From bd44f14dda36afe5adbae8bbd17741559a8c384b Mon Sep 17 00:00:00 2001 From: DumbBoi Date: Tue, 4 Mar 2025 12:02:58 +0500 Subject: [PATCH] adding doc and changelog --- CHANGELOG.next.asciidoc | 1 + x-pack/filebeat/module/microsoft/_meta/docs.asciidoc | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 8234289871a3..bb99c0ad1dee 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -431,6 +431,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403] - Add metrics for number of events and pages published by HTTPJSON input. {issue}42340[42340] {pull}42442[42442] - Add `etw` input fallback to attach an already existing session. {pull}42847[42847] - Update CEL mito extensions to v1.17.0. {pull}42851[42851] +- Add Initial Interval for Microsoft Filesets (ATP, Defender) {pull}42309[42309] *Auditbeat* diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc index 49b4c9e4cb1d..66835ad5bc50 100644 --- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc @@ -77,6 +77,10 @@ A predefined URL towards the Oauth2 service for Microsoft. The URL should always A list of included scopes, should use .default unless different is specified. +*`var.initial_interval`*:: + +An initial interval can be defined. The first time the module starts, will fetch events from the current moment minus the initial interval value. Following restarts will fetch events starting from the last event read. It defaults to `55m`. + [float] ==== 365 Defender ECS fields 
@@ -153,6 +157,10 @@ The secret related to the client ID. A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. +*`var.initial_interval`*:: + +An initial interval can be defined. The first time the module starts, will fetch events from the current moment minus the initial interval value. Following restarts will fetch events starting from the last event read. It defaults to `5m`. + [float] ==== Defender ATP ECS fields
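Review bot: In the CHANGELOG.next.asciidoc hunk, the added entry does not name the option it introduces and drops the full stop that the neighbouring entries place before `{pull}`. Suggest wording it after the documented setting and the fileset names used in the docs headings, for example "- Add `var.initial_interval` option to the Microsoft module filesets (365 Defender, Defender ATP). {pull}42309[42309]", so that a user searching the changelog for the variable name finds it.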
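Review bot: In the first docs.asciidoc hunk (@@ -77,6 +77,10 @@), the sentence "The first time the module starts, will fetch events from the current moment minus the initial interval value" has no subject, and the paragraph never says what format the value takes. Suggest "The first time the module starts, it fetches events from the current time minus the initial interval" and state the accepted duration syntax next to the `55m` default. It would also help to say explicitly that events older than this window at first start are not collected, since that decides how much alert history an operator gets on initial deployment.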
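Review bot: In the second docs.asciidoc hunk (@@ -153,6 +157,10 @@), the default is documented as `5m`, while the otherwise identical paragraph added at @@ -77,6 +77,10 @@ says `55m`. Please confirm each value against the corresponding fileset's configuration and, if the difference is intended, say so in the text so it does not read as a typo. The duplicated sentence "The first time the module starts, will fetch events" needs a subject here as well ("it fetches").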