
Integration of Microsoft XDR #8

Merged
merged 36 commits into from
Aug 28, 2024

Conversation

WildDogOne
Contributor

@WildDogOne WildDogOne commented Aug 24, 2024

I am building a basic integration for Microsoft XDR Detection Rules using the MS Security Graph API.
Only the Beta API actually supports Detection Rules https://learn.microsoft.com/en-us/graph/api/security-detectionrule-post-detectionrules?view=graph-rest-beta
The msgraph sdk does not as of yet support Detection Rules, not in Beta or Stable. (At least not for creation I think)
Because of that I will be using native rest requests with msal for authentication

Todos:

  • Add Documentation of new Variables
  • Add Search Export
  • Add Actions to rule Export
  • Add Mitre Attack Values to Export
  • Add Run Search
  • Add Raw Rules
  • Add disabling of rules
  • Add deleting rules -> Investigate why delete runs into error: Forbidden by the API
  • Add Integrity check
  • Implement push only on rule change
  • Find a somewhat smart way to find already installed rules -> Added the UUID of the Sigma rule to DisplayName, sadly cannot use description because of odata limits
  • MSSP Mode is likely of interest, have an intelligent discussion about how to do it
  • check for ratelimiting

@WildDogOne
Contributor Author

For MSSP mode some ideas.
I am not 100% certain if it's possible to push a dict into env, but if that would be possible, I think it makes sense to use a dictionary instead of a single credential.
Like that it would be possible to just iterate over all the credentials available and if there are multiple it will export to multiple, and if not, it will just export to one.
No need for MSSP flags or anything like that

@WildDogOne
Contributor Author

WildDogOne commented Aug 24, 2024

OK I just stumbled upon a very strange issue.
When installing the M365 Backend from pySigma-backend-microsoft365defender it is called "microsoft_defender"
When installing from repository (https://github.com/AttackIQ/pySigma-backend-microsoft365defender) it is called "microsoft365defender"

I think it's necessary to get in touch with the maintainer of that project, because I have no clue what is going on

edit: It looks like they are restructuring to have multiple backends, and part of that is the namechange. I am guessing it will be in the next release

@WildDogOne
Contributor Author

I have added simple rate limit checking and retry on limit for every MS XDR function.
However there is one imo big problem.
Even getting custom rules counts towards the limit of 10 requests per minute.
Hence if we want to check if policies have changed before pushing, it means an extra request.

There are two ways I can think of to get around this problem.
In one go get as many custom detection rules as possible and make a local temporary store which then can be used for integrity checking.
Or live with the issue, e.g. have it as a known problem and shift left
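Added example, not code from this PR or from the certeu project: it sketches the "fetch once, keep a local store" idea from this comment together with the UUID-in-DisplayName lookup from the first comment's todo list, so that only rules that actually changed cost a request against the 10 requests/minute limit. The field names (`id`, `displayName`, `isEnabled`, `queryCondition.queryText`) are assumed from the Graph beta detectionRule resource, and the sample rules are constructed.

```python
import hashlib
import re

# Sigma rule UUIDs live in the XDR rule displayName (the approach from this thread).
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def fingerprint(query_text, is_enabled):
    """Hash the fields that matter so a changed rule is detectable without an extra GET."""
    return hashlib.sha256(f"{is_enabled}\n{query_text.strip()}".encode()).hexdigest()


def build_local_store(installed_rules):
    """Index rules from one GET of custom detection rules by Sigma UUID; rules without
    a UUID in displayName are not Sigma-managed and are skipped (never overwritten)."""
    store = {}
    for rule in installed_rules:
        match = UUID_RE.search(rule.get("displayName", ""))
        if match:  # field names assumed from the Graph beta detectionRule schema
            store[match.group(0).lower()] = {
                "id": rule["id"],
                "fingerprint": fingerprint(
                    rule["queryCondition"]["queryText"], rule["isEnabled"]),
            }
    return store


def plan_push(local_rules, store):
    """Split converted Sigma rules into (create, update, skip) lists of UUIDs."""
    create, update, skip = [], [], []
    for rule in local_rules:
        uid = rule["sigma_id"].lower()
        if uid not in store:
            create.append(uid)
        elif store[uid]["fingerprint"] != fingerprint(rule["query"], rule["enabled"]):
            update.append(uid)
        else:
            skip.append(uid)
    return create, update, skip


# Constructed sample: two rules "installed" in the tenant, two converted locally.
Q1 = "DeviceProcessEvents | where FileName == 'powershell.exe'"
INSTALLED = [
    {"id": "r1", "isEnabled": True, "queryCondition": {"queryText": Q1},
     "displayName": "Sigma 11111111-1111-4111-8111-111111111111 PS spawn"},
    {"id": "r2", "isEnabled": True, "queryCondition": {"queryText": "DeviceEvents | take 10"},
     "displayName": "Analyst rule"},
]
LOCAL = [
    {"sigma_id": "11111111-1111-4111-8111-111111111111", "enabled": False, "query": Q1},
    {"sigma_id": "22222222-2222-4222-8222-222222222222", "enabled": True,
     "query": "DeviceNetworkEvents | where RemotePort == 4444"},
]
```

With the sample data, `plan_push(LOCAL, build_local_store(INSTALLED))` reports one update (the disabled flag changed), one create, and leaves the analyst's hand-made rule untouched.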

@0xFustang 0xFustang self-assigned this Aug 26, 2024
@0xFustang 0xFustang added the new-platform About a new SIEM/EDR platform label Aug 26, 2024
@0xFustang 0xFustang marked this pull request as ready for review August 26, 2024 16:04
@0xFustang
Collaborator

The integration works great so far, I will have a final review on the documentation and merge this. Thanks a lot for your contribution @WildDogOne

@0xFustang 0xFustang merged commit 1d566cc into certeu:main Aug 28, 2024
1 check passed
@WildDogOne WildDogOne deleted the MSXDR branch September 2, 2024 13:13