Microsoft Defender 1.4.0
- 22 May 2022
- 3 Minutes to read
- DarkLight
- PDF
Microsoft Defender 1.4.0
- Updated on 22 May 2022
- 3 Minutes to read
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
tags: python | Microsoft Defender ATP | Enrichment
Description
Integration with Microsoft Defender ATP EDR is created to support CDC users by providing enrichment consisting of host, user, hash, IP, and vulnerability details. This enables CDC users to make informed decisions on incident response.
Microsoft Defender ATP is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.
We use customized adaptive cards to display host, user, hash, IP, and vulnerabilities-related information in a meaningful intuitive GUI, to facilitate easy understanding of data received from Microsoft Defender ATP.
We have provided CLI commands to enrich basic host information, user information, hash, IP, and vulnerabilities information available on Microsoft Defender ATP. For complex queries, an investigation framework will be used.
| Integration Type: | Enrichment |
| Information read: | Host, user, file, IP, vulnerability information |
| API Supported: | API V1.0 |
| Input: | Device ID/Device Name/IP/CVE ID/Hash for enrichment |
| Output: | Detailed enrichment consisting of host/user/IP/hash/vulnerability information |
| Classification: | Public |
CDC Command Lines
- block_indicator_cli
CLI of the CDC to block an indicator entitiy.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| indicator_value | string | Identity of the Indicator entity. | True |
- get_file_information_cli
Command line interface of the CDC to retrieve a file by identifier Sha1 or Sha256.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| file_hash | string | Sha1 or Sha256. | True |
- get_ip_statistics_cli
Command line interface of the CDC for retrieving the statistics for the given IP.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| ip | string | Ip Address. | True |
| lookBackHours | integer | Look Back hours. The maximum value for look back hours is 720 hours (30days). | False |
- get_machine_by_id_cli
Command line interface of the CDC for retrieving a specific machine by its machine ID.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| machine_id | string | Machine ID. | True |
- get_machine_by_ip_cli
The command line interface of the CDC for finding machines seen with the requested internal IP - in the time range of 15 minutes prior and after a given timestamp.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata. | True |
| ip | string | IP address to get machine details. | True |
| timestamp | string | Timestamp to get machines within the time range. | True |
- get_user_related_machines_cli
The command line interface of the CDC for retrieving a collection of devices related to a given user ID. The input 'ID' is not the full UPN, but only the user name.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| user_id | string | User ID. The ID is not the full UPN, but only the user name. | True |
- get_vulnerability_by_id_cli
The command line interface of the CDC for retrieving vulnerability information by its CVE ID.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| cve_id | string | CVE id. | True |
- get_indicator_details_cli
Retrieves indicator details.
| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | command metadata | True |
| indicator_value | string | The identity of the Indicator entity. | True |
Workflows
automate_alert_closing
Closing MS Defender alerts.block_indicator
Block an indicator.inject_ms_defender_alert_to_cdc
Inject an MS Defender ATP alert to the CDC, using the CDC Async API.post_block_indicator
Post update-indicator in the CDC, by the ID of the incident/message/channel.post_get_file_information
Post get-file-information in the CDC, by the ID of the incident/message/channel.post_get_ip_statistics
Post get-ip-statistics in the CDC, by the ID of the incident/message/channel.post_get_machine_by_id
Post get-machine-by-id in the CDC, by the ID of the incident/message/channel.post_get_machine_by_ip
Post get-machine-by-ip in the CDC, by the ID of the incident/message/channel.post_get_user_related_machines
Post get-user-related-machines in the CDC, by the ID of the incident/message/channel.post_get_vulnerability_by_id
Post get-vulnerability-by-id in the CDC, by the ID of the incident/message/channel.post_get_indicator_details
Post get-indicator-details in the CDC, by the ID of the incident/message/channel.
Rules
close_cdc_alert_in_ms_defender
Close alerts in MS Defender.cdc_new_alert_from_ms_defender
Triggers injections of a new alert to the CDC workflow when created in Microsoft ATP Defender.
Sensors
- MsDefenderSensor
Sensor to pull reported detections from Microsoft Defender ATP.
Poll interval - 30s
Triggers
No triggers
Known Issues
No known issues
Was this article helpful?