Microsoft Defender 1.6.3
  • 06 Apr 2025
  • 3 Minutes to read
tags: python | Microsoft Defender ATP | Enrichment

Description

The Microsoft Defender ATP EDR integration supports CDC users by providing enrichment consisting of host, user, hash, IP and vulnerability details, which enables them to make informed decisions during incident response.

Microsoft Defender ATP is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.

We use customized adaptive cards to display host, user, hash, IP and vulnerability information in a meaningful, intuitive GUI, so that the data received from Microsoft Defender ATP is easy to understand.

CLI commands are provided to enrich basic host, user, hash, IP and vulnerability information available in Microsoft Defender ATP. For complex queries, the Investigation framework is used.

Integration Type: EPP / EDR
Information read: Host, User, File, IP, Vulnerability information
API Supported: API V1.0
Input: Device ID / Device Name / IP / CVE ID / Hash for enrichment.
Output: Detailed enrichment consisting of host / user / IP / hash / vulnerability information

Customer Configuration

No Customer Configuration


CDC Command Lines

* **block_indicator_cli**
Command line interface of CDC to block an indicator entity.

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| indicator_value | string | Identity of the indicator entity. | True |

* **get_file_information_cli**
Command line interface of CDC to retrieve a file by its SHA1 or SHA256 identifier. Note

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| file_hash | string | SHA1 or SHA256 hash of the file. | True |

* **get_indicator_details_cli**
Retrieves indicator details.

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| indicator_value | string | Identity of the indicator entity. | True |

* **get_ip_statistics_cli**
Command line interface of CDC for retrieving the statistics for the given IP. Please note

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| ip | string | IP address. | True |
| lookBackHours | integer | Look-back hours. The maximum value is 720 hours (30 days). | False |

* **get_machine_by_id_cli**
Command line interface of CDC for retrieving a specific machine by its machine ID.

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| machine_id | string | Machine ID. | True |

* **get_machine_by_ip_cli**
Command line interface of CDC for finding machines seen with the requested internal IP within 15 minutes before and after a given timestamp. Please note

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| ip | string | IP address to look up machine details. | True |
| timestamp | string | Timestamp around which machines are searched. | True |

* **get_user_related_machines_cli**
Command line interface of CDC for retrieving a collection of devices related to a given user ID. The input ID is not the full UPN, but only the user name.

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| user_id | string | User ID. The ID is not the full UPN, but only the user name. | True |

* **get_vulnerability_by_id_cli**
Command line interface of CDC for retrieving vulnerability information by its CVE ID.

| Option | Type | Description | Required |
|---|---|---|---|
| metadata | object | Command metadata | True |
| cve_id | string | CVE ID. | True |
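The command reference above places several constraints on the inputs an analyst or workflow hands to these commands: a file hash must be SHA1 or SHA256, `lookBackHours` may not exceed 720, `user_id` is a bare user name rather than a UPN, and `get_machine_by_ip_cli` searches a window of 15 minutes on either side of the timestamp. The following is an added example, not code from the integration or from CDC, that checks those constraints before a request is issued so that malformed enrichment calls fail locally with a clear message. The function names, the `check_options` dispatcher and the sample values (`10.0.0.1`, `jdoe@corp.example`, `CVE-0000-0000`) are constructed for illustration and are not part of the documented interface.

```python
"""Parameter checks for the Microsoft Defender ATP enrichment commands.

Added example: this is not the integration's own code. It encodes only the
constraints the command reference states (SHA1/SHA256 file hashes, lookBackHours
at most 720, a bare user name rather than a UPN, a CVE ID, and the 15-minute
window on either side of the timestamp used by get_machine_by_ip_cli).
"""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

MAX_LOOKBACK_HOURS = 720          # 30 days, the stated maximum for get_ip_statistics_cli
MACHINE_BY_IP_WINDOW = timedelta(minutes=15)

_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate_file_hash(file_hash: str) -> str:
    """Return 'sha1' or 'sha256' for a get_file_information_cli hash, else raise ValueError."""
    value = file_hash.strip()
    if _SHA1.match(value):
        return "sha1"
    if _SHA256.match(value):
        return "sha256"
    raise ValueError("file_hash must be a 40-hex SHA1 or a 64-hex SHA256 digest")


def validate_lookback_hours(hours) -> int:
    """lookBackHours for get_ip_statistics_cli must be an integer in 1..720."""
    if isinstance(hours, bool) or not isinstance(hours, int):
        raise ValueError("lookBackHours must be an integer")
    if not 1 <= hours <= MAX_LOOKBACK_HOURS:
        raise ValueError(f"lookBackHours must be between 1 and {MAX_LOOKBACK_HOURS}")
    return hours


def validate_ip(ip: str) -> str:
    """Accept a syntactically valid IPv4/IPv6 address and return its canonical text form."""
    try:
        return str(ip_address(ip.strip()))
    except ValueError:
        raise ValueError(f"ip is not a valid IP address: {ip!r}") from None


def normalize_user_id(user_id: str) -> str:
    """get_user_related_machines_cli takes the bare user name, not the full UPN.

    'jdoe@corp.example' and 'CORP\\jdoe' (constructed samples) both reduce to 'jdoe'.
    """
    value = user_id.strip()
    if "@" in value:
        value = value.split("@", 1)[0]
    if "\\" in value:
        value = value.rsplit("\\", 1)[1]
    if not value:
        raise ValueError("user_id must contain a user name")
    return value


def validate_cve_id(cve_id: str) -> str:
    """Normalise a CVE identifier to upper case and check its shape (CVE-YYYY-NNNN)."""
    value = cve_id.strip().upper()
    if not _CVE.match(value):
        raise ValueError("cve_id must have the form CVE-YYYY-NNNN")
    return value


def machine_by_ip_window(timestamp: str):
    """UTC (start, end) searched by get_machine_by_ip_cli: 15 minutes before and after the timestamp."""
    ts = datetime.fromisoformat(timestamp.strip().replace("Z", "+00:00"))
    if ts.tzinfo is None:                     # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    return ts - MACHINE_BY_IP_WINDOW, ts + MACHINE_BY_IP_WINDOW


# Which checker applies to which option of which command; the 'metadata' object is passed through.
_CHECKS = {
    "get_file_information_cli": {"file_hash": validate_file_hash},
    "get_ip_statistics_cli": {"ip": validate_ip, "lookBackHours": validate_lookback_hours},
    "get_machine_by_ip_cli": {"ip": validate_ip, "timestamp": machine_by_ip_window},
    "get_user_related_machines_cli": {"user_id": normalize_user_id},
    "get_vulnerability_by_id_cli": {"cve_id": validate_cve_id},
}
_REQUIRED = {
    "get_file_information_cli": {"file_hash"},
    "get_ip_statistics_cli": {"ip"},                 # lookBackHours is optional
    "get_machine_by_ip_cli": {"ip", "timestamp"},
    "get_user_related_machines_cli": {"user_id"},
    "get_vulnerability_by_id_cli": {"cve_id"},
}


def check_options(command: str, options: dict) -> list:
    """Return the problems with the options for `command`; an empty list means they are acceptable."""
    if command not in _CHECKS:
        return [f"unknown command {command!r}"]
    problems = [f"missing required option {name!r}"
                for name in sorted(_REQUIRED[command]) if name not in options]
    for name, check in _CHECKS[command].items():
        if name in options:
            try:
                check(options[name])
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    return problems
```

Running `check_options` in a workflow before the CLI call keeps a typo such as a 39-character hash or a look-back of 721 hours from being sent to Defender, and the normalised values (lower-cased hash, upper-cased CVE ID, bare user name) are what the enrichment result is then keyed on in the adaptive card.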

Workflows

* **automate_alert_closing**
Closes MS Defender alerts.

* **block_indicator**
Block an indicator.

* **inject_ms_defender_alert_to_cdc**
Inject an MS Defender ATP alert into CDC using the CDC async API.

* **post_block_indicator**
Post update-indicator in CDC by ID of incident/message/channel.

* **post_get_file_information**
Post get-file-information in CDC by ID of incident/message/channel.

* **post_get_indicator_details**
Post get-indicator-details in CDC by ID of incident/message/channel.

* **post_get_ip_statistics**
Post get-ip-statistics in CDC by ID of incident/message/channel.

* **post_get_machine_by_id**
Post get-machine-by-id in CDC by ID of incident/message/channel.

* **post_get_machine_by_ip**
Post get-machine-by-ip in CDC by ID of incident/message/channel.

* **post_get_user_related_machines**
Post get-user-related-machines in CDC by ID of incident/message/channel.

* **post_get_vulnerability_by_id**
Post get-vulnerability-by-id in CDC by ID of incident/message/channel.


Rules

* **close_cdc_alert_in_ms_defender**
Closes alerts in MS Defender.

* **cdc_new_alert_from_ms_defender**
Triggers the injection of a new alert into CDC when the alert is created in Microsoft Defender ATP.


Sensors

* **MsDefenderSensor**
Sensor to pull reported detections from Microsoft Defender ATP.

Poll interval - 30s


Triggers

No triggers


Known Issues

No issues

