MSDefenderOffice365#
README
Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:
- Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
- Reports: View real-time reports to monitor Defender for Office 365 performance in your organization.
- Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
- Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.
This responder implements support for the Tenant Allow/Block List which is used during mail flow for incoming messages to manually override the Microsoft 365 filtering verdicts. An observable with dataType 'mail' is used to block/unblock a sender, while dataType 'domain' is used to block/unblock a domain.
You can also block or unblock multiple entries at once by using a multi-line observable with one entry per line.
The configuration allows you to specify the number of days for a block entry to live before expiration with a value of 0 meaning no expiration.
For further reference on this capability, see the Microsoft documentation Allow or block emails using the Tenant Allow/Block List.
MSDefenderOffice365_unblock#
Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide
Description#
Add entries to the Tenant Allow/Block List in the Microsoft 365 Defender
Configuration#
| certificate_base64 | Base64-encoded PFX certificate to be used for certificate-based authentication. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| certificate_password | Password for the certificate used to authenticate |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| app_id | The application ID of the service principal that's used in certificate based authentication |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| organization | Tenant ID. Example: something.onmicrosoft.com |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
MSDefenderOffice365_block#
Author: Joe Lazaro
License: AGPL-V3
Version: 1.0
Supported data types:
- thehive:case_artifact
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide
Description#
Add entries to the Tenant Allow/Block List in the Microsoft 365 Defender
Configuration#
| certificate_base64 | Base64-encoded PFX certificate to be used for certificate-based authentication. |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| certificate_password | Password for the certificate used to authenticate |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| app_id | The application ID of the service principal that's used in certificate based authentication |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| organization | Tenant ID. Example: something.onmicrosoft.com |
|---|---|
| Default value if not configured | N/A |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |
| block_expiration_days | How many days out should we set the expiration? A value <= 0 means to set no expiration. |
|---|---|
| Default value if not configured | 0 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | True |