New Defender Plugin #55
Open
jame2O wants to merge 22 commits into main from work/jd/defender
22 commits (all by jame2O):

1ac93de feat: initial commit
44dab77 feat: basic test button
46cf8de feat: Alerts data stream
03c6f1c chore: add none timeframe to defender
9f5145f feat: graph plugin
5ac42fb chore: delete old plugin
6e0c295 chore: add manual config apply to hunting query
1063f37 chore: manual config apply for alerts and incidents
284da4c chore: rename Defender Device source type to device
6b97fb0 feat: update device status OOB dash
9b0ff1b chore: update metadata
ab26377 fix: update 'New' Status val
936311c chore: update alerts metadata
23c954a chore: update devices metadata
9da3a2b fix: hide undefined columns in meta devices
b86e2df chore: update timeframe options for incidents and alerts
e258150 fix: remove bad options
c3a730d chore: move timeframe fields to timeframe tab
655b37a chore: add recommendations metadata
c7cbf84 chore: add SSH metadata
92bcf5e Update plugins/MicrosoftDefender/v1/configValidation.json
cb761ec Update plugins/MicrosoftDefender/v1/configValidation.json
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| { | ||
| "steps": [ | ||
| { | ||
| "displayName": "API Access", | ||
| "dataStream": { | ||
| "name": "validation" | ||
| }, | ||
| "success": "Successfully connected to Endpoint", | ||
| "error": "Cannot access the Endpoint API - check your client ID, secret and permissions.", | ||
| "required": true | ||
| } | ||
| ] | ||
| } |
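Review bot: the step references a data stream by name (`"dataStream": { "name": "validation" }`), but none of the hunks shown in this PR define a stream called `validation`; the streams visible here are Vulnerabilities, advancedHuntingQuery and alerts. Confirm that a `validation` data stream exists elsewhere in the plugin, or add one, otherwise the required connection check will point at a missing stream. A small wording point on the error string: "check your client ID, secret and permissions" is good guidance, but make sure the diagnostic output that accompanies it never includes the secret value itself.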
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| [ | ||
| { | ||
| "name": "device", | ||
| "sourceType": "device", | ||
| "icon": "server", | ||
| "singular": "Device", | ||
| "plural": "Devices" | ||
| } | ||
| ] |
44 changes: 44 additions & 0 deletions
plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| { | ||
| "name": "Vulnerabilities", | ||
| "displayName": "Vulnerabilities", | ||
| "baseDataSourceName": "httpRequestScoped", | ||
| "config": { | ||
| "httpMethod": "post", | ||
| "errorHandling": { | ||
| "type": "default" | ||
| }, | ||
| "paging": { | ||
| "mode": "none" | ||
| }, | ||
| "expandInnerObjects": true, | ||
| "endpointPath": "runHuntingQuery", | ||
| "postBody": { | ||
| "Query": "DeviceTvmSoftwareVulnerabilities | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}})", | ||
| "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}" | ||
| }, | ||
| "pathToData": "results", | ||
| "getArgs": [], | ||
| "headers": [] | ||
| }, | ||
| "metadata": [ | ||
| { | ||
| "sourceId": "DeviceId", | ||
| "name": "DeviceName", | ||
| "shape": "string", | ||
| "role": "label", | ||
| "sourceType": "device" | ||
| }, | ||
| { | ||
| "pattern": ".*" | ||
| } | ||
| ], | ||
| "matches": { | ||
| "sourceType": { | ||
| "type": "equals", | ||
| "value": "device" | ||
| } | ||
| }, | ||
| "timeframes": false, | ||
| "providesPluginDiagnostics": true, | ||
| "tags": [] | ||
| } |
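Review bot: the `Timespan` template reads `timeframe.enum`, `timeframe.start` and `timeframe.end`, yet this stream sets `"timeframes": false`; if no timeframe object is supplied to a stream without timeframes, the expression dereferences an undefined value and the request will fail before it is sent. Either drop `Timespan` from the post body here or guard the expression so it is only evaluated when a timeframe is present. Two further checks on the `Query` line: the device IDs are pasted into the KQL string as quoted literals (`\"${o.deviceid}\"`) with no escaping, so a value containing a double quote or backslash would break or change the query; since the values come from Defender's own device objects the risk is low, but escaping them, or rejecting IDs that are not plain alphanumeric, would make the stream robust. Also, the template uses `o.deviceid` (lower case) while the metadata maps `"sourceId": "DeviceId"`; confirm that the scoped object exposes the field under the lower-case name.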
51 changes: 51 additions & 0 deletions
plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| { | ||
| "name": "advancedHuntingQuery", | ||
| "displayName": "Advanced Hunting Query", | ||
| "baseDataSourceName": "httpRequestUnscoped", | ||
| "config": { | ||
| "httpMethod": "post", | ||
| "errorHandling": { | ||
| "type": "default" | ||
| }, | ||
| "paging": { | ||
| "mode": "none" | ||
| }, | ||
| "expandInnerObjects": true, | ||
| "endpointPath": "runHuntingQuery", | ||
| "postBody": { | ||
| "Query": "{{query}}", | ||
| "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}" | ||
| }, | ||
| "pathToData": "results", | ||
| "getArgs": [], | ||
| "headers": [] | ||
| }, | ||
| "timeframes": [ | ||
| "last1hour", | ||
| "last12hours", | ||
| "last24hours", | ||
| "last7days", | ||
| "last30days", | ||
| "thisMonth", | ||
| "thisQuarter", | ||
| "thisYear", | ||
| "lastMonth", | ||
| "lastQuarter", | ||
| "lastYear" | ||
| ], | ||
| "supportsNoneTimeframe": true, | ||
| "providesPluginDiagnostics": true, | ||
| "manualConfigApply": true, | ||
| "tags": [], | ||
| "ui": [ | ||
| { | ||
| "name": "query", | ||
| "language": "kusto", | ||
| "label": "Query", | ||
| "type": "code", | ||
| "validation": { | ||
| "required": true | ||
| } | ||
| } | ||
| ] | ||
| } |
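Review bot: `"Query": "{{query}}"` inserts free-form user KQL into a JSON string value; if the template engine does plain substitution rather than JSON-escaping, any query containing double quotes, backslashes or newlines (all common in KQL, e.g. `where FileName == "x"`) will produce an invalid post body. Confirm the engine escapes the value for the JSON context, or document that it does. Also, with `supportsNoneTimeframe` the body sends `"Timespan": ""` when no timeframe is selected; confirm the hunting endpoint accepts an empty `Timespan` rather than requiring the key to be omitted, since the alerts stream in this PR takes the different approach of substituting a fallback expression.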
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,221 @@ | ||
| { | ||
| "name": "alerts", | ||
| "displayName": "Alerts", | ||
| "baseDataSourceName": "httpRequestUnscoped", | ||
| "config": { | ||
| "httpMethod": "get", | ||
| "errorHandling": { | ||
| "type": "default" | ||
| }, | ||
| "paging": { | ||
| "mode": "nextUrl", | ||
| "pageSize": { | ||
| "realm": { | ||
| "value": "none", | ||
| "label": "none" | ||
| } | ||
| }, | ||
| "in": { | ||
| "realm": { | ||
| "value": "payload", | ||
| "label": "payload" | ||
| }, | ||
| "path": "@odata.nextLink" | ||
| } | ||
| }, | ||
| "expandInnerObjects": true, | ||
| "endpointPath": "alerts_v2", | ||
| "pathToData": "value", | ||
| "getArgs": [ | ||
| { | ||
| "key": "$filter", | ||
| "value": "{{ status && status.length > 0 ? \"(status eq \" + status.map((m) => { return `'${m}'` }).join(\" or status eq \") + \") and \" : \"\" }}{{ severity && severity.length > 0 ? \"(severity eq \" + severity.map((m) => { return `'${m}'` }).join(\" or severity eq \") + \") and \" : \"\" }}{{timeframe.enum !== \"none\" ? timeframeCol + \" ge \" + timeframe.start + \" and \" + timeframeCol + \" le \" + timeframe.end : \"1 eq 1\"}}" | ||
| } | ||
| ], | ||
| "headers": [] | ||
| }, | ||
| "metadata": [ | ||
| { | ||
| "name": "title", | ||
| "displayName": "Title", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "systemTags", | ||
| "displayName": "System Tags", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "severity", | ||
| "displayName": "Severity", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "status", | ||
| "displayName": "Status", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "category", | ||
| "displayName": "Category", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "detectionSource", | ||
| "displayName": "Detection Source", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "firstActivityDateTime", | ||
| "displayName": "First Activity", | ||
| "shape": "date", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "lastActivityDateTime", | ||
| "displayName": "Last Activity", | ||
| "shape": "date", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "classification", | ||
| "displayName": "Classification", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "determination", | ||
| "displayName": "Determination", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "name": "assignedTo", | ||
| "displayName": "Assigned To", | ||
| "shape": "string", | ||
| "role": "label" | ||
| }, | ||
| { | ||
| "pattern": ".*", | ||
| "visible": false | ||
| } | ||
| ], | ||
| "timeframes": [ | ||
| "last1hour", | ||
| "last12hours", | ||
| "last24hours", | ||
| "last7days", | ||
| "last30days", | ||
| "thisMonth", | ||
| "thisQuarter", | ||
| "thisYear", | ||
| "lastMonth", | ||
| "lastQuarter", | ||
| "lastYear" | ||
| ], | ||
| "supportsNoneTimeframe": true, | ||
| "manualConfigApply": true, | ||
| "providesPluginDiagnostics": true, | ||
| "tags": [], | ||
| "ui": [ | ||
| { | ||
| "name": "severity", | ||
| "label": "Severity", | ||
| "type": "autocomplete", | ||
| "data": { | ||
| "source": "fixed", | ||
| "values": [ | ||
| { | ||
| "value": "low", | ||
| "label": "Low" | ||
| }, | ||
| { | ||
| "value": "medium", | ||
| "label": "Medium" | ||
| }, | ||
| { | ||
| "value": "high", | ||
| "label": "High" | ||
| }, | ||
| { | ||
| "value": "informational", | ||
| "label": "Informational" | ||
| }, | ||
| { | ||
| "value": "unknown", | ||
| "label": "Unknown" | ||
| }, | ||
| { | ||
| "value": "unknownFutureValue", | ||
| "label": "Unknown Future Value" | ||
| } | ||
| ] | ||
| }, | ||
| "isClearable": true | ||
| }, | ||
| { | ||
| "name": "status", | ||
| "label": "Status", | ||
| "type": "autocomplete", | ||
| "data": { | ||
| "source": "fixed", | ||
| "values": [ | ||
| { | ||
| "value": "newAlert", | ||
| "label": "New" | ||
| }, | ||
| { | ||
| "value": "inProgress", | ||
| "label": "In Progress" | ||
| }, | ||
| { | ||
| "value": "resolved", | ||
| "label": "Resolved" | ||
| }, | ||
| { | ||
| "value": "unknown", | ||
| "label": "Unknown" | ||
| }, | ||
| { | ||
| "value": "unknownFutureValue", | ||
| "label": "Unknown Future Value" | ||
| } | ||
| ] | ||
| }, | ||
| "isClearable": true | ||
| }, | ||
| { | ||
| "tileEditorStep": ["Timeframe"], | ||
| "isMulti": false, | ||
| "help": "Select the column to apply the timeframe", | ||
| "data": { | ||
| "source": "fixed", | ||
| "values": [ | ||
| { | ||
| "value": "createdDateTime", | ||
| "label": "Creation Time" | ||
| }, | ||
| { | ||
| "value": "lastActivityDateTime", | ||
| "label": "Last Activity Time" | ||
| }, | ||
| { | ||
| "value": "lastUpdateDateTime", | ||
| "label": "Last Update Time" | ||
| } | ||
| ] | ||
| }, | ||
| "defaultValue": "createdDateTime", | ||
| "name": "timeframeCol", | ||
| "label": "Timeframe Column", | ||
| "type": "autocomplete", | ||
| "isClearable": false | ||
| } | ||
| ] | ||
| } | ||
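Review bot: the `$filter` expression falls back to `"1 eq 1"` when the timeframe is `none`, because the optional status and severity clauses each end in `" and "` and something must follow them. OData services commonly reject `$filter` expressions that compare two constants rather than a property, so confirm the `alerts_v2` endpoint accepts `1 eq 1`; a safer construction is to collect the clauses and join them with `and`, emitting no `$filter` argument at all when every clause is empty. Two smaller points: the `timeframe.start` and `timeframe.end` values are interpolated unquoted, which is correct only if they are already ISO 8601 date-time literals, so confirm their format; and the catch-all `{ "pattern": ".*", "visible": false }` hides `createdDateTime` even though it is the default timeframe column, which may surprise users filtering on it.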
Should this field show on the Timeframe tab? You can use tileEditorStep to set this

that's what I'm after! thanks