CRTX-146131-Microsoft-Defender-for-Cloud #38537

Open
wants to merge 14 commits into
base: master
Expand Up @@ -132,41 +132,53 @@ filter _collector_type = "Azure Event Hub"
ExtendedProperties_Suspicious_Process_Id = json_extract_scalar(ExtendedProperties, "$.Suspicious Process Id"),
ExtendedProperties_Top_anomalous_queries = json_extract_scalar(ExtendedProperties, "$.Top anomalous queries"),
ExtendedProperties_Top_suspicious_queries = json_extract_scalar(ExtendedProperties, "$.Top suspicious queries"),
ExtendedProperties_Known_Port = json_extract_scalar(ExtendedProperties, "$.Known Port"),
ExtendedProperties_URL = json_extract_scalar(ExtendedProperties, "$.URL"),
ExtendedProperties_Sensor_Id = json_extract_scalar(ExtendedProperties, "$.SensorId"),
ExtendedProperties_Device_Id = json_extract_scalar(ExtendedProperties, "$.DeviceId"),
ExtendedProperties_Source_Device = json_extract_scalar(extendedproperties, "$.SourceDevice"),
ExtendedProperties_Category = json_extract_scalar(ExtendedProperties, "$.Category"),
ExtendedProperties_Destination_Device = json_extract_scalar(extendedproperties, "$.DestinationDevice"),
ExtendedProperties_User_Principal_Name = json_extract_scalar(ExtendedProperties, "$.userprincipalname"),
ExtendedProperties_User_Name = if(json_extract_scalar(ExtendedProperties, "$.User Name") != null, json_extract_scalar(ExtendedProperties, "$.User Name"), json_extract_scalar(ExtendedProperties, "$.Username") != null, json_extract_scalar(ExtendedProperties, "$.Username"), null),
ExtendedProperties_User_Agent = json_extract_scalar(ExtendedProperties, "$.User agent")
ExtendedProperties_User_Agent = json_extract_scalar(ExtendedProperties, "$.User agent"),
ExtendedProperties_Protocol = json_extract_scalar(ExtendedProperties, "$.Protocol"),
ExtendedProperties_Http_Method = json_extract_scalar(ExtendedProperties, "$['HTTP Request Method']")
// XDM fields
| alter
// Common fields
xdm.source.agent.identifier = if(AgentId != "", AgentId, null),
xdm.alert.name = AlertDisplayName,
xdm.alert.name = coalesce(AlertDisplayName,AlertName),
xdm.alert.subcategory = AlertType,
xdm.session_context_id = if(CorrelationKey != "", CorrelationKey, null),
xdm.alert.description = Description,
xdm.alert.severity = Severity,
xdm.alert.severity = coalesce(Severity,AlertSeverity),
xdm.alert.original_alert_id = SystemAlertId,
xdm.source.cloud.project_id = arraystring(arraymap(ResourceIdentifiers, if(json_extract_scalar("@element", "$.AzureResourceTenantId") != null, json_extract_scalar("@element", "$.AzureResourceTenantId"), json_extract_scalar("@element", "$.AadTenantId") != null, json_extract_scalar("@element", "$.AadTenantId"), json_extract_scalar("@element", "$.workspaceId") != null, json_extract_scalar("@element", "$.workspaceId"), "-")), ", "),
// Entities and Extended Properties fields
xdm.source.user.identifier = coalesce (ExtendedProperties_AAD_user_id, Entities_account_Identifier),
xdm.source.user.identifier = coalesce(ExtendedProperties_AAD_user_id, Entities_account_Identifier),
xdm.logon.logon_guid = coalesce(ExtendedProperties_Account_Session_Id, Entities_account_LogonId),
xdm.event.operation_sub_type = ExtendedProperties_Activity_type,
xdm.source.application.name = coalesce(ExtendedProperties_Application, ExtendedProperties_Application_name, ExtendedProperties_Client_Application),
xdm.source.ipv4 = coalesce(ExtendedProperties_Attacker_IP_Address_v4, ExtendedProperties_Source_IP_address_v4),
xdm.source.ipv4 = coalesce(ExtendedProperties_Attacker_IP_Address_v4, ExtendedProperties_Source_IP_address_v4, SourceDeviceAddress),
xdm.source.ipv6 = coalesce(ExtendedProperties_Attacker_IP_Address_v6, ExtendedProperties_Source_IP_address_v6),
xdm.auth.service = ExtendedProperties_Authentication_type,
xdm.target.host.hostname = coalesce(ExtendedProperties_Client_Hostname, ExtendedProperties_Compromised_Host, Entities_host_HostName),
xdm.target.ipv4 = coalesce(ExtendedProperties_Client_IP_Address_v4, ExtendedProperties_IP_address_v4),
xdm.target.host.hostname = coalesce(ExtendedProperties_Client_Hostname, ExtendedProperties_Compromised_Host, Entities_host_HostName, ExtendedProperties_Destination_Device),
xdm.target.ipv4 = coalesce(ExtendedProperties_Client_IP_Address_v4, ExtendedProperties_IP_address_v4, DestinationDeviceAddress),
xdm.target.ipv6 = coalesce(ExtendedProperties_Client_IP_Address_v6, ExtendedProperties_IP_address_v6),
xdm.source.user.username = coalesce(ExtendedProperties_Client_Principal_Name, ExtendedProperties_User_Name, Entities_account_username),
xdm.source.user.username = coalesce(ExtendedProperties_Client_Principal_Name, ExtendedProperties_User_Name, Entities_account_username, ExtendedProperties_User_Principal_Name),
xdm.source.process.command_line = coalesce(ExtendedProperties_Command, ExtendedProperties_Suspicious_Command_Line, Entities_process_commandline),
xdm.target.resource.name = coalesce(ExtendedProperties_CompromisedEntity, ExtendedProperties_Resource_name),
xdm.target.resource.type = ExtendedProperties_Resource_Type,
xdm.target.resource.id = ExtendedProperties_ResourceId,
xdm.observer.unique_identifier = ExtendedProperties_Device_Id,
xdm.database.name = coalesce(ExtendedProperties_Database, ExtendedProperties_Database_name),
xdm.target.file.filename = coalesce(ExtendedProperties_file, Entities_file_Name),
xdm.target.host.image = ExtendedProperties_Image_Name,
xdm.observer.name = ExtendedProperties_Sensor_Id,
xdm.source.host.hostname = ExtendedProperties_Source_Device,
xdm.target.sent_bytes = to_integer(ExtendedProperties_Payload_size),
xdm.target.port = ExtendedProperties_Port,
xdm.target.port = coalesce(ExtendedProperties_Port, to_integer(arrayindex(regextract(ExtendedProperties_Known_Port,"\d+"),0))),
xdm.source.process.identifier = coalesce(ExtendedProperties_Process_Id, ExtendedProperties_Suspicious_Process_Id, Entities_process_id),
xdm.source.process.name = coalesce(ExtendedProperties_Process_Name, ExtendedProperties_Suspicious_Process),
xdm.event.outcome = if(lowercase(ExtendedProperties_Request_status) contains "succ", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Request_status) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(ExtendedProperties_Result_Signature) contains "ok", XDM_CONST.OUTCOME_SUCCESS, lowercase(ExtendedProperties_Result_Signature) contains "unauth" or lowercase(ExtendedProperties_Result_Signature) contains " not ", XDM_CONST.OUTCOME_FAILED, null),
Expand All @@ -175,27 +187,24 @@ filter _collector_type = "Azure Event Hub"
xdm.database.statement = coalesce(ExtendedProperties_Top_anomalous_queries, ExtendedProperties_Top_suspicious_queries),
xdm.target.url = ExtendedProperties_URL,
xdm.source.user_agent = ExtendedProperties_User_Agent,
xdm.network.ip_protocol = arrayindex(regextract(ExtendedProperties_Known_Port,"^\S+"),0),
I'm assuming this regex refers to a field that looks like: HTTP:80, based on the fact that target port searches for \d+ on the same field. In this case this regex will include the port number and not only the protocol. Am I correct?


@sdaniel6 sdaniel6 Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The values in the original "Known Port" field follow the format "protocol (port)", such as "HTTP (80)" or "HTTPS (443)". Since there is a space between the protocol and the port, using "^\S+" will only capture the protocol.

I agree that the current regex looks too simple, so I will improve it by using capture groups to correctly extract both the protocol and the port.

New regex for protocol - "^(\w+)\s*\(\d+\)$"
New regex for port - "\((\d+)\)$"

Thanks,

Saar.

xdm.target.file.directory = Entities_file_Directory,
xdm.network.application_protocol_category = ExtendedProperties_Protocol,
xdm.target.file.md5 = Entities_filehash_md5,
xdm.event.description = if(ProductName = "Azure Security Center for IoT", object_create("HasMultipleViolations",json_extract_scalar(extendedproperties, "$.HasMultipleViolations"),"isNew",json_extract_scalar(extendedproperties, "$.isNew"),"ProcessedBySentinel",json_extract_scalar(extendedproperties, "$.ProcessedBySentinel"),"isLearnable",json_extract_scalar(extendedproperties, "$.isLearnable")), null),
xdm.target.host.ipv4_addresses = Entities_ip_address_local_v4,
xdm.event.operation = ExtendedProperties_Category,
//xdm.target.host.ipv6_addresses = Entities_ip_address_local_v6,
xdm.target.host.ipv4_public_addresses = Entities_ip_address_public_v4,
//xdm.target.host.ipv6_public_addresses = Entities_ip_address_public_v6,
xdm.target.host.ipv6_addresses = Entities_ip_address_v6,
xdm.source.process.executable.directory = Entities_process_image_directory,
xdm.source.process.executable.filename = Entities_process_image_filename,
xdm.target.host.os = Entities_host_OS;














xdm.event.type = type,
xdm.source.host.device_id = VendorOriginalId,
xdm.alert.mitre_tactics = arraymap(Tactics -> [], if( "@element" ~= "Collection", XDM_CONST.MITRE_TACTIC_COLLECTION, "@element" ~= "CommandAndControl", XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL, "@element" ~= "CredentialAccess", XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS, "@element" ~= "DefenceEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION, "@element" ~= "Discovery", XDM_CONST.MITRE_TACTIC_DISCOVERY, "@element" ~= "Execution", XDM_CONST.MITRE_TACTIC_EXECUTION, "@element" ~= "Exfiltration", XDM_CONST.MITRE_TACTIC_EXFILTRATION, "@element" ~= "Impact", XDM_CONST.MITRE_TACTIC_IMPACT, "@element" ~= "InitialAccess", XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS, "@element" ~= "LateralMovement", XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT, "@element" ~= "Persistence", XDM_CONST.MITRE_TACTIC_PERSISTENCE, "@element" ~= "PrivilegeEscalation", XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION, "@element" ~= "Reconnaissance", XDM_CONST.MITRE_TACTIC_RECONNAISSANCE, "@element" ~= "ResourceDevelopment", XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT, "@element")),
xdm.alert.mitre_techniques = arraymap(Techniques -> [], if("@element"~="T0800","ACTIVATE_FIRMWARE_UPDATE_MODE", "@element"~="T0830","ADVERSARY_IN_THE_MIDDLE", "@element"~="T0878","ALARM_SUPPRESSION", "@element"~="T0802","AUTOMATED_COLLECTION", "@element"~="T0895","AUTORUN_IMAGE", "@element"~="T0803","BLOCK_COMMAND_MESSAGE", "@element"~="T0804","BLOCK_REPORTING_MESSAGE", "@element"~="T0805","BLOCK_SERIAL_COM", "@element"~="T0806","BRUTE_FORCE_I/O", "@element"~="T0892","CHANGE_CREDENTIAL", "@element"~="T0858","CHANGE_OPERATING_MODE", "@element"~="T0807","COMMAND_LINE_INTERFACE", "@element"~="T0885","COMMONLY_USED_PORT", "@element"~="T0884","CONNECTION_PROXY", "@element"~="T0879","DAMAGE_TO_PROPERTY", "@element"~="T0809","DATA_DESTRUCTION", "@element"~="T0811","DATA_FROM_INFORMATION_REPOSITORIES", "@element"~="T0893","DATA_FROM_LOCAL_SYSTEM", "@element"~="T0812","DEFAULT_CREDENTIALS", "@element"~="T0813","DENIAL_OF_CONTROL", "@element"~="T0814","DENIAL_OF_SERVICE", "@element"~="T0815","DENIAL_OF_VIEW", "@element"~="T0868","DETECT_OPERATING_MODE", "@element"~="T0816","DEVICE_RESTART/SHUTDOWN", "@element"~="T0817","DRIVE_BY_COMPROMISE", "@element"~="T0871","EXECUTION_THROUGH_API", "@element"~="T0819","EXPLOIT_PUBLIC_FACING_APPLICATION", "@element"~="T0860","WIRELESS_COMPROMISE", "@element"~="T0887","WIRELESS_SNIFFING", "@element"~="T0820","EXPLOITATION_FOR_EVASION", "@element"~="T0890","EXPLOITATION_FOR_PRIVILEGE_ESCALATION", "@element"~="T0866","EXPLOITATION_OF_REMOTE_SERVICES", "@element"~="T0822","EXTERNAL_REMOTE_SERVICES", "@element"~="T0823","GRAPHICAL_USER_INTERFACE", "@element"~="T0891","HARDCODED_CREDENTIALS", "@element"~="T0874","HOOKING", "@element"~="T0877","I/O_IMAGE", "@element"~="T0872","INDICATOR_REMOVAL_ON_HOST", "@element"~="T0883","INTERNET_ACCESSIBLE_DEVICE", "@element"~="T0867","LATERAL_TOOL_TRANSFER", "@element"~="T0826","LOSS_OF_AVAILABILITY", "@element"~="T0827","LOSS_OF_CONTROL", "@element"~="T0828","LOSS_OF_PRODUCTIVITY_AND_REVENUE", 
"@element"~="T0837","LOSS_OF_PROTECTION", "@element"~="T0880","LOSS_OF_SAFETY", "@element"~="T0829","LOSS_OF_VIEW", "@element"~="T0835","MANIPULATE_I/O_IMAGE", "@element"~="T0831","MANIPULATION_OF_CONTROL", "@element"~="T0832","MANIPULATION_OF_VIEW", "@element"~="T0849","MASQUERADING", "@element"~="T0838","MODIFY_ALARM_SETTINGS", "@element"~="T0821","MODIFY_CONTROLLER_TASKING", "@element"~="T0836","MODIFY_PARAMETER", "@element"~="T0889","MODIFY_PROGRAM", "@element"~="T0839","MODULE_FIRMWARE", "@element"~="T0801","MONITOR_PROCESS_STATE", "@element"~="T0834","NATIVE_API", "@element"~="T0840","NETWORK_CONNECTION_ENUMERATION", "@element"~="T0842","NETWORK_SNIFFING", "@element"~="T0861","POINT&TAG_IDENTIFICATION", "@element"~="T0843","PROGRAM_DOWNLOAD", "@element"~="T0845","PROGRAM_UPLOAD", "@element"~="T0873","PROJECT_FILE_INFECTION", "@element"~="T0886","REMOTE_SERVICES", "@element"~="T0846","REMOTE_SYSTEM_DISCOVERY", "@element"~="T0888","REMOTE_SYSTEM_INFORMATION_DISCOVERY", "@element"~="T0847","REPLICATION_THROUGH_REMOVABLE_MEDIA", "@element"~="T0848","ROGUE_MASTER", "@element"~="T0851","ROOTKIT", "@element"~="T0852","SCREEN_CAPTURE", "@element"~="T0853","SCRIPTING", "@element"~="T0881","SERVICE_STOP", "@element"~="T0865","SPEARPHISHING_ATTACHMENT", "@element"~="T0856","SPOOF_REPORTING_MESSAGE", "@element"~="T0869","STANDARD_APPLICATION_LAYER_PROTOCOL", "@element"~="T0862","SUPPLY_CHAIN_COMPROMISE", "@element"~="T0894","SYSTEM_BINARY_PROXY_EXECUTION", "@element"~="T0857","SYSTEM_FIRMWARE", "@element"~="T0882","THEFT_OF_OPERATIONAL_INFORMATION", "@element"~="T0864","TRANSIENT_CYBER_ASSET", "@element"~="T0855","UNAUTHORIZED_COMMAND_MESSAGE", "@element"~="T0863","USER_EXECUTION", "@element"~="T0859","VALID_ACCOUNTS","@element")),
xdm.alert.category = ProductComponentName,
xdm.event.original_event_type = ProviderName,
xdm.network.http.method = if(ExtendedProperties_Http_Method = "GET", XDM_CONST.Http_Method_GET, ExtendedProperties_Http_Method = "POST", XDM_CONST.Http_Method_POST, ExtendedProperties_Http_Method = "PUT", XDM_CONST.Http_Method_PUT, ExtendedProperties_Http_Method = "OPTIONS", XDM_CONST.Http_Method_OPTIONS, ExtendedProperties_Http_Method = "CONNECT", XDM_CONST.Http_Method_CONNECT, ExtendedProperties_Http_Method = "ACL", XDM_CONST.Http_Method_ACL, ExtendedProperties_Http_Method = "BASELINE_CONTROL", XDM_CONST.Http_Method_BASELINE_CONTROL, ExtendedProperties_Http_Method = "BIND", XDM_CONST.Http_Method_BIND, ExtendedProperties_Http_Method = "CHECKIN", XDM_CONST.Http_Method_CHECKIN, ExtendedProperties_Http_Method = "CHECKOUT", XDM_CONST.Http_Method_CHECKOUT, ExtendedProperties_Http_Method = "COPY", XDM_CONST.Http_Method_COPY, ExtendedProperties_Http_Method = "DELETE", XDM_CONST.Http_Method_DELETE, ExtendedProperties_Http_Method = "HEAD", XDM_CONST.Http_Method_HEAD, ExtendedProperties_Http_Method = "LABEL", XDM_CONST.Http_Method_LABEL, ExtendedProperties_Http_Method = "LINK", XDM_CONST.Http_Method_LINK, ExtendedProperties_Http_Method = "LOCK", XDM_CONST.Http_Method_LOCK, ExtendedProperties_Http_Method = "MERGE", XDM_CONST.Http_Method_MERGE, ExtendedProperties_Http_Method = "MKACTIVITY", XDM_CONST.Http_Method_MKACTIVITY, ExtendedProperties_Http_Method = "MKCALENDAR", XDM_CONST.Http_Method_MKCALENDAR, ExtendedProperties_Http_Method = "MKCOL", XDM_CONST.Http_Method_MKCOL, ExtendedProperties_Http_Method = "MKREDIRECTREF", XDM_CONST.Http_Method_MKREDIRECTREF, ExtendedProperties_Http_Method = "MKWORKSPACE", XDM_CONST.Http_Method_MKWORKSPACE, ExtendedProperties_Http_Method = "MOVE", XDM_CONST.Http_Method_MOVE, ExtendedProperties_Http_Method = "ORDERPATCH", XDM_CONST.Http_Method_ORDERPATCH, ExtendedProperties_Http_Method = "PATCH", XDM_CONST.Http_Method_PATCH, ExtendedProperties_Http_Method = "PRI", XDM_CONST.Http_Method_PRI, ExtendedProperties_Http_Method = "PROPFIND", 
XDM_CONST.Http_Method_PROPFIND, ExtendedProperties_Http_Method = "PROPPATCH", XDM_CONST.Http_Method_PROPPATCH, ExtendedProperties_Http_Method = "REBIND", XDM_CONST.Http_Method_REBIND, ExtendedProperties_Http_Method = "REPORT", XDM_CONST.Http_Method_REPORT, ExtendedProperties_Http_Method = "SEARCH", XDM_CONST.Http_Method_SEARCH, ExtendedProperties_Http_Method = "TRACE", XDM_CONST.Http_Method_TRACE, ExtendedProperties_Http_Method = "UNBIND", XDM_CONST.Http_Method_UNBIND, ExtendedProperties_Http_Method = "UNCHECKOUT", XDM_CONST.Http_Method_UNCHECKOUT, ExtendedProperties_Http_Method = "UNLINK", XDM_CONST.Http_Method_UNLINK, ExtendedProperties_Http_Method = "UNLOCK", XDM_CONST.Http_Method_UNLOCK, ExtendedProperties_Http_Method = "UPDATE", XDM_CONST.Http_Method_UPDATE, ExtendedProperties_Http_Method = "UPDATEREDIRECTREF", XDM_CONST.Http_Method_UPDATEREDIRECTREF, ExtendedProperties_Http_Method = "VERSION_CONTROL", XDM_CONST.Http_Method_VERSION_CONTROL, null),
xdm.target.host.os = Entities_host_OS;
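Review bot: The `xdm.alert.mitre_tactics` mapping in the second hunk matches the tactic with `"@element" ~= "DefenceEvasion"`, but MITRE and the XDM constant it maps to (`MITRE_TACTIC_DEFENSE_EVASION`) use the American spelling, so if Defender for Cloud emits `DefenseEvasion` those alerts fall through to the raw `"@element"` fallback and the tactic is never normalised. Accepting either spelling is a one-token change: `"@element" ~= "Defen[cs]eEvasion", XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION`, and it is worth confirming against a real alert which spelling the feed actually uses. Separately, `xdm.event.description` is assigned the output of `object_create(...)` for the IoT product; if that XDM field is string-typed, wrap it as `to_string(object_create(...))` so the value is not rejected or dropped at load time. The `alter` statement these assignments belong to begins in the earlier hunk.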
Expand Up @@ -59,6 +59,46 @@
"SystemAlertId": {
"type": "string",
"is_array": false
},
"ProductName": {
"type": "string",
"is_array": false
},
"ProductComponentName": {
"type": "string",
"is_array": false
},
"AlertSeverity": {
"type": "string",
"is_array": false
},
"Tactics": {
"type": "string",
"is_array": false
},
"Techniques": {
"type": "string",
"is_array": false
},
"DestinationDeviceAddress": {
"type": "string",
"is_array": false
},
"ProviderName": {
"type": "string",
"is_array": false
},
"AlertName": {
"type": "string",
"is_array": false
},
"SourceDeviceAddress": {
"type": "string",
"is_array": false
},
"VendorOriginalId": {
"type": "string",
"is_array": false
}
}
}
}
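Review bot: `Tactics` and `Techniques` are declared here as scalar strings (`"is_array": false`), yet the modeling rule in this PR applies `arraymap(Tactics -> [], ...)` and `arraymap(Techniques -> [], ...)` to them, i.e. it treats them as arrays. If the Defender for Cloud payload delivers them as JSON arrays, declare them `"is_array": true` so the schema matches the data and the `-> []` cast is not silently coercing a string; if they really are single strings, the cast is what makes the mapping work and a short comment in the rule should say so. Which case applies cannot be told from the diff alone, so check against a sample event.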
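--- a/Packs/AzureSecurityCenter/ReleaseNotes/2_0_36.md
+++ b/Packs/AzureSecurityCenter/ReleaseNotes/2_0_36.md
@@ -0,0 +1,6 @@
+
+#### Modeling Rules
+
+##### Defender For Cloud Microsoft Modeling Rule
+
+Improved implementation of Cortex Data Model (XDM) mapping for Azure Defender For IOT.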
2 changes: 1 addition & 1 deletion Packs/AzureSecurityCenter/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Microsoft Defender for Cloud",
"description": "Unified security management and advanced threat protection across hybrid cloud workloads.",
"support": "xsoar",
"currentVersion": "2.0.35",
"currentVersion": "2.0.36",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",