{microsoft_defender_endpoint, m365_defender}: vulnerability data stream scaling problem

[kcreddy]

microsoft_defender_endpoint.vulnerability and m365_defender.vulnerability data streams consume huge memory while retrieving larger workloads.

The current approach retrieves all software vulnerabilities in user's environment by pulling data from 3 APIs before combining them, which isn't scalable.
APIs endpoints used inside the CEL program are:

• /api/vulnerabilities/machinesVulnerabilities: Data retrieved is proportional to number of machines and softwares installed on them.
• /api/machines: Data retrieved is proportional to number of machines.
• /api/vulnerabilities: Data retrieved contains all known vulnerabilities.

Even for medium workloads (few thousand machines and/or softwares installed), the CEL input can hang without indexing the data.
Instead of pulling data from 3 APIs and combining them inside CEL program, a single API: Export software vulnerabilities assessment (via files) can fetch all software vulnerabilities from user's machines, and is the preferred approach:

This API solution enables pulling larger amounts of data faster and more reliably. Via-files is recommended for large organizations, with more than 100-K devices.

Moving to this new API there will be some fields missed from previous approach (event combining 3 APIs). But these missing fields wouldn't break the Security Vulnerabilities workflow. See #15521 (comment) for details on missing fields.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[kcreddy]

In the existing implementation (3 APIs approach), we have following ECS fields being populated:

• related.hosts
• host.hostname
• host.name
• resource.name (extended)
• event.id
• related.ip
• host.ip
• host.geo
• host.id
• resource.id (extended)
• host.os.platform
• host.os.type
• host.architecture
• ackage.name
• package.version
• group.id
• group.name
• host.risk.calculated_level
• host.os.version
• host.os.name
• cloud.provider
• cloud.resource_id
• cloud.instance.id
• vulnerability.score.base
• vulnerability.classification
• vulnerability.scanner.vendor
• vulnerability.description
• message
• vulnerability.id
• vulnerability.reference
• vulnerability.enumeration
• vulnerability.title
• vulnerability.published_date
• vulnerability.severity

In the new approach (new API), we would be missing following fields:

• cloud.provider
• cloud.resource_id
• cloud.instance.id
• host.geo
• host.ip
• host.risk.calculated_level
• related.ip
• vulnerability.description
• vulnerability.published_date
• vulnerability.score.version

Also, these fields will be updated:

• message updated from vulnerability.description to CveBatchTitle

Sample logs are in this PR's pipeline tests: #15603

cc: @narph @jamiehynds @cpascale43

[nicpenning]

I think I was bit by this.

I have been trying to get this to work and I couldn't ever get a single document to ingest. It seems to timeout or take to long before I just shut the integration off and move on. How much is a big work load? Around 10K endpoints? I know my secrets/urls are valid since I can do this with PowerShell in less than a few seconds. Also, has this worked successfully with GCC environments? I know the URLs are different and I supplied them accordingly, but perhaps it would be wise to have examples of some other common URLs for easier onboarding.

Good to see this is going to get taken care of!

Lastly it would be really good to have a note about this issue for others that may experience the same thing :)