
Commit fa70efa

authored
Merge pull request #495 from briandelmsft/exposure_module
v2.2 Release - Exposure Module, Unsynced entity enrichment
2 parents 388fdcf + 2fb4d57 commit fa70efa


7 files changed

+166
-87
lines changed

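--- a/Connector/connector.json
+++ b/Connector/connector.json
@@ -30,7 +30,7 @@
 }
 },
 "variables": {
-"STATConnectorVersion": "2.1.0"
+"STATConnectorVersion": "2.2.0"
 },
 "resources": [
 {
@@ -760,6 +760,162 @@
 }
 }
 },
+"/api/modules/deviceexposure": {
+"post": {
+"summary": "Device Exposure Module",
+"description": "Sentinel Triage AssistanT Module for reviewing Device Exposure Risks",
+"operationId": "DeviceExposureModule",
+"parameters": [
+{
+"name": "body",
+"in": "body",
+"schema": {
+"type": "object",
+"properties": {
+"AddIncidentComments": {
+"type": "boolean",
+"description": "Add Comments to Microsoft Sentinel Incident",
+"title": "",
+"enum": [
+true,
+false
+],
+"x-ms-visibility": "advanced"
+},
+"AddIncidentTags": {
+"type": "boolean",
+"description": "Add Tags to Microsoft Sentinel Incident",
+"title": "",
+"enum": [
+true,
+false
+],
+"x-ms-visibility": "advanced"
+},
+"AddIncidentTask": {
+"type": "boolean",
+"description": "Add a task to Microsoft Sentinel Incident",
+"title": "",
+"enum": [
+true,
+false
+],
+"x-ms-visibility": "advanced"
+},
+"IncidentTaskInstructions": {
+"type": "string",
+"description": "Instructions to include in the Microsoft Sentinel Task",
+"x-ms-visibility": "advanced"
+},
+"BaseModuleBody": {
+"type": "object",
+"description": "Body from STAT Base Module",
+"title": "",
+"x-ms-visibility": "important"
+}
+},
+"default": {
+"AddIncidentComments": true,
+"Entities": ""
+},
+"required": [
+"BaseModuleBody"
+]
+},
+"required": true
+}
+],
+"responses": {
+"default": {
+"description": "default",
+"schema": {
+"type": "object",
+"description": "Device Exposure Module",
+"properties": {
+}
+}
+}
+}
+}
+},
+"/api/modules/userexposure": {
+"post": {
+"summary": "User Exposure Module",
+"description": "Sentinel Triage AssistanT Module for evaulating User exposure.",
+"operationId": "UserExposureModule",
+"parameters": [
+{
+"name": "body",
+"in": "body",
+"schema": {
+"type": "object",
+"properties": {
+"AddIncidentComments": {
+"type": "boolean",
+"description": "Add Comments to Microsoft Sentinel Incident",
+"title": "",
+"enum": [
+true,
+false
+],
+"x-ms-visibility": "advanced"
+},
+"AddIncidentTags": {
+"type": "boolean",
+"description": "Add Tags to Microsoft Sentinel Incident",
+"title": "",
+"enum": [
+true,
+false
+],
+"x-ms-visibility": "advanced"
+},
+"AddIncidentTask": {
+"type": "boolean",
+"description": "Add a task to Microsoft Sentinel Incident",
+"title": "",
+"enum": [
+true,
+false
+],
+"x-ms-visibility": "advanced"
+},
+"IncidentTaskInstructions": {
+"type": "string",
+"description": "Instructions to include in the Microsoft Sentinel Task",
+"x-ms-visibility": "advanced"
+},
+"BaseModuleBody": {
+"type": "object",
+"description": "Body from STAT Base Module",
+"title": "",
+"x-ms-visibility": "important"
+}
+},
+"default": {
+"AddIncidentComments": true,
+"Entities": ""
+},
+"required": [
+"BaseModuleBody"
+]
+},
+"required": true
+}
+],
+"responses": {
+"default": {
+"description": "default",
+"schema": {
+"type": "object",
+"description": "User Exposure Module Body",
+"properties": {
+}
+}
+}
+}
+}
+},
 "/api/modules/threatintel": {
 "post": {
 "summary": "Threat Intel Module",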

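--- a/Deploy/deployui.json
+++ b/Deploy/deployui.json
@@ -462,36 +462,6 @@
 }
 ],
 "visible": "[if(equals(steps('apiStep').api, 'custom'), true, false)]"
-},
-{
-"name": "apiTextBlock5",
-"type": "Microsoft.Common.TextBlock",
-"visible": true,
-"options": {
-"text": "Microsoft Defender for Cloud Apps API uses a tenant specific endpoint which must be entered to use that module.",
-"link": {
-"label": "Learn more",
-"uri": "https://learn.microsoft.com/defender-cloud-apps/api-introduction#api-url-structure"
-}
-}
-},
-{
-"name": "mdcaApi",
-"type": "Microsoft.Common.TextBox",
-"label": "Microsoft Defender for Cloud Apps API",
-"placeholder": "*.*.portal.cloudappsecurity.com",
-"defaultValue": "",
-"toolTip": "Microsoft Defender for Cloud Apps API Endpoint",
-"constraints": {
-"required": true,
-"validations": [
-{
-"regex": "(^(?![hH][tT][tT][pP][sS]?:\/\/)).*",
-"message": "Enter only the hostname, such as org.region.cloudappsecurity.com, do not include the https:// prefix."
-}
-]
-},
-"visible": true
 }
 ]
 },
@@ -546,7 +516,7 @@
 "type": "Microsoft.Common.TextBox",
 "label": "STAT Function ZIP Package",
 "placeholder": "",
-"defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip",
+"defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.2.0/stat.zip",
 "toolTip": "Full path to the STAT Function ZIP deployment package",
 "constraints": {
 "required": true,
@@ -580,11 +550,10 @@
 "STATConnectorName": "[coalesce(steps('namingStep').customNaming.statConnectorName, 'SentinelTriageAssistantv2')]",
 "STATConnectorDisplayName": "[coalesce(steps('namingStep').customNaming.statConnectorDisplayName, 'STAT v2')]",
 "storageAccountType": "Standard_LRS",
-"FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip')]",
+"FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.2.0/stat.zip')]",
 "MSGraphEndpoint": "[coalesce(steps('apiStep').customApi.graphApi,'graph.microsoft.com')]",
 "M365Endpoint": "[coalesce(steps('apiStep').customApi.m365Api,'api.security.microsoft.com')]",
 "MDEEndpoint": "[coalesce(steps('apiStep').customApi.mdeApi,'api.securitycenter.microsoft.com')]",
-"MDCAEndpoint": "[steps('apiStep').mdcaApi]",
 "LogAnalyticsEndpoint": "[coalesce(steps('apiStep').customApi.laApi,'api.loganalytics.io')]",
 "AzureResourceManagerEndpoint": "[coalesce(steps('apiStep').customApi.armApi,'management.azure.com')]",
 "ServicePrincipalClientId": "[coalesce(steps('identityStep').spId.clientId,steps('identityStep').userId.clientId, 'none')]",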

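--- a/Deploy/statdeploy.json
+++ b/Deploy/statdeploy.json
@@ -66,13 +66,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
-"MDCAEndpoint": {
-"type": "string",
-"defaultValue": "",
-"metadata": {
-"description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
-}
-},
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -137,7 +130,10 @@
 "sku": {
 "name": "[parameters('storageAccountType')]"
 },
-"kind": "Storage"
+"kind": "Storage",
+"properties": {
+"allowBlobPublicAccess": false
+}
 },
 {
 "type": "Microsoft.Web/serverfarms",
@@ -191,9 +187,6 @@
 "MDEEndpoint": {
 "value": "[parameters('MDEEndpoint')]"
 },
-"MDCAEndpoint": {
-"value": "[parameters('MDCAEndpoint')]"
-},
 "LogAnalyticsEndpoint": {
 "value": "[parameters('LogAnalyticsEndpoint')]"
 },
@@ -267,9 +260,6 @@
 "MDEEndpoint": {
 "value": "[parameters('MDEEndpoint')]"
 },
-"MDCAEndpoint": {
-"value": "[parameters('MDCAEndpoint')]"
-},
 "LogAnalyticsEndpoint": {
 "value": "[parameters('LogAnalyticsEndpoint')]"
 },
@@ -337,9 +327,6 @@
 "MDEEndpoint": {
 "value": "[parameters('MDEEndpoint')]"
 },
-"MDCAEndpoint": {
-"value": "[parameters('MDCAEndpoint')]"
-},
 "LogAnalyticsEndpoint": {
 "value": "[parameters('LogAnalyticsEndpoint')]"
 },
@@ -379,4 +366,4 @@
 ],
 "outputs": {
 }
-}
+}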
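Review bot: Turning off anonymous blob access on the function's storage account is the right call, but the new `properties` block leaves the transport controls at the API-version defaults, and for older `Microsoft.Storage/storageAccounts` API versions those defaults still permit TLS 1.0/1.1 and, on the oldest, plain HTTP; add `"minimumTlsVersion": "TLS1_2"` and `"supportsHttpsTrafficOnly": true` alongside `"allowBlobPublicAccess": false`. The resource's `apiVersion` sits above this hunk, so I cannot confirm from here whether the defaults already cover it, but pinning both explicitly costs nothing and survives a later API-version change. `"kind": "Storage"` is the legacy general-purpose v1 kind; `StorageV2` is the current recommendation, though switching kind on an existing deployment is a one-way upgrade that should be checked separately rather than folded into this change.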

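--- a/Function/ServicePrincipalIdentity.json
+++ b/Function/ServicePrincipalIdentity.json
@@ -47,13 +47,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
-"MDCAEndpoint": {
-"type": "string",
-"defaultValue": "",
-"metadata": {
-"description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
-}
-},
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -162,10 +155,6 @@
 "name": "MDE_ENDPOINT",
 "value": "[parameters('MDEEndpoint')]"
 },
-{
-"name": "MDCA_ENDPOINT",
-"value": "[parameters('MDCAEndpoint')]"
-},
 {
 "name": "AZURE_CLIENT_ID",
 "value": "[parameters('ServicePrincipalClientId')]"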

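--- a/Function/SystemIdentity.json
+++ b/Function/SystemIdentity.json
@@ -47,13 +47,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
-"MDCAEndpoint": {
-"type": "string",
-"defaultValue": "",
-"metadata": {
-"description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
-}
-},
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -150,10 +143,6 @@
 "name": "MDE_ENDPOINT",
 "value": "[parameters('MDEEndpoint')]"
 },
-{
-"name": "MDCA_ENDPOINT",
-"value": "[parameters('MDCAEndpoint')]"
-},
 {
 "name": "AZURE_TENANT_ID",
 "value": "[parameters('AADTenantId')]"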

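--- a/Function/UserAssignedIdentity.json
+++ b/Function/UserAssignedIdentity.json
@@ -47,13 +47,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
-"MDCAEndpoint": {
-"type": "string",
-"defaultValue": "",
-"metadata": {
-"description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
-}
-},
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -162,10 +155,6 @@
 "name": "MDE_ENDPOINT",
 "value": "[parameters('MDEEndpoint')]"
 },
-{
-"name": "MDCA_ENDPOINT",
-"value": "[parameters('MDCAEndpoint')]"
-},
 {
 "name": "AZURE_CLIENT_ID",
 "value": "[parameters('ServicePrincipalClientId')]"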

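--- a/Modules/versions.json
+++ b/Modules/versions.json
@@ -9,8 +9,8 @@
 "RelatedAlerts": "0.3.0",
 "RunPlaybook": "0.0.1",
 "ScoringModule": "0.1.0",
-"STATConnector": "2.1.0",
-"STATFunction": "2.1.0",
+"STATConnector": "2.2.0",
+"STATFunction": "2.2.0",
 "TIModule": "0.2.0",
 "UEBAModule": "0.1.1",
 "WatchlistModule": "0.1.0"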
