Microsoft Defender 1.7.0
- Updated on 22 Dec 2022
tags: python | Microsoft Defender ATP | Enrichment
Description
The integration with the Microsoft Defender ATP EDR supports CDC users by providing enrichment consisting of host, user, hash, IP, and vulnerability details. This enables CDC users to make informed incident-response decisions.
Microsoft Defender ATP is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It collects and visualizes comprehensive information about endpoint events, giving security professionals unparalleled visibility into IT environments.
We use customized adaptive cards to display host-, user-, hash-, IP-, and vulnerability-related information in a meaningful, intuitive GUI, so that the data received from Microsoft Defender ATP is easy to understand.
We provide CLI commands to enrich basic host, user, hash, IP, and vulnerability information available in Microsoft Defender ATP. For complex queries, the Investigation framework is used.
Field | Value |
---|---|
Integration Type | EPP/EDR |
Information read | Host, User, File, IP, Vulnerability information |
API Supported | API V1.0 |
Input | Device ID, Device Name, IP, CVE ID, or Hash for enrichment |
Output | Detailed enrichment consisting of host, user, IP, hash, or vulnerability information |
Customer Configuration
No Customer Configuration
CDC Command Lines
* **block_indicator_cli**
The CLI of the CDC to block an indicator entity.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
indicator_value | string | Identity of the Indicator entity. | True |
* **get_file_information_cli**
The CLI of the CDC to retrieve a file by its SHA1 or SHA256 hash.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
file_hash | string | SHA1 or SHA256 hash of the file. | True |
* **get_indicator_details_cli**
Retrieves indicator details.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
indicator_value | string | Identity of the Indicator entity. | True |
* **get_ip_statistics_cli**
The CLI of the CDC for retrieving the statistics for a given IP.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
ip | string | IP Address. | True |
lookBackHours | integer | Look-back window in hours. The maximum value is 720 hours (30 days). | False |
* **get_machine_by_id_cli**
The CLI of the CDC for retrieving a specific machine by its machine ID.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
machine_id | string | Machine ID. | True |
* **get_machine_by_ip_cli**
The CLI of the CDC for finding machines seen with the requested internal IP within a time range of 15 minutes before and after a given timestamp.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
ip | string | IP address to get machine details. | True |
timestamp | string | Timestamp to get machines within a time range. | True |
* **get_user_related_machines_cli**
The CLI of the CDC for retrieving a collection of devices related to a given user ID. The input ID is not the full UPN but only the user name.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
user_id | string | User ID. The ID is not the full UPN, but only the user name. | True |
* **get_vulnerability_by_id_cli**
The CLI of the CDC for retrieving vulnerability information by CVE ID.
Option | Type | Description | Required |
---|---|---|---|
metadata | object | command metadata | True |
cve_id | string | CVE ID. | True |
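The commands above accept free-form indicator values (hashes, IPs, timestamps, user IDs, CVE IDs) that are forwarded to Microsoft Defender ATP. The following is an added example, not part of the integration's own code, of checking those inputs on the CDC side before dispatch using only the constraints stated in the tables: the SHA1/SHA256 shape of `file_hash`, the 720-hour cap on `lookBackHours`, the 15-minute window around the `timestamp` of `get_machine_by_ip_cli`, the user-name-only rule for `user_id`, and the CVE ID format. The function names, the regular expressions, the treatment of naive timestamps as UTC, and the sample values are this example's own assumptions.

```python
# Input checks for the Microsoft Defender ATP enrichment commands listed above.
# Added example, not the integration's own code: only constraints stated in the
# command tables are enforced; regexes, helper names and samples are assumptions.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK_HOURS = 720                    # documented cap: 720 h (30 days)
FIND_BY_IP_WINDOW = timedelta(minutes=15)   # documented +/- 15 min search window
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")     # assumed hex spelling of a SHA1
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")   # assumed hex spelling of a SHA256
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # assumed CVE ID shape

# Required options per command, taken from the tables above. "metadata" is
# required everywhere and is passed through without inspection.
REQUIRED = {
    "block_indicator_cli": ("indicator_value",),
    "get_file_information_cli": ("file_hash",),
    "get_indicator_details_cli": ("indicator_value",),
    "get_ip_statistics_cli": ("ip",),
    "get_machine_by_id_cli": ("machine_id",),
    "get_machine_by_ip_cli": ("ip", "timestamp"),
    "get_user_related_machines_cli": ("user_id",),
    "get_vulnerability_by_id_cli": ("cve_id",),
}


def hash_kind(file_hash: str) -> str:
    """Return 'sha1' or 'sha256' for a file_hash value, else raise ValueError."""
    value = file_hash.strip().lower()
    if SHA1_RE.match(value):
        return "sha1"
    if SHA256_RE.match(value):
        return "sha256"
    raise ValueError("file_hash must be a SHA1 (40 hex) or SHA256 (64 hex) digest")


def normalize_lookback_hours(look_back_hours):
    """Validate the optional lookBackHours; None means 'leave it to the service'."""
    if look_back_hours is None:
        return None
    hours = int(look_back_hours)
    if not 1 <= hours <= MAX_LOOKBACK_HOURS:
        raise ValueError(f"lookBackHours must be between 1 and {MAX_LOOKBACK_HOURS}")
    return hours


def validate_ip(ip: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 address (ValueError otherwise)."""
    return str(ipaddress.ip_address(ip.strip()))


def parse_timestamp(timestamp: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are assumed to be UTC."""
    ts = datetime.fromisoformat(timestamp.strip().replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def find_by_ip_window(timestamp: str):
    """Return the (start, end) UTC window that get_machine_by_ip_cli searches."""
    ts = parse_timestamp(timestamp)
    return ts - FIND_BY_IP_WINDOW, ts + FIND_BY_IP_WINDOW


def user_name_from_upn(user_id: str) -> str:
    """get_user_related_machines_cli wants the user name, not the full UPN."""
    return user_id.strip().split("@", 1)[0]


def validate_cve_id(cve_id: str) -> str:
    """Upper-case and shape-check a CVE ID."""
    value = cve_id.strip().upper()
    if not CVE_RE.match(value):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return value


def prepare_cli_options(command: str, options: dict) -> dict:
    """Check and normalise the options of one CDC command before dispatch."""
    if command not in REQUIRED:
        raise ValueError(f"unknown command {command!r}")
    missing = [k for k in ("metadata",) + REQUIRED[command] if k not in options]
    if missing:
        raise ValueError(f"{command}: missing required option(s) {missing}")
    opts = dict(options)
    if command == "get_file_information_cli":
        opts["file_hash"] = opts["file_hash"].strip().lower()
        hash_kind(opts["file_hash"])
    elif command == "get_ip_statistics_cli":
        opts["ip"] = validate_ip(opts["ip"])
        opts["lookBackHours"] = normalize_lookback_hours(opts.get("lookBackHours"))
    elif command == "get_machine_by_ip_cli":
        opts["ip"] = validate_ip(opts["ip"])
        opts["timestamp"] = parse_timestamp(opts["timestamp"]).isoformat()
    elif command == "get_user_related_machines_cli":
        opts["user_id"] = user_name_from_upn(opts["user_id"])
    elif command == "get_vulnerability_by_id_cli":
        opts["cve_id"] = validate_cve_id(opts["cve_id"])
    return opts


if __name__ == "__main__":
    # Constructed sample input, not data from the page.
    print(prepare_cli_options("get_ip_statistics_cli",
                              {"metadata": {}, "ip": " 10.0.0.5 ", "lookBackHours": "48"}))
```

Rejecting a malformed value before it reaches the EDR keeps a typo from silently returning an empty enrichment, and normalising the timestamp to UTC makes the 15-minute window unambiguous regardless of the analyst's local zone.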
Workflows
* **automate_alert_closing**
Closing MS Defender alerts.
* **block_indicator**
Block an indicator.
* **inject_ms_defender_alert_to_cdc**
Inject a Microsoft Defender ATP alert into the CDC using the CDC async API.
* **post_block_indicator**
Post update-indicator in the CDC, by the ID of the incident/message/channel.
* **post_get_file_information**
Post get-file-information in the CDC, by the ID of the incident/message/channel.
* **post_get_indicator_details**
Post get-indicator-details in the CDC, by the ID of the incident/message/channel.
* **post_get_ip_statistics**
Post get-ip-statistics in the CDC, by the ID of the incident/message/channel.
* **post_get_machine_by_id**
Post get-machine-by-id in the CDC, by the ID of the incident/message/channel.
* **post_get_machine_by_ip**
Post get-machine-by-ip in the CDC, by the ID of the incident/message/channel.
* **post_get_user_related_machines**
Post get-user-related-machines in the CDC, by the ID of the incident/message/channel.
* **post_get_vulnerability_by_id**
Post get-vulnerability-by-id in the CDC, by the ID of the incident/message/channel.
Rules
* **close_cdc_alert_in_ms_defender**
Close alerts in MS Defender.
* **cdc_new_alert_from_ms_defender**
Triggers injection of a new alert into the CDC workflow when it is created in Microsoft Defender ATP.
Sensors
* **MsDefenderSensor**
Sensor to pull reported detections from Microsoft Defender ATP.
Poll interval - 30s
Triggers
No triggers
Known Issues
No known issues