MSDefenderEndpoints
README
With this responder you can
- Isolate machine
- Unisolate machine
- Run full antivirus scan
- Push IoC to Microsoft defender
- Alert
- BlockAndAlert
- (future: Collect investigation package)
NOTE: Microsft API for finding machines via IP-addresses is little bit limited "Find Machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.", because of this "hostname" is preferable observable type"
Responder needs one of the following licenses:
- Windows 10 Enterprise E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 E5 Security
In general, you’ll need to take the following steps to use the responder
- Create an Azure AD application
- Grant permissions to App
Steps
With your Global administrator credentials, login to the Azure portal.
* Azure Active Directory > App registrations > New registration.
In the registration form:
- Name - Name your application.
- Supported account type – leave the default setting.
- Redirect Uri – leave empty.
API permission
On your new application page, click API Permissions > Add permission > APIs my organization uses > type WindowsDefenderATP and click on WindowsDefenderATP
Choose Application permissions, select Alert.Read.All AND TI.ReadWrite.All AND Machine.ReadAll AND Machine.Isolate AND Machine.Scan > Click on Add permissions.
After clicking the Add Permissions button, on the next screen we need to grant consent for the permission to take effect.
Press the "Grant admin consent for {your tenant name}" button.
To get client credentials:
- In your application page, Click Certificate & Secrets
- Specify a key description and set an expiration for 1 year.
- Click Add and the application key will appear.
IMPORTANT: Copy and store this key in a safe place. Treat it like a password.
Detailed permissions:
How to create Azure App (link to MS blog)
MSDefender-IsolateMachine
Author: Keijo Korte
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://securitycenter.windows.com
Description
Isolate machine with Microsoft Defender for Endpoints
Configuration
| tenantId |
Azure tenant ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appId |
Azure app ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appSecret |
Azure app secret |
| Default value if not configured |
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890= |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| resourceAppIdUri |
Security Center URI, usually doens't need to change |
| Default value if not configured |
https://api.securitycenter.windows.com |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| oAuthUri |
Azure oAuth2 authentication endpoint |
| Default value if not configured |
https://login.windows.net/ |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
MSDefender-UnisolateMachine
Author: Keijo Korte
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://securitycenter.windows.com
Description
Unisolate machine with Microsoft Defender for Endpoints
Configuration
| tenantId |
Azure tenant ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appId |
Azure app ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appSecret |
Azure app secret |
| Default value if not configured |
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890= |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| resourceAppIdUri |
Security Center URI, usually doens't need to change |
| Default value if not configured |
https://api.securitycenter.windows.com |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| oAuthUri |
Azure oAuth2 authentication endpoint |
| Default value if not configured |
https://login.windows.net/ |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
MSDefender-PushIOC-Alert
Author: Keijo Korte
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://securitycenter.windows.com
Description
Push IOC to Defender client. Alert mode
Configuration
| tenantId |
Azure tenant ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appId |
Azure app ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appSecret |
Azure app secret |
| Default value if not configured |
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890= |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| resourceAppIdUri |
Security Center URI, usually doens't need to change |
| Default value if not configured |
https://api.securitycenter.windows.com |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| oAuthUri |
Azure oAuth2 authentication endpoint |
| Default value if not configured |
https://login.windows.net/ |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
MSDefender-PushIOC-Block
Author: Keijo Korte
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://securitycenter.windows.com
Description
Push IOC to Defender client. Blocking mode
Configuration
| tenantId |
Azure tenant ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appId |
Azure app ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appSecret |
Azure app secret |
| Default value if not configured |
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890= |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| resourceAppIdUri |
Security Center URI, usually doens't need to change |
| Default value if not configured |
https://api.securitycenter.windows.com |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| oAuthUri |
Azure oAuth2 authentication endpoint |
| Default value if not configured |
https://login.windows.net/ |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
MSDefender-FullVirusscan
Author: Keijo Korte
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://securitycenter.windows.com
Description
Run full virus scan to machine with Microsoft Defender for Endpoints
Configuration
| tenantId |
Azure tenant ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appId |
Azure app ID |
| Default value if not configured |
abcdef12-ab12-abc12-ab12-abcdef123456 |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| appSecret |
Azure app secret |
| Default value if not configured |
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890= |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| resourceAppIdUri |
Security Center URI, usually doens't need to change |
| Default value if not configured |
https://api.securitycenter.windows.com |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |
| oAuthUri |
Azure oAuth2 authentication endpoint |
| Default value if not configured |
https://login.windows.net/ |
| Type of the configuration item |
string |
| The configuration item can contain multiple values |
False |
| Is required |
True |