squaredup
diff --git a/‎plugins/MicrosoftDefender/v1/configValidation.json‎
Lines changed: 30 additions & 0 deletions b/‎plugins/MicrosoftDefender/v1/configValidation.json‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎plugins/MicrosoftDefender/v1/custom_types.json‎
Lines changed: 9 additions & 0 deletions b/‎plugins/MicrosoftDefender/v1/custom_types.json‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json‎
Lines changed: 77 additions & 0 deletions b/‎plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json‎
Lines changed: 52 additions & 0 deletions b/‎plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎plugins/MicrosoftDefender/v1/dataStreams/alerts.json‎
Lines changed: 218 additions & 0 deletions b/‎plugins/MicrosoftDefender/v1/dataStreams/alerts.json‎
Lines changed: 218 additions & 0 deletions
@@ -0,0 +1,30 @@
+{
+    "steps": [
+        {
+            "displayName": "Alerts access",
+            "dataStream": { "name": "validationAlerts" },
+            "success": "Successfully read alerts.",
+            "error": "Cannot read alerts. Grant the 'SecurityAlert.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret.",
+            "required": true
+        },
+        {
+            "displayName": "Incidents access",
+            "dataStream": { "name": "validationIncidents" },
+            "success": "Successfully read incidents.",
+            "error": "Cannot read incidents. Grant the 'SecurityIncident.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret."
+        },
+        {
+            "displayName": "Advanced hunting access",
+            "dataStream": { "name": "validationHunting" },
+            "success": "Successfully ran an advanced hunting query.",
+            "error": "Cannot run advanced hunting queries. Grant the 'ThreatHunting.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret.",
+            "required": true
+        },
+        {
+            "displayName": "Secure score access",
+            "dataStream": { "name": "validationSecureScore" },
+            "success": "Successfully read secure scores.",
+            "error": "Cannot read secure scores. Grant the 'SecurityEvents.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret."
+        }
+    ]
+}
@@ -0,0 +1,9 @@
+[
+    {
+        "name": "Device",
+        "sourceType": "Device",
+        "icon": "desktop",
+        "singular": "Device",
+        "plural": "Devices"
+    }
+]
@@ -0,0 +1,77 @@
+{
+    "name": "Vulnerabilities",
+    "displayName": "Vulnerabilities",
+    "description": "Returns vulnerabilities data for the specified device",
+    "baseDataSourceName": "httpRequestScoped",
+    "config": {
+        "httpMethod": "post",
+        "errorHandling": {
+            "type": "default"
+        },
+        "paging": {
+            "mode": "none"
+        },
+        "expandInnerObjects": true,
+        "endpointPath": "runHuntingQuery",
+        "postBody": {
+            "Query": "DeviceTvmSoftwareVulnerabilities | where DeviceId in ({{objects.map(o => {return `\"${o.rawId}\"`}).join(\",\")}})",
+            "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
+        },
+        "pathToData": "results",
+        "getArgs": [],
+        "headers": []
+    },
+    "metadata": [
+        {
+            "name": "CveGuide",
+            "displayName": "Cve Id",
+            "valueExpression": "{{ $['CveId'] ? `https://msrc.microsoft.com/update-guide/vulnerability/${$['CveId']}` : '' }}",
+            "formatExpression": "{{ $['CveId'] }}",
+            "shape": "url",
+            "computed": true
+        },
+        {
+            "name": "CveId",
+            "displayName": "CVE Id",
+            "shape": "string",
+            "visible": false,
+            "role": "label"
+        },
+        {
+            "name": "VulnerabilitySeverityLevel",
+            "displayName": "Severity",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "SoftwareName",
+            "displayName": "Affected Software",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "CveTags",
+            "displayName": "Tags",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "sourceId": "DeviceId",
+            "name": "DeviceName",
+            "shape": "string",
+            "visible": false,
+            "role": "label",
+            "sourceType": "Device"
+        }
+    ],
+    "matches": {
+        "sourceType": {
+            "type": "equals",
+            "value": "Device"
+        }
+    },
+    "timeframes": false,
+    "providesPluginDiagnostics": true,
+    "objectLimit": 1,
+    "tags": []
+}
@@ -0,0 +1,52 @@
+{
+    "name": "advancedHuntingQuery",
+    "displayName": "Advanced Hunting Query",
+    "description": "Queries a specified set of data supported by Defender to proactively look for specific threats in your environment",
+    "baseDataSourceName": "httpRequestUnscoped",
+    "config": {
+        "httpMethod": "post",
+        "errorHandling": {
+            "type": "default"
+        },
+        "paging": {
+            "mode": "none"
+        },
+        "expandInnerObjects": true,
+        "endpointPath": "runHuntingQuery",
+        "postBody": {
+            "Query": "{{query}}",
+            "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
+        },
+        "pathToData": "results",
+        "getArgs": [],
+        "headers": []
+    },
+    "timeframes": [
+        "last1hour",
+        "last12hours",
+        "last24hours",
+        "last7days",
+        "last30days",
+        "thisMonth",
+        "thisQuarter",
+        "thisYear",
+        "lastMonth",
+        "lastQuarter",
+        "lastYear"
+    ],
+    "supportsNoneTimeframe": true,
+    "providesPluginDiagnostics": true,
+    "manualConfigApply": true,
+    "tags": [],
+    "ui": [
+        {
+            "name": "query",
+            "language": "kusto",
+            "label": "Query",
+            "type": "code",
+            "validation": {
+                "required": true
+            }
+        }
+    ]
+}
@@ -0,0 +1,218 @@
+{
+    "name": "alerts",
+    "displayName": "Alerts",
+    "description": "Returns a list of alert resources created to track suspicious activities in an organization",
+    "baseDataSourceName": "httpRequestUnscoped",
+    "config": {
+        "httpMethod": "get",
+        "errorHandling": {
+            "type": "default"
+        },
+        "paging": {
+            "mode": "nextUrl",
+            "pageSize": {
+                "realm": {
+                    "value": "none",
+                    "label": "none"
+                }
+            },
+            "in": {
+                "realm": {
+                    "value": "payload",
+                    "label": "payload"
+                },
+                "path": "@odata.nextLink"
+            }
+        },
+        "expandInnerObjects": true,
+        "endpointPath": "alerts_v2",
+        "pathToData": "value",
+        "getArgs": [
+            {
+                "key": "$filter",
+                "value": "{{ status && status.length > 0 ? \"(status eq \" + status.map((m) => { return `'${m}'` }).join(\" or status eq \") + \") and \" : \"\" }}{{ severity && severity.length > 0 ? \"(severity eq \" + severity.map((m) => { return `'${m}'` }).join(\" or severity eq \") + \") and \" : \"\" }}{{timeframe.enum !== \"none\" ? timeframeCol + \" ge \" + timeframe.start + \" and \" + timeframeCol + \" le \" + timeframe.end : \"1 eq 1\"}}"
+            }
+        ],
+        "headers": []
+    },
+    "metadata": [
+        {
+            "name": "title",
+            "displayName": "Alert Name",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "systemTags",
+            "displayName": "System Tags",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "severity",
+            "displayName": "Severity",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "status",
+            "displayName": "Status",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "category",
+            "displayName": "Category",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "detectionSource",
+            "displayName": "Detection Source",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "firstActivityDateTime",
+            "displayName": "First Activity",
+            "shape": "date",
+            "role": "label"
+        },
+        {
+            "name": "lastActivityDateTime",
+            "displayName": "Last Activity",
+            "shape": "date",
+            "role": "label"
+        },
+        {
+            "name": "classification",
+            "displayName": "Classification",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "determination",
+            "displayName": "Determination",
+            "shape": "string",
+            "role": "label"
+        },
+        {
+            "name": "assignedTo",
+            "displayName": "Assigned To",
+            "shape": "string",
+            "role": "label"
+        }
+    ],
+    "timeframes": [
+        "last1hour",
+        "last12hours",
+        "last24hours",
+        "last7days",
+        "last30days",
+        "thisMonth",
+        "thisQuarter",
+        "thisYear",
+        "lastMonth",
+        "lastQuarter",
+        "lastYear"
+    ],
+    "supportsNoneTimeframe": true,
+    "manualConfigApply": true,
+    "providesPluginDiagnostics": true,
+    "tags": [],
+    "ui": [
+        {
+            "name": "severity",
+            "label": "Severity",
+            "type": "autocomplete",
+            "data": {
+                "source": "fixed",
+                "values": [
+                    {
+                        "value": "low",
+                        "label": "Low"
+                    },
+                    {
+                        "value": "medium",
+                        "label": "Medium"
+                    },
+                    {
+                        "value": "high",
+                        "label": "High"
+                    },
+                    {
+                        "value": "informational",
+                        "label": "Informational"
+                    },
+                    {
+                        "value": "unknown",
+                        "label": "Unknown"
+                    },
+                    {
+                        "value": "unknownFutureValue",
+                        "label": "Unknown Future Value"
+                    }
+                ]
+            },
+            "isClearable": true
+        },
+        {
+            "name": "status",
+            "label": "Status",
+            "type": "autocomplete",
+            "data": {
+                "source": "fixed",
+                "values": [
+                    {
+                        "value": "newAlert",
+                        "label": "New"
+                    },
+                    {
+                        "value": "inProgress",
+                        "label": "In Progress"
+                    },
+                    {
+                        "value": "resolved",
+                        "label": "Resolved"
+                    },
+                    {
+                        "value": "unknown",
+                        "label": "Unknown"
+                    },
+                    {
+                        "value": "unknownFutureValue",
+                        "label": "Unknown Future Value"
+                    }
+                ]
+            },
+            "isClearable": true
+        },
+        {
+            "tileEditorStep": ["Timeframe"],
+            "isMulti": false,
+            "help": "Select the column to apply the timeframe",
+            "data": {
+                "source": "fixed",
+                "values": [
+                    {
+                        "value": "createdDateTime",
+                        "label": "Creation Time"
+                    },
+                    {
+                        "value": "lastActivityDateTime",
+                        "label": "Last Activity Time"
+                    },
+                    {
+                        "value": "lastUpdateDateTime",
+                        "label": "Last Update Time"
+                    }
+                ]
+            },
+            "defaultValue": "createdDateTime",
+            "name": "timeframeCol",
+            "label": "Timeframe Column",
+            "type": "autocomplete",
+            "isClearable": false
+        }
+    ]
+}