{m365_defender,microsoft_defender_endpoint}: Add mapping and transform for CDR workflows (#14809)

Add support for CDR Cloud Native Vulnerability Management (CNVM)[1] workflow by 
adding necessary mappings and latest transform.

Also fixes agent degradation from httpjson's empty cursor happening in 
log data stream using "ignore_empty_value". Similar to [2].

[1] https://www.elastic.co/guide/en/security/current/vuln-management-overview.html
[2] #14525

Author: kcreddy

packages/m365_defender/_dev/build/docs/README.md

@@ -73,12 +73,14 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 
 ## Setup
 
-### Follow the steps below to configure data collection from Microsoft sources:
+Follow the steps below to configure data collection from Microsoft sources.
 
 ### 1. Collecting Data from Microsoft Azure Event Hub
+
 - [Configure Microsoft Defender XDR to stream Advanced Hunting events to your Azure Event Hub](https://learn.microsoft.com/en-us/defender-xdr/streaming-api-event-hub?view=o365-worldwide).
 
 ### 2. Collecting Data from Microsoft Graph Security v1.0 REST API (for Incidents & Alerts)
+
 - [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0).
 - Assign the required permission: **SecurityIncident.Read.All**. See more details [here](https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0).
 - Once the application is registered, note the following values for use during configuration:
@@ -87,6 +89,7 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
   - Tenant ID
 
 ### 3. Collecting Data from Microsoft Defender for Endpoint API (for Vulnerabilities)
+
 - [Register a new Azure Application](https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0).
 - Assign the required permissions: 
   - **Vulnerability.Read.All** See more details [here](https://learn.microsoft.com/en-us/defender-endpoint/api/get-all-vulnerabilities#permissions).
@@ -96,10 +99,11 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
   - Client Secret
   - Tenant ID
 
-### Data Retention and ILM Configuration
-A full sync pulls in a large volume of data, which can lead to storage issues or index overflow over time. To avoid this, we’ve set up an Index Lifecycle Management (ILM) policy that automatically deletes data older than 7 days. This helps keep storage usage under control.
+#### Data Retention and ILM Configuration
+
+A full sync pulls in a large volume of data, which can lead to storage issues or index overflow over time. To avoid this, we have set up an Index Lifecycle Management (ILM) policy that automatically deletes data older than 7 days. This helps keep storage usage under control.
 
-> **Note:** The user or service account associated with the integration must have the following **index privileges** on the relevant index have the following permissions `delete`, `delete_index`
+> **Note:** The user or service account associated with the integration must have the following **index privileges** on the relevant index have the following permissions `delete`, `delete_index`.
 
 ## Alert severity mapping
 

packages/m365_defender/changelog.yml

@@ -1,4 +1,11 @@
 # newer versions go on top
+- version: "4.0.0"
+  changes:
+    - description: |
+       Add mapping changes and latest transform in `vulnerability` data stream for 
+       Cloud Detection and Response (CDR) vulnerability workflow.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/14809
 - version: "3.14.2"
   changes:
     - description: Fix handling of empty string IP values.

packages/m365_defender/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log

@@ -3,3 +3,4 @@
 {"affectedMachine":null,"id":"CVE-2025-47828","name":"CVE-2025-47828","description":"Summary: The Lumi H5P-Nodejs-library versions prior to 2025-04-05 are vulnerable to cross-site scripting (XSS) due to the omission of a sanitizeHtml call for plain text strings. This flaw allows remote attackers to execute arbitrary scripts in a victims browser by leveraging specially crafted URLs. Impact: Exploitation of this vulnerability could lead to unauthorized access to sensitive information, such as cookie-based authentication credentials, and compromise the security context of the hosting website. AdditionalInformation: Ensure awareness of the affected versions and the nature of the vulnerability for proper risk assessment. Remediation: Upgrade to @Lumieducation/H5p-Server @Lumieducation/H5p-Server version later than 2024-04-05. [Generated by AI]","severity":"Medium","cvssV3":6.4,"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C","exposedMachines":0,"publishedOn":"2025-05-11T00:00:00Z","updatedOn":"2025-05-12T20:50:07Z","firstDetected":null,"patchFirstAvailable":null,"publicExploit":false,"exploitVerified":false,"exploitInKit":false,"exploitTypes":[],"exploitUris":[],"cveSupportability":"NotSupported","tags":[],"epss":0.00029}
 {"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"}
 {"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":null},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"}
+{"affectedMachine":{"aadDeviceId":"d78dc223-8dc8-4210-9700-019b3b03505b","agentVersion":"10.8792.19045.5737","computerDnsName":"c-lab-08","cveId":"TVM-2020-0002","deviceValue":"Normal","exclusionReason":null,"exposureLevel":"Low","firstSeen":"2024-11-05T11:54:59.5717001Z","fixingKbId":null,"healthStatus":"Active","id":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d-_-TVM-2020-0002-_-vmware-_-tools-_-12.0.6.0-_-","ipAddresses":[{"ipAddress":"216.160.83.56","macAddress":"00505683B880","operationalStatus":"Up","type":"Ethernet"}],"isAadJoined":true,"isExcluded":false,"isPotentialDuplication":false,"lastExternalIpAddress":"67.43.156.0","lastIpAddress":"89.160.20.128","lastSeen":"2025-04-22T05:48:04.7550736Z","machineId":"0e23b8b23f6dc0e9d84846f877b45d19c04a522d","machineTags":["test tag 1"],"managedBy":"Intune","managedByStatus":"Unknown","mergedIntoMachineId":null,"onboardingStatus":"Onboarded","osArchitecture":"64-bit","osBuild":19045,"osPlatform":"Windows10","osProcessor":"x64","osVersion":null,"productName":"tools","productVendor":"vmware","productVersion":"12.0.6.0","rbacGroupId":0,"rbacGroupName":null,"riskScore":"None","severity":"High","version":"22H2","vmMetadata":{"cloudProvider":"Azure","resourceId":"/subscriptions/e1685f98-517c-4ffe-b7d5-d6cb9d563ec2/resourceGroups/R15_Sentinel/providers/Microsoft.HybridCompute/machines/C-Lab-10","subscriptionId":"e1685f98-517c-4ffe-b7d5-d6cb9d563ec2","vmId":"ecdc774f-45b4-4e33-97c8-f777e134131a"}},"cveSupportability":"Supported","cvssV3":7,"cvssVector":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","description":"Summary: VMware Tools and Open Virtual Machine Tools are vulnerable to a local privilege escalation vulnerability. An attacker with local non-administrative access to the Guest OS can exploit this vulnerability to escalate privileges as a root user in the virtual machine. Impact: If exploited, this vulnerability could allow a malicious actor to gain elevated privileges on the system, potentially leading to unauthorized access, data theft, or further compromise of the virtual machine. AdditionalInformation: TVM-2020-0002 is associated with this vulnerability. It is recommended to refer to the CVE page for more details, including the impact, CVSS score, and acknowledgments. Remediation: Apply the latest patches and updates provided by the respective vendors. [Generated by AI]","epss":0.00053,"exploitInKit":false,"exploitTypes":["PrivilegeEscalation"],"exploitUris":[],"exploitVerified":false,"exposedMachines":12,"firstDetected":"2025-01-01T08:22:58Z","id":"TVM-2020-0002","name":"TVM-2020-0002","patchFirstAvailable":null,"publicExploit":false,"publishedOn":"2022-08-23T00:00:00Z","severity":"High","tags":[],"updatedOn":"2024-12-10T00:00:00Z"}