From 9fbddc6ab1a92a5d81c883ba16240c87bcd6bcf6 Mon Sep 17 00:00:00 2001
From: louismaxx
Date: Tue, 3 Oct 2023 15:17:04 +0200
Subject: [PATCH 1/9] Update Dockerfile

---
 responders/MSDefenderEndpoints/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/responders/MSDefenderEndpoints/Dockerfile b/responders/MSDefenderEndpoints/Dockerfile
index 6f153365f..6d3fed6a2 100644
--- a/responders/MSDefenderEndpoints/Dockerfile
+++ b/responders/MSDefenderEndpoints/Dockerfile
@@ -17,5 +17,5 @@ FROM python:3
 WORKDIR /worker
 COPY . MSDefenderEndpoints
-RUN test ! -e MSDefenderEndpoints/requirements.txt || pip install --no-cache-dir -rMSDefenderEndpoints/requirements.txt
-ENTRYPOINT MSDefenderEndpoints/MSDefenderEndpoints.py
\ No newline at end of file
+RUN test ! -e MSDefenderEndpoints/requirements.txt || pip install --no-cache-dir -r MSDefenderEndpoints/requirements.txt
+ENTRYPOINT MSDefenderEndpoints/MSDefenderEndpoints.py

From b4a07402ee11fd3c17bdb524d91fc9898c0fc4dd Mon Sep 17 00:00:00 2001
From: louismaxx
Date: Tue, 3 Oct 2023 16:34:14 +0200
Subject: [PATCH 2/9] Fix url & and getmachineid function

The url is missing a / between the oauth URI and the tenant. Certain org do not integrate computers in Azure AD, therefore the aaDDeviceId field returns null. MDE as a backup id field that can be used for this case.
---
 responders/MSDefenderEndpoints/MSDefenderEndpoints.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
index 8775fd5f9..919f3cc32 100755
--- a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
+++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
@@ -31,7 +31,7 @@ def __init__(self):
 def run(self):
 Responder.run(self)
-url = "{}{}/oauth2/token".format(
+url = "{}/{}/oauth2/token".format(
 self.msdefenderOAuthUri,self.msdefenderTenantId
 )
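Review bot: The rewritten `ENTRYPOINT MSDefenderEndpoints/MSDefenderEndpoints.py` line keeps the shell form, so the responder runs as a child of `/bin/sh -c`: the shell is PID 1 and a SIGTERM from the container runtime is not forwarded to the Python process. Since the line is being touched anyway, use the exec form `ENTRYPOINT ["MSDefenderEndpoints/MSDefenderEndpoints.py"]`. The `pip install` in the RUN line installs whatever `requirements.txt` names with no pins or hashes, but whether that is a problem depends on the requirements file, which is not part of this patch.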
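Review bot: The new `"{}/{}/oauth2/token"` format assumes `self.msdefenderOAuthUri` carries no trailing slash, yet the responder configs changed later in this same series replace a default of `https://login.windows.net/` (with a slash), so deployments that kept the old value will now build `https://login.windows.net//<tenant>/oauth2/token`, which the token endpoint may or may not tolerate. Normalising the base before formatting keeps both spellings working: `url = "{}/{}/oauth2/token".format(self.msdefenderOAuthUri.rstrip('/'), self.msdefenderTenantId)`. `run` continues well past the end of this hunk.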
@@ -77,6 +77,8 @@ def getMachineId(id):
 if response.status_code == 200:
 jsonResponse = response.json()
 if len(response.content) > 100:
+if jsonResponse["value"][0]["aadDeviceId"] is None:
+return jsonResponse["value"][0]["id"]
 return jsonResponse["value"][0]["aadDeviceId"]
 else:
 self.error({'message': "Can't get hostname from Microsoft API"})

From 234839d1e0c2dac0a9f5f01f5fc36f902ebb7444 Mon Sep 17 00:00:00 2001
From: louismaxx
Date: Wed, 4 Oct 2023 12:28:56 +0200
Subject: [PATCH 3/9] Added new response features

---
 .../MSDefenderEndpoints.py | 76 ++++++++++++++++++-
 ...MSDefenderEndpoints_AutoInvestigation.json | 61 +++++++++++++++
 ...efenderEndpoints_RestrictAppExecution.json | 61 +++++++++++++++
 ...enderEndpoints_UnRestrictAppExecution.json | 60 +++++++++++++++
 4 files changed, 257 insertions(+), 1 deletion(-)
 create mode 100644 responders/MSDefenderEndpoints/MSDefenderEndpoints_AutoInvestigation.json
 create mode 100644 responders/MSDefenderEndpoints/MSDefenderEndpoints_RestrictAppExecution.json
 create mode 100644 responders/MSDefenderEndpoints/MSDefenderEndpoints_UnRestrictAppExecution.json

diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
index 919f3cc32..6d7e41c1f 100755
--- a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
+++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py
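Review bot: With this fallback `getMachineId` returns one of two differently scoped identifiers — the Azure AD `aadDeviceId` when present, otherwise the MDE machine `id` — and every caller in this file passes the result into `/api/machines/{id}/...`, which as far as I know expects the MDE machine id; if `id` works there (which is what this commit's motivation implies), returning it unconditionally is simpler and safer than only using it as a fallback, and either choice deserves a comment explaining why. The new check also assumes the key is always present: `if jsonResponse["value"][0].get("aadDeviceId") is None:` avoids a `KeyError` on records where the field is omitted rather than null. `[0]` still silently picks the first of possibly several machines matching the observable; at minimum report when `len(jsonResponse["value"]) > 1` so an isolation does not land on the wrong host. `getMachineId` begins before this hunk.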
@@ -155,6 +155,74 @@ def unisolateMachine(machineId): except requests.exceptions.RequestException as e: self.error({'message': e}) + + def restrictAppExecution(machineId): + ''' + example + POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution + ''' + url = 'https://api.securitycenter.windows.com/api/machines/{}/restrictCodeExecution'.format(machineId) + body = { + 'Comment': 'Restrict code execution due to TheHive case {}'.format(self.caseId) + } + + try: + response = self.msdefenderSession.post(url=url, json=body) + if response.status_code == 201: + self.report({'message': "Restricted app execution on machine: " + self.observable }) + elif response.status_code == 400 and "ActiveRequestAlreadyExists" in response.content.decode("utf-8"): + self.report({'message': "Error restricting app execution on machine: ActiveRequestAlreadyExists"}) + else: + self.error({'message': "Can't restrict app execution"}) + except requests.exceptions.RequestException as e: + self.error({'message': e}) + + + def unrestrictAppExecution(machineId): + ''' + example + POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution + ''' + url = 'https://api.securitycenter.windows.com/api/machines/{}/unrestrictCodeExecution'.format(machineId) + body = { + 'Comment': '"Remove code execution restriction since machine was cleaned and validated due to TheHive case {}'.format(self.caseId) + } + + try: + response = self.msdefenderSession.post(url=url, json=body) + if response.status_code == 201: + self.report({'message': "Removed app execution restriction on machine: " + self.observable }) + elif response.status_code == 400 and "ActiveRequestAlreadyExists" in response.content.decode("utf-8"): + self.report({'message': "Error removing app execution restriction on machine: ActiveRequestAlreadyExists"}) + else: + self.error({'message': "Can't unrestrict app execution"}) + except requests.exceptions.RequestException as e: + self.error({'message': e}) 
+ + + def startAutoInvestigation(machineId): + ''' + example + POST https://api.securitycenter.windows.com/api/machines/{id}/startInvestigation + ''' + url = 'https://api.securitycenter.windows.com/api/machines/{}/startInvestigation'.format(machineId) + + body = { + 'Comment': 'Start investigation due to TheHive case {}'.format(self.caseId) + } + + try: + response = self.msdefenderSession.post(url=url, json=body) + if response.status_code == 201: + self.report({'message': "Started Auto Investigation on : " + self.observable }) + elif response.status_code == 400 and "ActiveRequestAlreadyExists" in response.content.decode("utf-8"): + self.report({'message': "Error lauching auto investigation on machine: ActiveRequestAlreadyExists"}) + else: + self.error({'message': "Error auto investigation on machine"}) + except requests.exceptions.RequestException as e: + self.error({'message': e}) + + def pushCustomIocAlert(ipAddress): action="Alert" url = 'https://api.securitycenter.windows.com/api/indicators' @@ -195,13 +263,19 @@ def pushCustomIocBlock(ipAddress): except requests.exceptions.RequestException as e: self.error({'message': e}) - # print("blop") + if self.service == "isolateMachine": isolateMachine(getMachineId(self.observable)) elif self.service == "unisolateMachine": unisolateMachine(getMachineId(self.observable)) elif self.service == "runFullVirusScan": runFullVirusScan(getMachineId(self.observable)) + elif self.service == "restrictAppExecution": + restrictAppExecution(getMachineId(self.observable)) + elif self.service == "unrestrictAppExecution": + unrestrictAppExecution(getMachineId(self.observable)) + elif self.service == "startAutoInvestigation": + startAutoInvestigation(getMachineId(self.observable)) elif self.service == "pushIOCBlock": pushCustomIocBlock(self.observable) elif self.service == "pushIOCAlert": 
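Review bot: The `ActiveRequestAlreadyExists` branch in `restrictAppExecution`, `unrestrictAppExecution` and `startAutoInvestigation` calls `self.report(...)`, which ends the job as a success even though no new machine action was queued, so Cortex marks the responder as succeeded and `operations()` goes on to tag the artifact. That branch should be `self.error({'message': "... ActiveRequestAlreadyExists"})`, or at the very least say explicitly that nothing was queued. The `unrestrictAppExecution` comment also has a stray leading quote, `'"Remove code execution restriction ...'`, which is sent verbatim to Defender as the action comment. The three functions differ only in the path segment and the messages; a single helper removes the triplication and replaces the `response.content.decode("utf-8")` substring test with `response.text`. These are nested in `run`, which starts before and ends after this hunk.
```python
def machineAction(machineId, action, comment, successMessage):
    '''POST /api/machines/{id}/{action} with a TheHive case comment; exits via self.error on failure.'''
    url = 'https://api.securitycenter.windows.com/api/machines/{}/{}'.format(machineId, action)
    body = {'Comment': '{} due to TheHive case {}'.format(comment, self.caseId)}
    try:
        response = self.msdefenderSession.post(url=url, json=body)
    except requests.exceptions.RequestException as e:
        self.error({'message': str(e)})
    if response.status_code == 201:
        self.report({'message': successMessage + self.observable})
    elif response.status_code == 400 and "ActiveRequestAlreadyExists" in response.text:
        # A request is already pending for this machine: nothing new was queued,
        # so this must not be reported as a success (operations() would tag the artifact).
        self.error({'message': "{} not queued: ActiveRequestAlreadyExists".format(action)})
    else:
        self.error({'message': "Can't {} (HTTP {})".format(action, response.status_code)})

def restrictAppExecution(machineId):
    machineAction(machineId, 'restrictCodeExecution', 'Restrict code execution',
                  "Restricted app execution on machine: ")

# … unchanged: unrestrictAppExecution / startAutoInvestigation become the same one-line calls …
# … unchanged: pushCustomIocAlert …
```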
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_AutoInvestigation.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_AutoInvestigation.json new file mode 100644 index 000000000..ac4ece72c --- /dev/null +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_AutoInvestigation.json @@ -0,0 +1,61 @@ +{ + "name": "MSDefender-AutoInvestigation", + "version": "1.0", + "author": "Keijo Korte, Louis-Maximilien Dupouy", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Start an automated investigation on a device", + "dataTypeList": ["thehive:case_artifact"], + "command": "MSDefenderEndpoints/MSDefenderEndpoints.py", + "baseConfig": "MSDefenderforEndpoints", + "config": { + "service": "startAutoInvestigation" + }, + "configurationItems": [ + { + "name": "tenantId", + "description": "Azure tenant ID", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456" + }, + { + "name": "appId", + "description": "Azure app ID", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456" + }, + { + "name": "appSecret", + "description": "Azure app secret", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890=" + }, + { + "name": "resourceAppIdUri", + "description": "Security Center URI, usually doens't need to change", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.securitycenter.windows.com" + }, + { + "name": "oAuthUri", + "description": "Azure oAuth2 authentication endpoint", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://login.microsoftonline.com" + } + ], + "registration_required": true, + "subscription_required": true, + "free_subscription": false, + "service_homepage": "https://securitycenter.windows.com" + } + \ No newline at end of file 
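Review bot: `appSecret` is declared `"required": true` but ships with `"defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890="`, a syntactically plausible placeholder, so a responder that was never configured passes validation and only fails at the token endpoint with a bogus secret instead of at configuration time; drop `defaultValue` for `appSecret` (and arguably for `tenantId`/`appId`, which are placeholders too) so Cortex forces the operator to set them. The `resourceAppIdUri` description has a typo and should read `"Security Center URI, usually doesn't need to change"`. The same configuration block appears in the other two JSON files added by this commit, so fix them together.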
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_RestrictAppExecution.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_RestrictAppExecution.json new file mode 100644 index 000000000..525a80990 --- /dev/null +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_RestrictAppExecution.json 
@@ -0,0 +1,61 @@ +{ + "name": "MSDefender-RestrictAppExecution", + "version": "1.0", + "author": "Keijo Korte, Louis-Maximilien Dupouy", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Restrict execution of all applications on the device except a predefined set", + "dataTypeList": ["thehive:case_artifact"], + "command": "MSDefenderEndpoints/MSDefenderEndpoints.py", + "baseConfig": "MSDefenderforEndpoints", + "config": { + "service": "restrictAppExecution" + }, + "configurationItems": [ + { + "name": "tenantId", + "description": "Azure tenant ID", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456" + }, + { + "name": "appId", + "description": "Azure app ID", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456" + }, + { + "name": "appSecret", + "description": "Azure app secret", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890=" + }, + { + "name": "resourceAppIdUri", + "description": "Security Center URI, usually doens't need to change", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.securitycenter.windows.com" + }, + { + "name": "oAuthUri", + "description": "Azure oAuth2 authentication endpoint", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://login.microsoftonline.com" + } + ], + "registration_required": true, + "subscription_required": true, + "free_subscription": false, + "service_homepage": "https://securitycenter.windows.com" + } + \ No newline at end of file diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_UnRestrictAppExecution.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_UnRestrictAppExecution.json new file mode 100644 index 000000000..7b0c20d6a --- /dev/null 
+++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_UnRestrictAppExecution.json @@ -0,0 +1,60 @@ +{ + "name": "MSDefender-UnRestrictAppExecution", + "version": "1.0", + "author": "Keijo Korte, Louis-Maximilien Dupouy", + "url": "https://github.com/TheHive-Project/Cortex-Analyzers", + "license": "AGPL-V3", + "description": "Enable execution of any application on the device", + "dataTypeList": ["thehive:case_artifact"], + "command": "MSDefenderEndpoints/MSDefenderEndpoints.py", + "baseConfig": "MSDefenderforEndpoints", + "config": { + "service": "unrestrictAppExecution" + }, + "configurationItems": [ + { + "name": "tenantId", + "description": "Azure tenant ID", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456" + }, + { + "name": "appId", + "description": "Azure app ID", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "abcdef12-ab12-abc12-ab12-abcdef123456" + }, + { + "name": "appSecret", + "description": "Azure app secret", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890=" + }, + { + "name": "resourceAppIdUri", + "description": "Security Center URI, usually doens't need to change", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://api.securitycenter.windows.com" + }, + { + "name": "oAuthUri", + "description": "Azure oAuth2 authentication endpoint", + "type": "string", + "multi": false, + "required": true, + "defaultValue": "https://login.microsoftonline.com" + } + ], + "registration_required": true, + "subscription_required": true, + "free_subscription": false, + "service_homepage": "https://securitycenter.windows.com" +} From 15d16952680a50e23d847f842661cb2362bb459f Mon Sep 17 00:00:00 2001 
From: louismaxx Date: Wed, 4 Oct 2023 13:19:15 +0200 Subject: [PATCH 4/9] Update readme to add a required permission --- responders/MSDefenderEndpoints/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/responders/MSDefenderEndpoints/README.md b/responders/MSDefenderEndpoints/README.md index cb338f07a..d89134435 100644 --- a/responders/MSDefenderEndpoints/README.md +++ b/responders/MSDefenderEndpoints/README.md @@ -37,7 +37,7 @@ In the registration form: ##### API permission On your new application page, click API Permissions > Add permission > APIs my organization uses > type **WindowsDefenderATP** and click on WindowsDefenderATP -Choose Application permissions, select **Alert.Read.All** AND **TI.ReadWrite.All** AND **Machine.ReadAll** AND **Machine.Isolate** AND **Machine.Scan** > Click on Add permissions. +Choose Application permissions, select **Alert.Read.All** AND **TI.ReadWrite.All** AND **Machine.ReadAll** AND **Machine.Isolate** AND **Machine.Scan** AND **Machine.RestrictExecution** > Click on Add permissions. After clicking the Add Permissions button, on the next screen we need to grant consent for the permission to take effect. Press the "Grant admin consent for {your tenant name}" button. From 117c7ee30a5f8668b501c8c9fffb274efe7c128d Mon Sep 17 00:00:00 2001 From: louismaxx Date: Mon, 9 Oct 2023 16:25:45 +0200 Subject: [PATCH 5/9] added IOC options & patched alert mode json --- .../MSDefenderEndpoints.py | 66 ++++++++++++++----- 1 file changed, 51 insertions(+), 15 deletions(-) diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py index 6d7e41c1f..950e46975 100755 --- a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py 
@@ -7,7 +7,7 @@ import datetime class MSDefenderEndpoints(Responder): - def __init__(self): + def __init__(self): Responder.__init__(self) self.msdefenderTenantId = self.get_param('config.tenantId', None, 'TenantId missing!') self.msdefenderAppId = self.get_param('config.appId', None, 'AppId missing!') @@ -29,7 +29,7 @@ def __init__(self): } ) - def run(self): + def run(self): Responder.run(self) url = "{}/{}/oauth2/token".format( self.msdefenderOAuthUri,self.msdefenderTenantId @@ -223,16 +223,34 @@ def startAutoInvestigation(machineId): self.error({'message': e}) - def pushCustomIocAlert(ipAddress): - action="Alert" + def pushCustomIocAlert(observable): + + if self.observableType == 'ip': + indicatorType = 'IpAddress' + elif self.observableType == 'url': + indicatorType = 'Url' + elif self.observableType == 'domain': + indicatorType = 'DomainName' + elif self.observableType == 'hash': + if len(observable) == 32: + indicatorType = 'FileMd5' + elif len(observable) == 40: + indicatorType = 'FileSha1' + elif len(observable) == 64: + indicatorType = 'FileSha256' + else: + self.report({'message':"Observable is not a valid hash"}) + else: + self.error({'message':"Observable type must be ip, url, domain or hash"}) + url = 'https://api.securitycenter.windows.com/api/indicators' body = { - 'indicatorValue': ipAddress, - 'indicatorType': 'IpAddress', - 'action': action, - 'title': self.caseTitle, + 'indicatorValue': observable, + 'indicatorType': indicatorType, + 'action': 'Alert', + 'title': "TheHive IOC: {}".format(self.caseTitle), 'severity': 'High', - 'description': self.caseTitle, + 'description': "TheHive case: {} - caseId {}".format(self.caseTitle,self.caseId), 'recommendedActions': 'N/A' } 
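Review bot: In the hash branch of `pushCustomIocAlert`, an unrecognised length calls `self.report({'message':"Observable is not a valid hash"})`; unlike `self.error`, `report` returns, so execution falls through to `body = {...}` with `indicatorType` never assigned and the responder dies with `UnboundLocalError` after having already emitted a success report. That line should be `self.error({'message': "Observable is not a valid hash"})`. Length alone also does not make a hash: a `re.fullmatch(r'[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}', observable)` check (importing `re` if the file does not already) would reject strings that merely happen to be 32/40/64 characters before they are pushed to Defender as indicators. `self.observableType` is presumably set in `__init__`, outside this hunk, and `pushCustomIocAlert` itself ends past the end of the hunk.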
@@ -243,13 +261,31 @@ def pushCustomIocAlert(ipAddress): except requests.exceptions.RequestException as e: self.error({'message': e}) - def pushCustomIocBlock(ipAddress): - action="AlertAndBlock" + def pushCustomIocBlock(observable): + + if self.observableType == 'ip': + indicatorType = 'IpAddress' + elif self.observableType == 'url': + indicatorType = 'Url' + elif self.observableType == 'domain': + indicatorType = 'DomainName' + elif self.observableType == 'hash': + if len(observable) == 32: + indicatorType = 'FileMd5' + elif len(observable) == 40: + indicatorType = 'FileSha1' + elif len(observable) == 64: + indicatorType = 'FileSha256' + else: + self.report({'message':"Observable is not a valid hash"}) + else: + self.error({'message':"Observable type must be ip, url, domain or hash"}) + url = 'https://api.securitycenter.windows.com/api/indicators' body = { - 'indicatorValue' : ipAddress, - 'indicatorType' : 'IpAddress', - 'action' : action, + 'indicatorValue' : observable, + 'indicatorType' : indicatorType, + 'action' : 'AlertAndBlock', 'title' : "TheHive IOC: {}".format(self.caseTitle), 'severity' : 'High', 'description' : "TheHive case: {} - caseId {}".format(self.caseTitle,self.caseId), @@ -283,7 +319,7 @@ def pushCustomIocBlock(ipAddress): else: self.error({'message': "Unidentified service"}) - def operations(self, raw): + def operations(self, raw): self.build_operation('AddTagToCase', tag='MSDefenderResponder:run') if self.service == "isolateMachine": return [self.build_operation("AddTagToArtifact", tag="MsDefender:isolated")] From 6c7b4a9bcea5b433c8f00b45eba43e3160b37498 Mon Sep 17 00:00:00 2001 From: louismaxx Date: Wed, 11 Oct 2023 11:25:47 +0200 Subject: [PATCH 6/9] Add tag after restriction and modified oauth uri --- responders/MSDefenderEndpoints/MSDefenderEndpoints.py | 4 ++++ .../MSDefenderEndpoints/MSDefenderEndpoints_Isolate.json | 2 +- .../MSDefenderEndpoints_PushIOCAlert.json | 6 +++--- 3 files changed, 8 insertions(+), 4 deletions(-) 
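Review bot: `pushCustomIocBlock` now repeats the observable-to-indicator-type mapping from `pushCustomIocAlert` verbatim, including the defect that an invalid hash length calls `self.report(...)` and then continues into `body = {...}` with `indicatorType` unbound. Extract the mapping into one helper that uses `self.error` (which in cortexutils exits the process) on every unsupported path, and have both functions call it; their bodies then differ only in `'action'`. `run` encloses these nested functions and ends outside the hunk.
```python
def indicatorTypeFor(observable):
    '''Map the TheHive observable to a Defender indicator type; exits via self.error when unsupported.'''
    simple = {'ip': 'IpAddress', 'url': 'Url', 'domain': 'DomainName'}
    if self.observableType in simple:
        return simple[self.observableType]
    if self.observableType != 'hash':
        self.error({'message': "Observable type must be ip, url, domain or hash"})
    hashTypes = {32: 'FileMd5', 40: 'FileSha1', 64: 'FileSha256'}
    if len(observable) not in hashTypes:
        # self.error exits; self.report would return and leave the type unbound
        self.error({'message': "Observable is not a valid hash"})
    return hashTypes[len(observable)]

def pushCustomIocBlock(observable):
    indicatorType = indicatorTypeFor(observable)
    url = 'https://api.securitycenter.windows.com/api/indicators'
    # … unchanged: body with 'action' : 'AlertAndBlock', post and status handling …
```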
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py index 950e46975..c7baaff02 100755 --- a/responders/MSDefenderEndpoints/MSDefenderEndpoints.py +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints.py @@ -327,6 +327,10 @@ def operations(self, raw): return [self.build_operation("AddTagToArtifact", tag="MsDefender:fullVirusScan")] elif self.service == "unisolateMachine": return [self.build_operation("AddTagToArtifact", tag="MsDefender:unIsolated")] + elif self.service == "restrictAppExecution": + return [self.build_operation("AddTagToArtifact", tag="MsDefender:restrictedAppExec")] + elif self.service == "unrestrictAppExecution": + return [self.build_operation("AddTagToArtifact", tag="MsDefender:unrestrictedAppExec")] if __name__ == '__main__': diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_Isolate.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_Isolate.json index 9dcc99547..e78dac91e 100644 --- a/responders/MSDefenderEndpoints/MSDefenderEndpoints_Isolate.json +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_Isolate.json @@ -50,7 +50,7 @@ "type": "string", "multi": false, "required": true, - "defaultValue": "https://login.windows.net/" + "defaultValue": "https://login.microsoftonline.com" } ], "registration_required": true, diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCAlert.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCAlert.json index fe9c10a2f..255fa328c 100644 --- a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCAlert.json +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCAlert.json 
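Review bot: The new `restrictAppExecution`/`unrestrictAppExecution` branches tag the artifact whenever `run` finished with `self.report`, and earlier in this series the `ActiveRequestAlreadyExists` path of those actions does report success, so an artifact can end up tagged `MsDefender:restrictedAppExec` although no new restriction request was created. Either turn that path into `self.error` in `run`, or have `operations` decide from something in `raw` that records the real outcome. If the tag set is meant to mirror the machine actions, `startAutoInvestigation` is the one action left without a branch here. `operations` starts before this hunk.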
@@ -1,7 +1,7 @@ { "name": "MSDefender-PushIOC-Alert", - "version": "1.0", - "author": "Keijo Korte", + "version": "2.0", + "author": "Keijo Korte, Louis-Maximilien Dupouy", "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Push IOC to Defender client. Alert mode", @@ -50,7 +50,7 @@ "type": "string", "multi": false, "required": true, - "defaultValue": "https://login.windows.net/" + "defaultValue": "https://login.microsoftonline.com" } ], "registration_required": true, From 92d22ee6073348d8f276f5ff1b21e2351b4066c0 Mon Sep 17 00:00:00 2001 From: louismaxx Date: Wed, 11 Oct 2023 16:18:28 +0200 Subject: [PATCH 7/9] Update README.md --- responders/MSDefenderEndpoints/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/responders/MSDefenderEndpoints/README.md b/responders/MSDefenderEndpoints/README.md index d89134435..66394dba9 100644 --- a/responders/MSDefenderEndpoints/README.md +++ b/responders/MSDefenderEndpoints/README.md @@ -4,7 +4,10 @@ * Isolate machine * Unisolate machine +* Restrict App Execution on a machine +* Remove app restriction on a machine * Run full antivirus scan +* Run an automated scan * Push IoC to Microsoft defender * Alert * BlockAndAlert From 2dfb571c6791297ef5f787a9ec784fcb04a188ef Mon Sep 17 00:00:00 2001 From: louismaxx Date: Wed, 11 Oct 2023 16:20:14 +0200 Subject: [PATCH 8/9] Update MSDefenderEndpoints_PushIOCBlock.json version --- .../MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json index d87914e25..cc863ac6d 100644 --- a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json 
@@ -1,7 +1,7 @@ { "name": "MSDefender-PushIOC-Block", - "version": "1.0", - "author": "Keijo Korte", + "version": "2.0", + "author": "Keijo Korte, Louis-Maximilien Dupouy", "url": "https://github.com/TheHive-Project/Cortex-Analyzers", "license": "AGPL-V3", "description": "Push IOC to Defender client. Blocking mode", From 29b6f9f1475258da4859dc2b0f57abe1ac589d60 Mon Sep 17 00:00:00 2001 From: louismaxx Date: Wed, 11 Oct 2023 16:27:41 +0200 Subject: [PATCH 9/9] changed the oauth uri --- .../MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json | 2 +- .../MSDefenderEndpoints/MSDefenderEndpoints_Unisolate.json | 2 +- .../MSDefenderEndpoints/MSDefenderEndpoints_VirusScan.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json index cc863ac6d..eb211d7cd 100644 --- a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json @@ -50,7 +50,7 @@ "type": "string", "multi": false, "required": true, - "defaultValue": "https://login.windows.net/" + "defaultValue": "https://login.microsoftonline.com" } ], "registration_required": true, diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_Unisolate.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_Unisolate.json index 32ee5b4cd..eda10343b 100644 --- a/responders/MSDefenderEndpoints/MSDefenderEndpoints_Unisolate.json +++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_Unisolate.json @@ -50,7 +50,7 @@ "type": "string", "multi": false, "required": true, - "defaultValue": "https://login.windows.net/" + "defaultValue": "https://login.microsoftonline.com" } ], "registration_required": true, diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_VirusScan.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_VirusScan.json index cccbaf2f5..69a9f9645 100644 
--- a/responders/MSDefenderEndpoints/MSDefenderEndpoints_VirusScan.json
+++ b/responders/MSDefenderEndpoints/MSDefenderEndpoints_VirusScan.json
@@ -50,7 +50,7 @@
 "type": "string",
 "multi": false,
 "required": true,
-"defaultValue": "https://login.windows.net/"
+"defaultValue": "https://login.microsoftonline.com"
 }
 ],
 "registration_required": true,