth2.client.id`*::
 
 This is the client ID related to creating a new application on Azure.
@@ -71,7 +71,7 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always
 This is a list of Defender ATP fields that are mapped to ECS.
 
 [options="header"]
-|======================================================================|
+|======================================================================
 | Defender ATP Fields                 | ECS Fields                     |
 | alertCreationTime                   | @timestamp                     |
 | aadTenantId                         | cloud.account.id               |
@@ -97,11 +97,31 @@ This is a list of Defender ATP fields that are mapped to ECS.
 | relatedUser.domainName              | host.user.domain               |
 | title                               | message                        |
 | severity                            | event.severity                 |
-|======================================================================|
+|======================================================================
 
-== Microsoft module
+:has-dashboards!:
 
-experimental[]
+[float]
+=== Dashboards
+
+This module comes with a sample dashboard for Defender ATP.
+
+[role="screenshot"]
+image::./images/filebeat-defender-atp-overview.png[]
+
+The best way to view Defender ATP events and alert data is in the SIEM. 
+
+[role="screenshot"]
+image::./images/siem-alerts-cs.jpg[]
+
+[float]
+For alerts, go to Detections -> External alerts.
+
+[role="screenshot"]
+image::./images/siem-events-cs.jpg[]
+
+[float]
+And for all other Defender ATP event types, go to Host -> Events.
 
 :fileset_ex: dhcp
 
@@ -112,6 +132,8 @@ experimental[]
 
 NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99.
 
+include::../include/var-paths.asciidoc[]
+
 *`var.input`*::
 
 The input from which messages are read. One of `file`, `tcp` or `udp`.