Microsoft Defender 1.4.2

Microsoft Defender - 1.4.2

tags: python | Microsoft Defender ATP | Enrichment

Table of Contents

• Description
• CDC Command Lines
• Workflows
• Rules
• Sensors
• Triggers
• Known Issues

Description

Integration with Microsoft Defender ATP EDR is created to support CDC users by providing the enrichment consisting of details of host, user, hash, IP, Vulnerability; which enable CDC users to take an informed decision in incident response.

Microsoft Defender ATP is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.

We use customized adaptive cards to display host, user, hash, IP, vulnerabilities related information in meaningful intuitive GUI, to facilitate easy understanding of data received from Microsoft Defender ATP.

We have provided CLI commands to enrich basic host information, user information, hash, IP, Vulnerabilities information available on Microsoft Defender ATP. For complex queries - Investigation framework will be used.

CDC Command Lines

• block_indicator_cli
  CLI of the CDC to block an indicator entitiy.

• get_file_information_cli
  Command line interface of CDC to Retrieve a File by identifier Sha1, or Sha256. Note

• get_ip_statistics_cli
  Command line interface of CDC for Retrieving the statistics for the given IP. Please Note

• get_machine_by_id_cli
  Command line interface of CDC for retrieving specific Machine by its machine ID.

• get_machine_by_ip_cli
  Command line interface of CDC for finding Machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp. Please note

• get_user_related_machines_cli
  Command line interface of CDC for retrieving a collection of devices related to a given user ID. The input 'ID' is not the full UPN, but only the user name.

• get_vulnerability_by_id_cli
  Command line interface of CDC for retrieving vulnerability information by its CVE ID.

• get_indicator_details_cli
  Retrieves indicator details.

Workflows

• automate_alert_closing
  closing MS Defender alerts

• block_indicator
  Block an indicator.

• inject_ms_defender_alert_to_cdc
  Inject MS Defender ATP alert to cdc using cdc async api.

• post_block_indicator
  Post update-indicator in CDC by ID of incident/message/chanel.

• post_get_file_information
  Post get-file-information in CDC by ID of incident/message/chanel.

• post_get_ip_statistics
  Post get-ip-statistics in CDC by ID of incident/message/chanel.

• post_get_machine_by_id
  Post get-machine-by-id in CDC by ID of incident/message/chanel.

• post_get_machine_by_ip
  Post get-machine-by-ip in CDC by ID of incident/message/chanel.

• post_get_user_related_machines
  Post get-user-related-machines in CDC by ID of incident/message/chanel.

• post_get_vulnerability_by_id
  Post get-vulnerability-by-id in CDC by ID of incident/message/chanel.

• post_get_indicator_details
  Post get-indicator-details in CDC by ID of incident/message/chanel.

Rules

• close_cdc_alert_in_ms_defender
  Close Alerts in MS Defender

• cdc_new_alert_from_ms_defender
  Triggers injections of a new alert to CDC workflow when created in Microsoft ATP Defender.

Sensors

• MsDefenderSensor
  Sensor to pull reported detections from Microsoft Defender ATP.

Poll interval - 30s

Triggers

No triggers

Known Issues

No issues