Azure · v-atulyadav · Dec 4, 2023 · Nov 1, 2023 · Nov 1, 2023 · Nov 1, 2023
@@ -10,8 +10,8 @@
     "Analytic Rules/AquaBlizzardAVHits.yaml"
   ],
   "Parsers": [
-    "Parsers/AssignedIPAddress.txt",
-    "Parsers/Devicefromip.txt"
+    "Parsers/AssignedIPAddress.yaml",
+    "Parsers/Devicefromip.yaml"
   ],
   "Hunting Queries": [
     "Hunting Queries/MDE_Usage.yaml",
@@ -42,7 +42,7 @@
     "Playbooks/Unisolate-MDEMachine/Unisolate-MDE-Machine-entity-trigger/azuredeploy.json"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\MicrosoftDefenderForEndpoint",
-  "Version": "3.0.0",
+  "Version": "3.0.1",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": true

@@ -0,0 +1,57 @@
+{
+  "Name": "MicrosoftDefenderForEndpoint",
+  "Author": "Microsoft - [email protected]",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Sentinel Incidents queue. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Codeless Connector Platform/Native Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\MicrosoftDefenderForEndpoint",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": true,
+  "Version": "3.0.1",
+  "publisherId": "azuresentinel",
+  "offerId": "azure-sentinel-solution-microsoftdefenderendpoint",
+  "providers": [
+    "Microsoft"
+  ],
+  "categories": {
+    "domains": [
+      "Security - Threat Protection"
+    ],
+    "verticals": []
+  },
+  "firstPublishDate": "2022-01-31",
+  "support": {
+    "name": "Microsoft Corporation",
+    "email": "[email protected]",
+    "tier": "Microsoft",
+    "link": "https://support.microsoft.com"
+  },
+  "Data Connectors": "[\n  \"Data Connectors/template_MicrosoftDefenderAdvancedThreatProtection.JSON\"\n]",
+  "Parsers": "[\n  \"AssignedIPAddress.yaml\",\n  \"Devicefromip.yaml\"\n]",
+  "Playbooks": [
+    "Playbooks/Isolate-MDEMachine/Isolate-MDE-Machine-entity-trigger/azuredeploy.json",
+    "Playbooks/Isolate-MDEMachine/Isolate-MDEMachine-alert-trigger/azuredeploy.json",
+    "Playbooks/Isolate-MDEMachine/Isolate-MDEMachine-incident-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEAppExecution/Restrict-MDEAppExecution-alert-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEAppExecution/Restrict-MDEAppExecution-incident-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEDomain/Restrict-MDEDomain-alert-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEDomain/Restrict-MDEDomain-entity-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEDomain/Restrict-MDEDomain-incident-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEFileHash/Restrict-MDEFileHash-alert-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEFileHash/Restrict-MDEFileHash-entity-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEFileHash/Restrict-MDEFileHash-incident-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEIPAddress/Restrict-MDEIPAddress-alert-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEIPAddress/Restrict-MDEIPAddress-entity-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEIPAddress/Restrict-MDEIPAddress-incident-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEUrl/Restrict-MDEUrl-alert-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEUrl/Restrict-MDEUrl-entity-trigger/azuredeploy.json",
+    "Playbooks/Restrict-MDEUrl/Restrict-MDEUrl-incident-trigger/azuredeploy.json",
+    "Playbooks/Run-MDEAntivirus/Run-MDEAntivirus-alert-trigger/azuredeploy.json",
+    "Playbooks/Run-MDEAntivirus/Run-MDEAntivirus-incident-trigger/azuredeploy.json",
+    "Playbooks/Unisolate-MDEMachine/Unisolate-MDE-Machine-entity-trigger/azuredeploy.json",
+    "Playbooks/Unisolate-MDEMachine/Unisolate-MDEMachine-alert-trigger/azuredeploy.json",
+    "Playbooks/Unisolate-MDEMachine/Unisolate-MDEMachine-incident-trigger/azuredeploy.json"
+  ],
+  "Analytic Rules": "[\n  \"AquaBlizzardAVHits.yaml\"\n]",
+  "Hunting Queries": "[\n  \"MDE_Usage.yaml\",\n  \"MDE_Process-IOCs.yaml\"\n]"
+}
@@ -7,41 +7,46 @@ requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - DeviceProcessEvents
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
 tactics:
   - Execution
   - Persistence
 tags:
   - Solorigate
   - NOBELIUM
 query:  |
-
   let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
   DeviceProcessEvents
   | where InitiatingProcessFileName =~ "solarwinds.businesslayerhost.exe"
   | where not(FolderPath has_any (excludeProcs))
   | extend
       timestamp = TimeGenerated,
       AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),
-      HostCustomEntity = DeviceName,
-      FileHashCustomEntity = MD5
+      HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.')),
+      AlgorithmCustomEntity = "MD5",FileHashCustomEntity = MD5
+  |extend Name = tostring(split(AccountCustomEntity, '@', 0)[0]), UPNSuffix = tostring(split(AccountCustomEntity, '@', 1)[0])    
+  | extend Account_0_Name = Name
+  | extend Account_0_UPNSuffix = UPNSuffix
+  | extend Host_0_HostName = HostName
+  | extend Host_0_DnsDomain = DnsDomain 
+  | extend FileHash_0_Algorithm = AlgorithmCustomEntity
+  | extend FileHash_0_Value = FileHashCustomEntity 
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: Name
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
   - entityType: Host
     fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
+      - identifier: HostName
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: DnsDomain
   - entityType: FileHash
     fieldMappings:
       - identifier: Algorithm
-        columnName: MD5
+        columnName: AlgorithmCustomEntity
       - identifier: Value
         columnName: FileHashCustomEntity
-version: 1.0.0
-kind: Scheduled
+version: 1.0.1
@@ -7,16 +7,11 @@ requiredDataConnectors:
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - DeviceProcessEvents
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
 tactics:
   - Discovery
 relevantTechniques:
   - T1018
 query: |
-
  let args = dynamic(["objectcategory","domainlist","dcmodes","adinfo","trustdmp","computers_pwdnotreqd","Domain Admins", "objectcategory=person", "objectcategory=computer", "objectcategory=*","dclist"]);
  let parentProcesses = dynamic(["pwsh.exe","powershell.exe","cmd.exe"]);
  DeviceProcessEvents
@@ -26,17 +21,28 @@ query: |
  | where FileName =~ "AdFind.exe" or SHA256 == "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3"
     // AdFind common Flags to check for from various threat actor TTPs
      or ProcessCommandLine has_any (args)
- | extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = SHA256
-
+ | extend ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = "SHA256", FileHashCustomEntity = SHA256,Name = tostring(split(AccountName, '@', 0)[0]), UPNSuffix = tostring(split(AccountName, '@', 1)[0]),HostName = tostring(split(DeviceName, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
+  | extend Account_0_Name = Name
+  | extend Account_0_UPNSuffix = UPNSuffix
+  | extend Host_0_HostName = HostName
+  | extend Host_0_DnsDomain = DnsDomain
+  | extend Process_0_ProcessId = ProcessCustomEntity
+  | extend Process_0_CommandLine = CommandLineCustomEntity
+  | extend FileHash_0_Algorithm = AlgorithmCustomEntity
+  | extend FileHash_0_Value = FileHashCustomEntity
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
+      - identifier: Name
+        columnName: Name
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: HostCustomEntity
+        columnName: HostName
+      - identifier: DnsDomain
+        columnName: DnsDomain
   - entityType: Process
     fieldMappings:
       - identifier: ProcessId
@@ -49,5 +55,4 @@ entityMappings:
         columnName: AlgorithmCustomEntity
       - identifier: Value
         columnName: FileHashCustomEntity
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Microsoft Sentinel Incidents queue. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Parsers:** 2, **Analytic Rules:** 1, **Hunting Queries:** 2, **Playbooks:** 22\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftDefenderForEndpoint/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) solution for Microsoft Sentinel enables you to ingest security alerts from the Defender for Endpoint platform, integrating them into your Microsoft Sentinel Incidents queue. \r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Codeless Connector Platform/Native Microsoft Sentinel Polling](https://docs.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)\n\n**Data Connectors:** 1, **Parsers:** 2, **Analytic Rules:** 1, **Hunting Queries:** 2, **Playbooks:** 22\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This solution installs the data connector for ingesting Microsoft Defender for Endpoint logs into Microsoft Sentinel, using Codeless Connector Platform and Native Microsoft Sentinel Polling. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for MicrosoftDefenderForEndpoint. You can get MicrosoftDefenderForEndpoint custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
@@ -211,4 +211,4 @@
       "workspace": "[basics('workspace')]"
     }
   }
-}
+}