
MSDefenderOffice365#

README

Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

  • Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
  • Reports: View real-time reports to monitor Defender for Office 365 performance in your organization.
  • Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
  • Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.

This responder implements support for the Tenant Allow/Block List, which is consulted during mail flow to manually override the Microsoft 365 filtering verdicts for incoming messages. An observable with dataType 'mail' is used to block or unblock a sender address, while dataType 'domain' is used to block or unblock a domain.

You can also block or unblock multiple entries at once by using a multi-line observable with one entry per line.

The configuration lets you specify the number of days a block entry lives before it expires; a value of 0 means no expiration.
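As an added example (not code from the responder or from the Cortex-Analyzers project), the following Python shows how the observable and configuration described above can be turned into one Tenant Allow/Block List request: it validates every line of a 'mail' or 'domain' observable, removes duplicates, applies the block_expiration_days rule (a value <= 0 means no expiration) and renders the matching Exchange Online PowerShell call. New-TenantAllowBlockListItems and Remove-TenantAllowBlockListItems are the Exchange Online cmdlets that manage the list; that this responder drives them, and every function and field name below, are assumptions of this example.

```python
"""Added example: map a TheHive observable to a Tenant Allow/Block List request.

Assumed (not stated on the page): the list is managed through the Exchange Online
cmdlets New-/Remove-TenantAllowBlockListItems; all names here are hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Deliberately strict shapes: a responder acts with tenant-wide authority, so a
# stray line in a multi-line observable must be rejected, not pushed to the list.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


@dataclass
class TablRequest:
    action: str                 # "block" or "unblock"
    entries: List[str]          # normalised sender addresses or domains
    expires_at: Optional[str]   # ISO 8601 UTC timestamp, or None for no expiration


def parse_entries(observable: dict) -> List[str]:
    """Split a (possibly multi-line) observable into validated, de-duplicated entries."""
    data_type = observable["dataType"]
    if data_type == "mail":
        pattern = EMAIL_RE
    elif data_type == "domain":
        pattern = DOMAIN_RE
    else:
        raise ValueError(f"unsupported dataType {data_type!r}; expected 'mail' or 'domain'")

    entries: List[str] = []
    for line in observable["data"].splitlines():
        entry = line.strip()
        if not entry:
            continue  # blank lines are tolerated, anything else must validate
        if not pattern.match(entry):
            raise ValueError(f"{entry!r} is not a valid {data_type} entry")
        entries.append(entry.lower())
    if not entries:
        raise ValueError("observable contains no entries")
    return list(dict.fromkeys(entries))  # drop duplicates, keep first-seen order


def expiration(block_expiration_days: int, now: datetime) -> Optional[str]:
    """Apply the block_expiration_days setting: <= 0 means the block never expires."""
    if block_expiration_days <= 0:
        return None
    return (now + timedelta(days=block_expiration_days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request(observable: dict, action: str, block_expiration_days: int = 0,
                  now_iso: Optional[str] = None) -> TablRequest:
    """Combine observable, responder action and configuration into one request."""
    if action not in ("block", "unblock"):
        raise ValueError(f"unknown action {action!r}")
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    entries = parse_entries(observable)
    # Expiration only applies when adding a block entry; unblock removes it outright.
    expires_at = expiration(block_expiration_days, now) if action == "block" else None
    return TablRequest(action=action, entries=entries, expires_at=expires_at)


def to_powershell(req: TablRequest) -> str:
    """Render the assumed Exchange Online cmdlet call. Entries are single-quoted with
    embedded quotes doubled, so observable content can never escape the argument."""
    quoted = ",".join("'" + e.replace("'", "''") + "'" for e in req.entries)
    # Both sender addresses and domains live under -ListType Sender.
    if req.action == "unblock":
        return f"Remove-TenantAllowBlockListItems -ListType Sender -Entries {quoted}"
    tail = "-NoExpiration" if req.expires_at is None else f"-ExpirationDate '{req.expires_at}'"
    return f"New-TenantAllowBlockListItems -ListType Sender -Block -Entries {quoted} {tail}"


if __name__ == "__main__":
    # Constructed sample: a multi-line 'mail' observable with a blank and a duplicate line.
    sample = {"dataType": "mail", "data": "Spam@Evil.example\n\nother@evil.example\nspam@evil.example\n"}
    print(to_powershell(build_request(sample, "block", block_expiration_days=30)))
    print(to_powershell(build_request({"dataType": "domain", "data": "evil.example"}, "unblock")))
```

The validation step is the part worth keeping even if the backend differs: the responder's credentials can write to the tenant-wide list, so rejecting a malformed line is cheaper than discovering later that an unexpected entry was blocked or that a crafted observable reached the shell unquoted.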

For further reference on this capability, see the Microsoft documentation Allow or block emails using the Tenant Allow/Block List.

MSDefenderOffice365_unblock#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide

Description#

Add entries to the Tenant Allow/Block List in Microsoft 365 Defender

Configuration#

| Name | Description | Default value if not configured | Type | Can contain multiple values | Required |
|---|---|---|---|---|---|
| certificate_base64 | Base64-encoded PFX certificate to be used for certificate-based authentication. | N/A | string | False | True |
| certificate_password | Password for the certificate used to authenticate | N/A | string | False | True |
| app_id | The application ID of the service principal that's used in certificate-based authentication | N/A | string | False | True |
| organization | Tenant ID. Example: something.onmicrosoft.com | N/A | string | False | True |

MSDefenderOffice365_block#

Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide

Description#

Add entries to the Tenant Allow/Block List in Microsoft 365 Defender

Configuration#

| Name | Description | Default value if not configured | Type | Can contain multiple values | Required |
|---|---|---|---|---|---|
| certificate_base64 | Base64-encoded PFX certificate to be used for certificate-based authentication. | N/A | string | False | True |
| certificate_password | Password for the certificate used to authenticate | N/A | string | False | True |
| app_id | The application ID of the service principal that's used in certificate-based authentication | N/A | string | False | True |
| organization | Tenant ID. Example: something.onmicrosoft.com | N/A | string | False | True |
| block_expiration_days | How many days out should we set the expiration? A value <= 0 means to set no expiration. | 0 | number | False | True |