Labels: Team:Experience (Issues owned by the Experience Docs Team)
Description
- Sub-issue of [Internal]: Analyzer support for 3rd party EDRs #2024, which tracked the work for CrowdStrike and SentinelOne. Per that issue, support for Microsoft Defender for Endpoint (MDE) is planned for the 9.2 release.
Technical details
From a Slack conversation with @tomsonpl: for events collected through the MDE integration, agent.type is filebeat and event.module is microsoft_defender_endpoint.
The KQL search filter for these events should be: agent.type: "filebeat" and event.module: "microsoft_defender_endpoint" and process.entity_id : *
Resources
https://github.com/elastic/security-team/issues/11591
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
9.2
Serverless release
TBD
Collaboration model
The documentation team
Point of contact
Main contact: @raqueltabuyo @dasansol92
Stakeholders: @cpascale43 @tomsonpl @caitlinbetz