diff --git a/plugins/MicrosoftDefender/v1/configValidation.json b/plugins/MicrosoftDefender/v1/configValidation.json
new file mode 100644
index 0000000..d9c93aa
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/configValidation.json
@@ -0,0 +1,13 @@
+{
+ "steps": [
+ {
+ "displayName": "API Access Test",
+ "dataStream": {
+ "name": "validation"
+ },
+ "success": "Successfully connected to Endpoint",
+ "error": "Cannot access the Endpoint API - check your client ID & secret. Do you have the correct permissions set?",
+ "required": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/custom_types.json b/plugins/MicrosoftDefender/v1/custom_types.json
new file mode 100644
index 0000000..e7aa71f
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/custom_types.json
@@ -0,0 +1,9 @@
+[
+ {
+ "name": "device",
+ "sourceType": "device",
+ "icon": "server",
+ "singular": "Device",
+ "plural": "Devices"
+ }
+]
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json b/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json
new file mode 100644
index 0000000..218c04e
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json
@@ -0,0 +1,44 @@
+{
+ "name": "Vulnerabilities",
+ "displayName": "Vulnerabilities",
+ "baseDataSourceName": "httpRequestScoped",
+ "config": {
+ "httpMethod": "post",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "runHuntingQuery",
+ "postBody": {
+ "Query": "DeviceTvmSoftwareVulnerabilities | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}})",
+ "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
+ },
+ "pathToData": "results",
+ "getArgs": [],
+ "headers": []
+ },
+ "metadata": [
+ {
+ "sourceId": "DeviceId",
+ "name": "DeviceName",
+ "shape": "string",
+ "role": "label",
+ "sourceType": "device"
+ },
+ {
+ "pattern": ".*"
+ }
+ ],
+ "matches": {
+ "sourceType": {
+ "type": "equals",
+ "value": "device"
+ }
+ },
+ "timeframes": false,
+ "providesPluginDiagnostics": true,
+ "tags": []
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json b/plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json
new file mode 100644
index 0000000..65ef643
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json
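Review bot: The `Timespan` entry in `postBody` can never take its first branch, because this stream declares `"timeframes": false`, so `timeframe.enum` is presumably always `"none"` and every call sends `"Timespan": ""`; either drop the key or enable timeframes as `advancedHuntingQuery.json` does. The same dead expression appears in `recommendations.json`. The `DeviceId in (...)` clause interpolates each `o.deviceid` inside double quotes without escaping; Defender device ids are hex strings so this is only a robustness concern, but it is an assumption worth stating in the stream's `description`. With `"paging": {"mode": "none"}` a scope larger than the hunting API's result cap would, as far as I can tell, come back truncated with no indication, which matters for a vulnerability list.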
@@ -0,0 +1,51 @@
+{
+ "name": "advancedHuntingQuery",
+ "displayName": "Advanced Hunting Query",
+ "baseDataSourceName": "httpRequestUnscoped",
+ "config": {
+ "httpMethod": "post",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "runHuntingQuery",
+ "postBody": {
+ "Query": "{{query}}",
+ "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
+ },
+ "pathToData": "results",
+ "getArgs": [],
+ "headers": []
+ },
+ "timeframes": [
+ "last1hour",
+ "last12hours",
+ "last24hours",
+ "last7days",
+ "last30days",
+ "thisMonth",
+ "thisQuarter",
+ "thisYear",
+ "lastMonth",
+ "lastQuarter",
+ "lastYear"
+ ],
+ "supportsNoneTimeframe": true,
+ "providesPluginDiagnostics": true,
+ "manualConfigApply": true,
+ "tags": [],
+ "ui": [
+ {
+ "name": "query",
+ "language": "kusto",
+ "label": "Query",
+ "type": "code",
+ "validation": {
+ "required": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/alerts.json b/plugins/MicrosoftDefender/v1/dataStreams/alerts.json
new file mode 100644
index 0000000..eb0015a
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/alerts.json
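Review bot: When no timeframe is selected the `Timespan` expression sends `"Timespan": ""` rather than omitting the key, and `"supportsNoneTimeframe": true` makes that case reachable from the UI; I cannot tell from here whether the hunting endpoint tolerates an empty interval, so it is worth confirming with a `none` run. The `query` field is forwarded verbatim as `"Query": "{{query}}"` with only a `required` validation, which is expected for a free-form hunting tile, but the stream has no `description`; one stating that the tile runs whatever KQL the dashboard author enters, unscoped, would help users of the default content understand what the cockpit tiles are doing.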
@@ -0,0 +1,144 @@ +{ + "name": "alerts", + "displayName": "Alerts", + "baseDataSourceName": "httpRequestUnscoped", + "config": { + "httpMethod": "get", + "errorHandling": { + "type": "default" + }, + "paging": { + "mode": "nextUrl", + "pageSize": { + "realm": { + "value": "none", + "label": "none" + } + }, + "in": { + "realm": { + "value": "payload", + "label": "payload" + }, + "path": "@odata.nextLink" + } + }, + "expandInnerObjects": true, + "endpointPath": "alerts", + "pathToData": "value", + "getArgs": [ + { + "key": "$filter", + "value": "{{ status && status.length > 0 ? \"(status eq \" + status.map((m) => { return `'${m}'` }).join(\" or status eq \") + \") and \" : \"\" }}{{ severity && severity.length > 0 ? \"(severity eq \" + severity.map((m) => { return `'${m}'` }).join(\" or severity eq \") + \") and \" : \"\" }}{{timeframe.enum !== \"none\" ? timeframeCol + \" ge \" + timeframe.start + \" and \" + timeframeCol + \" le \" + timeframe.end : \"1 eq 1\"}}" + } + ], + "headers": [] + }, + "timeframes": [ + "last1hour", + "last12hours", + "last24hours", + "last7days", + "last30days", + "thisMonth", + "thisQuarter", + "thisYear", + "lastMonth", + "lastQuarter", + "lastYear" + ], + "supportsNoneTimeframe": true, + "manualConfigApply": true, + "providesPluginDiagnostics": true, + "tags": [], + "ui": [ + { + "name": "severity", + "label": "Severity", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": "low", + "label": "Low" + }, + { + "value": "medium", + "label": "Medium" + }, + { + "value": "high", + "label": "High" + }, + { + "value": "informational", + "label": "Informational" + }, + { + "value": "unknown", + "label": "Unknown" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + } + ] + }, + "isClearable": true + }, + { + "name": "status", + "label": "Status", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": "new", + "label": "New" + }, + { + "value": 
"inProgress", + "label": "In Progress" + }, + { + "value": "resolved", + "label": "Resolved" + }, + { + "value": "unknown", + "label": "Unknown" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + } + ] + }, + "isClearable": true + }, + { + "isMulti": false, + "help": "Select the column to apply the timeframe", + "data": { + "source": "fixed", + "values": [ + { + "value": "createdDateTime", + "label": "Creation Time" + }, + { + "value": "lastUpdateDateTime", + "label": "Last Update Time" + } + ] + }, + "defaultValue": "createdDateTime", + "name": "timeframeCol", + "label": "Timeframe Column", + "type": "autocomplete", + "isClearable": false + } + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/dataStreams/devices.json b/plugins/MicrosoftDefender/v1/dataStreams/devices.json new file mode 100644 index 0000000..13ced7c --- /dev/null +++ b/plugins/MicrosoftDefender/v1/dataStreams/devices.json 
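Review bot: The `severity` and `status` UI entries do not set `isMulti`, yet the `$filter` template calls `status.map(...)` and `severity.map(...)` on their values; if the platform's autocomplete default is single-select, the value is a string and `.map` throws inside the template, so set `"isMulti": true` explicitly on both entries (the `timeframeCol` entry already sets `"isMulti": false`). `incidents.json` has the same omission. The fallback `"1 eq 1"` emitted when no timeframe is chosen is an unusual OData predicate; if the intent is "no time filter", consider emitting an empty `$filter` instead, since I cannot tell from here whether the Graph endpoint accepts `1 eq 1`.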
@@ -0,0 +1,64 @@
+{
+ "name": "devices",
+ "displayName": "Devices",
+ "baseDataSourceName": "httpRequestScoped",
+ "config": {
+ "httpMethod": "post",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "runHuntingQuery",
+ "postBody": {
+ "Query": "DeviceInfo | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}}) | summarize arg_max(Timestamp, *) by DeviceId"
+ },
+ "pathToData": "results",
+ "getArgs": [],
+ "headers": []
+ },
+ "metadata": [
+ {
+ "sourceId": "DeviceId",
+ "name": "DeviceName",
+ "shape": "string",
+ "role": "label",
+ "sourceType": "device"
+ },
+ {
+ "shape": [
+ "state",
+ {
+ "map": {
+ "unmonitored": [],
+ "unknown": [],
+ "error": [
+ "High"
+ ],
+ "warning": [
+ "Medium"
+ ],
+ "success": [
+ "Low"
+ ]
+ }
+ }
+ ],
+ "name": "ExposureLevel"
+ },
+ {
+ "pattern": ".*"
+ }
+ ],
+ "matches": {
+ "sourceType": {
+ "type": "equals",
+ "value": "device"
+ }
+ },
+ "timeframes": false,
+ "providesPluginDiagnostics": true,
+ "tags": []
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/incidents.json b/plugins/MicrosoftDefender/v1/dataStreams/incidents.json
new file mode 100644
index 0000000..cc76b96
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/incidents.json
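Review bot: The `ExposureLevel` state map only covers `High`, `Medium` and `Low`, with `unmonitored` and `unknown` left as empty arrays, so a device whose exposure level is empty or reported as some other value (the Defender device resource documents a `None` level, as far as I recall) matches no state at all and is shown however the platform treats unmapped values. Mapping that case explicitly, for example `"unknown": ["None", ""]` if the platform compares raw strings, makes unassessed devices visible instead of silently unmapped. `arg_max(Timestamp, *) by DeviceId` is the right de-duplication, but with `"paging": {"mode": "none"}` a scope larger than the hunting API's result cap is, as far as I can tell, truncated without indication.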
@@ -0,0 +1,152 @@ +{ + "name": "incidents", + "displayName": "Incidents", + "baseDataSourceName": "httpRequestUnscoped", + "config": { + "httpMethod": "get", + "errorHandling": { + "type": "default" + }, + "paging": { + "mode": "nextUrl", + "pageSize": { + "realm": { + "value": "none", + "label": "None" + } + }, + "in": { + "realm": { + "value": "payload", + "label": "Body" + }, + "path": "@odata.nextLink" + } + }, + "expandInnerObjects": true, + "endpointPath": "incidents", + "pathToData": "value", + "getArgs": [ + { + "key": "$filter", + "value": "{{ status && status.length > 0 ? \"(status eq \" + status.map((m) => { return `'${m}'` }).join(\" or status eq \") + \") and \" : \"\" }}{{ severity && severity.length > 0 ? \"(severity eq \" + severity.map((m) => { return `'${m}'` }).join(\" or severity eq \") + \") and \" : \"\" }}{{timeframe.enum !== \"none\" ? timeframeCol + \" ge \" + timeframe.start + \" and \" + timeframeCol + \" le \" + timeframe.end : \"1 eq 1\"}}" + } + ], + "headers": [] + }, + "timeframes": [ + "last1hour", + "last12hours", + "last24hours", + "last7days", + "last30days", + "thisMonth", + "thisQuarter", + "thisYear", + "lastMonth", + "lastQuarter", + "lastYear" + ], + "supportsNoneTimeframe": true, + "providesPluginDiagnostics": true, + "manualConfigApply": true, + "tags": [], + "ui": [ + { + "name": "severity", + "label": "Severity", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": "low", + "label": "Low" + }, + { + "value": "medium", + "label": "Medium" + }, + { + "value": "high", + "label": "High" + }, + { + "value": "unknown", + "label": "Unknown" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + }, + { + "value": "new", + "label": "New" + }, + { + "value": "informational", + "label": "Informational" + } + ] + }, + "isClearable": true + }, + { + "name": "status", + "label": "Status", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": 
"active", + "label": "Active" + }, + { + "value": "resolved", + "label": "Resolved" + }, + { + "value": "inProgress", + "label": "In Progress" + }, + { + "value": "redirected", + "label": "Redirected" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + }, + { + "value": "awaitingAction", + "label": "Awaiting Action" + } + ] + }, + "isClearable": true + }, + { + "isMulti": false, + "help": "Select the column to apply the timeframe", + "data": { + "source": "fixed", + "values": [ + { + "value": "createdDateTime", + "label": "Creation Time" + }, + { + "value": "lastUpdateDateTime", + "label": "Last Update Time" + } + ] + }, + "defaultValue": "createdDateTime", + "name": "timeframeCol", + "label": "Timeframe Column", + "type": "autocomplete", + "isClearable": false + } + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/dataStreams/listDevices.json b/plugins/MicrosoftDefender/v1/dataStreams/listDevices.json new file mode 100644 index 0000000..4cb0ffc --- /dev/null +++ b/plugins/MicrosoftDefender/v1/dataStreams/listDevices.json @@ -0,0 +1,29 @@ +{ + "name": "listDevices", + "displayName": "List Devices", + "baseDataSourceName": "httpRequestUnscoped", + "config": { + "httpMethod": "post", + "errorHandling": { + "type": "default" + }, + "paging": { + "mode": "none" + }, + "expandInnerObjects": true, + "endpointPath": "runHuntingQuery", + "postBody": { + "Query": "DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId" + }, + "pathToData": "results", + "getArgs": [], + "headers": [] + }, + "providesPluginDiagnostics": true, + "manualConfigApply": true, + "timeframes": false, + "tags": [], + "visibility": { + "type": "hidden" + } +} diff --git a/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json b/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json new file mode 100644 index 0000000..cd1d7ec --- /dev/null +++ b/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json 
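Review bot: The `severity` list for incidents contains `{ "value": "new", "label": "New" }`, which is a status value rather than a severity and looks copied from the status list; the Graph security severity enumeration is `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`, so drop that entry from the severity values. The paging labels also differ from `alerts.json` (`"None"`/`"Body"` here versus `"none"`/`"payload"` there) although the `value` fields are identical; pick one spelling so the two streams stay consistent. `listDevices.json`, which shares this line, is a hidden helper stream and needs no change beyond noting that it also runs without paging.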
@@ -0,0 +1,32 @@
+{
+ "name": "recommendations",
+ "displayName": "Recommendations",
+ "baseDataSourceName": "httpRequestScoped",
+ "config": {
+ "httpMethod": "post",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "runHuntingQuery",
+ "postBody": {
+ "Query": "DeviceTvmSecureConfigurationAssessment | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}}) | join kind=leftouter (DeviceTvmSecureConfigurationAssessmentKB) on ConfigurationId | project DeviceId, DeviceName, Timestamp, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationImpact, RiskDescription, RemediationOptions, IsApplicable, IsCompliant, Tags",
+ "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
+ },
+ "pathToData": "results",
+ "getArgs": [],
+ "headers": []
+ },
+ "matches": {
+ "sourceType": {
+ "type": "equals",
+ "value": "device"
+ }
+ },
+ "timeframes": false,
+ "providesPluginDiagnostics": true,
+ "tags": []
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/secureScoreHistory.json b/plugins/MicrosoftDefender/v1/dataStreams/secureScoreHistory.json
new file mode 100644
index 0000000..07b03b1
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/secureScoreHistory.json
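Review bot: Unlike `devices.json` and `Vulnerabilities.json`, this stream declares no `metadata` block, so there is no `"sourceId": "DeviceId"` / `"role": "label"` entry tying each row back to its device object even though the query projects `DeviceId` and `DeviceName`; if the platform uses that entry to make rows navigable per device, the recommendations dashboard loses the link. Adding the same two-entry `metadata` array used in `Vulnerabilities.json` would keep the three scoped streams consistent. The `Timespan` expression is dead here as well because `"timeframes": false`.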
@@ -0,0 +1,49 @@
+{
+ "name": "secureScoreHistory",
+ "displayName": "Secure Score History",
+ "description": "Retrieves the current tenant's Secure Score data from the past 90 days",
+ "baseDataSourceName": "httpRequestUnscoped",
+ "config": {
+ "httpMethod": "get",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "offset",
+ "pageSize": {
+ "realm": {
+ "value": "queryArg",
+ "label": "Query parameter"
+ },
+ "path": "$top",
+ "value": "100"
+ },
+ "offset": {
+ "rowCountIn": {
+ "realm": {
+ "value": "payloadArraySize",
+ "label": "Body array size"
+ },
+ "path": "value"
+ },
+ "mode": "row",
+ "base": "0"
+ },
+ "out": {
+ "realm": {
+ "value": "queryArg",
+ "label": "queryArg"
+ },
+ "path": "$skip"
+ }
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "secureScores",
+ "pathToData": "value",
+ "getArgs": [],
+ "headers": []
+ },
+ "providesPluginDiagnostics": true,
+ "timeframes": false,
+ "tags": []
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/validation.json b/plugins/MicrosoftDefender/v1/dataStreams/validation.json
new file mode 100644
index 0000000..bc27903
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/validation.json
@@ -0,0 +1,32 @@
+{
+ "name": "validation",
+ "displayName": "Validation",
+ "baseDataSourceName": "httpRequestUnscoped",
+ "config": {
+ "httpMethod": "get",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "alerts",
+ "pathToData": "value",
+ "getArgs": [
+ {
+ "key": "$top",
+ "value": "1",
+ "needsEncryption": false
+ }
+ ],
+ "headers": []
+ },
+ "matches": "none",
+ "timeframes": false,
+ "providesPluginDiagnostics": true,
+ "visibility": {
+ "type": "hidden"
+ },
+ "options": { "noMatch": true }
+}
\ No newline at end of file
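Review bot: `"matches": "none"` in `validation.json` is a string while every other stream in this commit gives `matches` an object (`"matches": { "sourceType": { ... } }`); a key whose type changes between files is fragile for anything that parses these definitions, so if the platform has an object form for "no match" prefer it, otherwise note the sentinel in a `description`. The probe itself reads `alerts` with `$top=1`, so the credential check succeeds only when the app has alert-read access; `configValidation.json` already hints at permissions in its error text, and a `description` on this stream naming what it exercises would make that explicit for support. In `secureScoreHistory.json`, the `out` realm label is the raw token `"queryArg"` while `pageSize` spells it `"Query parameter"`; align the two labels.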
diff --git a/plugins/MicrosoftDefender/v1/defaultContent/Devices/deviceStatus.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/Devices/deviceStatus.dash.json
new file mode 100644
index 0000000..7d788bc
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/defaultContent/Devices/deviceStatus.dash.json
@@ -0,0 +1,437 @@ +{ + "name": "Device Status", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 0, + "y": 0, + "i": "a42fe41f-7cbd-42d0-b32e-6d68eb4f016f", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[device]}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.[device]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[devices]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Exposure Level", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "ExposureLevel", + "linkColumn": "DeviceName", + "labelColumn": "ExposureLevel[Expanded].rawState" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 1, + "y": 0, + "i": "b606fb70-4a88-4fdf-9a19-dded55059092", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[device]}}" + ], + "dataStream": { + "name": "devices", + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Inactive" + ], + "unmonitored": [], + "error": [ + "ImpairedCommunication", + "NoSensorData", + "Misconfigured" + ], + "success": [ + "Active" + ], + "unknown": [ + "Unknown" + ] + } + } + ], + "name": "SensorHealthState" + } + ], + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.[device]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[devices]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Health State (Sensor)", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "SensorHealthState", + "linkColumn": "DeviceName", + "labelColumn": 
"SensorHealthState[Expanded].rawState" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 2, + "y": 0, + "i": "86c6198e-d8a3-456e-a014-fb14a079f058", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[device]}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.[device]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[devices]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Asset Value", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": "AssetValue", + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 3, + "y": 0, + "i": "951c5d29-1b5c-4509-a83c-70e183ddc881", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[device]}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.[device]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[devices]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Last Seen", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": "Timestamp", + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 4, + "x": 2, + "y": 3, + "i": "384ae7b5-a86c-46eb-aa43-02057f67f2f3", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[device]}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.[device]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[devices]}}" + }, + "_type": "tile/data-stream", + "description": "", + 
"activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Device Properties", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceId", + "PublicIP", + "ConnectivityType", + "OSPlatform", + "OSBuild", + "OSArchitecture", + "OSVersion", + "OSDistribution", + "OSVersionInfo", + "OsBuildRevision", + "ClientVersion", + "HardwareUuid" + ], + "hiddenColumns": [ + "@odata.context", + "mergedIntoMachineId", + "isPotentialDuplication", + "isExcluded", + "exclusionReason", + "firstSeen", + "lastSeen", + "healthStatus", + "deviceValue", + "rbacGroupId", + "rbacGroupName", + "riskScore", + "exposureLevel", + "isAadJoined", + "aadDeviceId", + "onboardingStatus", + "managedBy", + "managedByStatus", + "ipAddresses.0.ipAddress", + "ipAddresses.0.macAddress", + "ipAddresses.0.type", + "ipAddresses.0.operationalStatus", + "ipAddresses.1.ipAddress", + "ipAddresses.1.macAddress", + "ipAddresses.1.type", + "ipAddresses.1.operationalStatus", + "ipAddresses.2.ipAddress", + "ipAddresses.2.macAddress", + "ipAddresses.2.type", + "ipAddresses.2.operationalStatus", + "ipAddresses.3.ipAddress", + "ipAddresses.3.macAddress", + "ipAddresses.3.type", + "ipAddresses.3.operationalStatus", + "healthStatus[Expanded].rawState", + "computerDnsName", + "exposureLevel[Expanded].rawState", + "Timestamp", + "DeviceName", + "OSBuild@odata.type", + "IsAzureADJoined@odata.type", + "IsAzureADJoined", + "JoinType", + "AadDeviceId", + "LoggedOnUsers", + "RegistryDeviceTag", + "MachineGroup", + "ReportId@odata.type", + "ReportId", + "OnboardingStatus", + "AdditionalFields", + "DeviceCategory", + "DeviceType", + "DeviceSubtype", + "Model", + "Vendor", + "MergedDeviceIds", + "MergedToDeviceId", + "SensorHealthState", + "IsExcluded@odata.type", + "IsExcluded", + "ExclusionReason", + "ExposureLevel", + "AssetValue", + "DeviceManualTags", + "DeviceDynamicTags", + "CloudPlatforms", + "AzureVmId", + "AzureResourceId", + "AzureVmSubscriptionId", + 
"GcpFullResourceName", + "AwsResourceName", + "IsTransient@odata.type", + "IsTransient", + "HostDeviceId", + "MitigationStatus", + "FirmwareVersions", + "DiscoverySources", + "DlpInfo", + "ExposureLevel[Expanded].rawState" + ], + "transpose": true + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 4, + "x": 0, + "y": 3, + "i": "b0526c96-e0ea-4028-b44b-13c120e5ae83", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[device]}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.[device]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[devices]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Device Attributes", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "hiddenColumns": [ + "DeviceId", + "Timestamp", + "DeviceName", + "ClientVersion", + "PublicIP", + "OSArchitecture", + "OSBuild@odata.type", + "OSBuild", + "IsAzureADJoined@odata.type", + "IsAzureADJoined", + "AadDeviceId", + "LoggedOnUsers", + "RegistryDeviceTag", + "ReportId@odata.type", + "ReportId", + "AdditionalFields", + "DeviceSubtype", + "Model", + "Vendor", + "OSDistribution", + "OSVersionInfo", + "MergedDeviceIds", + "MergedToDeviceId", + "SensorHealthState", + "IsExcluded@odata.type", + "IsExcluded", + "ExclusionReason", + "ExposureLevel", + "DeviceManualTags", + "DeviceDynamicTags", + "HardwareUuid", + "CloudPlatforms", + "AzureVmId", + "AzureResourceId", + "AzureVmSubscriptionId", + "GcpFullResourceName", + "AwsResourceName", + "IsTransient@odata.type", + "IsTransient", + "OsBuildRevision", + "HostDeviceId", + "ConnectivityType", + "DiscoverySources", + "FirmwareVersions", + "ExposureLevel[Expanded].rawState", + "OSPlatform", + "OSVersion", + "DlpInfo" + ], + "transpose": true, + "columnOrder": [ + "DeviceCategory", + "DeviceType", + 
"AssetValue", + "JoinType", + "MachineGroup", + "OnboardingStatus", + "MitigationStatus" + ], + "columnDisplayNames": {} + } + } + } + } + } + ], + "version": 42, + "columns": 4 + }, + "variables": [ + "{{variables.[device]}}" + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/Devices/manifest.json b/plugins/MicrosoftDefender/v1/defaultContent/Devices/manifest.json new file mode 100644 index 0000000..4b56ba1 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/Devices/manifest.json @@ -0,0 +1,12 @@ +{ + "items": [ + { + "name": "overview", + "type": "dashboard" + }, + { + "name": "deviceStatus", + "type": "dashboard" + } + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/Devices/overview.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/Devices/overview.dash.json new file mode 100644 index 0000000..0cba9bd --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/Devices/overview.dash.json 
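Review bot: The `hiddenColumns` list of the `Device Properties` tile mixes `DeviceInfo` hunting columns (PascalCase) with fields of the Graph `machines` resource (`healthStatus`, `rbacGroupId`, `ipAddresses.0.ipAddress` through `ipAddresses.3.operationalStatus`, `exposureLevel[Expanded].rawState`, `computerDnsName`) that the `devices` stream, which runs `DeviceInfo | summarize arg_max(...)`, does not project as far as I can see; they look carried over from an earlier endpoint and can be dropped to keep the tile definition readable. The `Health State (Sensor)` tile defines its `SensorHealthState` state map inline in the dashboard while the `ExposureLevel` map lives in `devices.json`; moving it into the stream's `metadata` next to `ExposureLevel` would make the mapping available to other dashboards and keep both maps in one place.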
@@ -0,0 +1,175 @@ +{ + "name": "Overview", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 4, + "moved": false, + "h": 3, + "x": 0, + "y": 0, + "i": "a42fe41f-7cbd-42d0-b32e-6d68eb4f016f", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}", + "sort": { + "by": [ + [ + "ExposureLevel", + "desc" + ] + ] + } + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Exposure Level", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "ExposureLevel", + "linkColumn": "DeviceName", + "sublabel": "ExposureLevel[Expanded].rawState", + "columns": 3, + "labelColumn": "DeviceName" + } + } + } + } + }, + { + "static": false, + "w": 4, + "moved": false, + "h": 4, + "x": 0, + "y": 3, + "i": "e5ec8d5c-4184-46cb-8c61-94913be88729", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "name": "devices", + "filter": { + "multiOperation": "and", + "filters": [] + }, + "id": "{{dataStreams.devices}}", + "sort": { + "by": [ + [ + "DeviceName", + "asc" + ] + ] + } + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Properties", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceId", + "Timestamp", + "DeviceName", + "ClientVersion", + "PublicIP", + "OSArchitecture", + "OSPlatform", + "OSBuild@odata.type", + "OSBuild", + 
"IsAzureADJoined@odata.type", + "IsAzureADJoined", + "JoinType", + "AadDeviceId", + "LoggedOnUsers", + "RegistryDeviceTag", + "OSVersion", + "MachineGroup", + "ReportId@odata.type", + "ReportId", + "OnboardingStatus", + "AdditionalFields", + "DeviceCategory", + "DeviceType", + "DeviceSubtype", + "Model", + "Vendor", + "OSDistribution", + "OSVersionInfo", + "MergedDeviceIds", + "MergedToDeviceId", + "SensorHealthState", + "IsExcluded@odata.type", + "IsExcluded", + "ExclusionReason", + "ExposureLevel", + "AssetValue", + "DeviceManualTags", + "DeviceDynamicTags", + "HardwareUuid", + "CloudPlatforms", + "AzureVmId", + "AzureResourceId", + "AzureVmSubscriptionId", + "GcpFullResourceName", + "AwsResourceName", + "IsTransient@odata.type", + "IsTransient", + "OsBuildRevision", + "HostDeviceId", + "MitigationStatus", + "ConnectivityType", + "DiscoverySources", + "FirmwareVersions", + "DlpInfo", + "IsInternetFacing@odata.type", + "IsInternetFacing", + "ExposureLevel[Expanded].rawState" + ], + "hiddenColumns": [] + } + } + } + } + } + ], + "version": 22, + "columns": 4 + }, + "variables": [ + "{{variables.[All Object]}}" + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/cockpit.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/cockpit.dash.json new file mode 100644 index 0000000..6cf5700 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/cockpit.dash.json 
@@ -0,0 +1,406 @@ +{ + "name": "Cockpit", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 2, + "moved": false, + "h": 2, + "x": 0, + "y": 0, + "i": "7a6ca038-e744-488e-8f2f-ad3d86b4e42d", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "secureScoreHistory", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "createdDateTime", + "unit": "days", + "operation": "datewithinlast", + "value": "1" + } + ] + }, + "id": "{{dataStreams.secureScoreHistory}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Current Secure Score", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": "currentScore", + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 2, + "x": 2, + "y": 0, + "i": "bc314cab-b69a-4379-920a-872a3b005c66", + "z": 0, + "config": { + "dataStream": { + "pluginConfigId": "{{configId}}", + "id": "{{dataStreams.devices}}", + "group": { + "by": [ + [ + "ExposureLevel", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + } + }, + "scope": { + "query": "g.V().order().by('__name').hasNot('__canonicalType').or(__.has(\"sourceType\", \"device\")).limit(500)", + "bindings": {}, + "queryDetail": {} + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Device Exposure State", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "ExposureLevel_uniqueValues", + "showTotals": true, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": false, + 
"yAxisData": [ + "count" + ], + "showYAxisLabel": true, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": true + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 0, + "y": 2, + "i": "fe0118a8-d043-4bb4-9907-10b1b29cd486", + "z": 0, + "config": { + "timeframe": "last24hours", + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\r\n| where ActionType in (\"AntivirusDetection\",\"AntivirusDetectionCancelled\",\"AntivirusMalwareActionFailed\")\r\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "monitor": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { + "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "__group_by_none__", + "frequency": 15 + }, + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Malware & Antivirus Detected", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": {} + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 1, + "y": 2, + "i": "cf2d60f6-b7cf-4602-bd3c-70f1ef215514", + "z": 0, + "config": { + "timeframe": "last24hours", + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\r\n| where ActionType in (\"UserAccountCreated\",\"ScheduledTaskCreated\",\"ScheduledTaskDeleted\",\"UserAccountModified\",\"UserAccountAddedToLocalGroup\")\r\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "monitor": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { 
+ "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "__group_by_none__", + "frequency": 15 + }, + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Persistence & Privilege Escalation", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 2, + "y": 2, + "i": "cf1f3273-caa3-4b96-9e1f-b70c8a207214", + "z": 0, + "config": { + "timeframe": "last24hours", + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\r\n| where ActionType startswith \"AppControl\"\r\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "monitor": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { + "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "__group_by_none__", + "frequency": 15 + }, + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Application Control", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 3, + "y": 2, + "i": "21756e83-fc0c-47a8-98f7-7e96e765662b", + "z": 0, + "config": { + "timeframe": "last24hours", + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\r\n| where ActionType in (\"ExploitGuardNetworkProtectionBlocked\",\"ExploitGuardNonMicrosoftSignedBlocked\")\r\n| project Timestamp, DeviceName, 
ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "monitor": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { + "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "__group_by_none__", + "frequency": 15 + }, + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Exploits", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 4, + "moved": false, + "h": 2, + "x": 0, + "y": 4, + "i": "5c32f4c0-9729-42dd-b3c4-c057f9547092", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "secureScoreHistory", + "id": "{{dataStreams.secureScoreHistory}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Secure Score History", + "visualisation": { + "type": "data-stream-line-graph", + "config": { + "data-stream-line-graph": { + "yAxisLabel": "Secure Score", + "xAxisColumn": "createdDateTime", + "seriesColumn": "none", + "xAxisLabel": "Date", + "dataPoints": false, + "showTrendLine": true, + "yAxisRangeMode": "auto", + "yAxisColumn": [ + "currentScore" + ] + } + } + } + } + } + ], + "version": 49, + "columns": 4 + } +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/manifest.json b/plugins/MicrosoftDefender/v1/defaultContent/manifest.json new file mode 100644 index 0000000..571fefe --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/manifest.json 
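Review bot: The `Malware & Antivirus Detected` tile's `data-stream-scalar` config is `{}` while its three sibling monitor tiles set `"value": { "type": "count" }, "comparisonColumn": "none"`; if the scalar defaults to the first column rather than a row count, this tile shows a `Timestamp` instead of a detection count, so give it the same explicit config. The `Device Exposure State` tile scopes devices through a Gremlin query ending in `.limit(500)`, so tenants with more than 500 devices get a silently truncated bar chart; the tile `description` is empty and could state that cap. The four threshold monitors all raise `error` on any `count > 0` at `frequency: 15`, which is a reasonable default, but their empty `description` fields could say what the reader is expected to check when one fires.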
@@ -0,0 +1,20 @@
+{
+ "items": [
+ {
+ "name": "cockpit",
+ "type": "dashboard"
+ },
+ {
+ "name": "recommendations",
+ "type": "dashboard"
+ },
+ {
+ "name": "vulnerabilities",
+ "type": "dashboard"
+ },
+ {
+ "name": "Devices",
+ "type": "folder"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/defaultContent/recommendations.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/recommendations.dash.json
new file mode 100644
index 0000000..213e15e
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/defaultContent/recommendations.dash.json
@@ -0,0 +1,291 @@ +{ + "name": "Recommendations", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "x": 0, + "h": 2, + "y": 0, + "i": "777d4030-bbb1-4d20-a362-eef301140a35", + "z": 0, + "config": { + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "pluginConfigId": "{{configId}}", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "IsCompliant", + "operation": "equals", + "value": "0" + }, + { + "column": "IsApplicable", + "operation": "equals", + "value": "1" + } + ] + }, + "id": "{{dataStreams.recommendations}}" + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Active", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "x": 1, + "h": 2, + "y": 0, + "i": "30f6f706-cd44-4396-be7c-e0ca3c7999a7", + "z": 0, + "config": { + "dataStream": { + "pluginConfigId": "{{configId}}", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "IsCompliant", + "operation": "equals", + "value": "0" + }, + { + "column": "IsApplicable", + "operation": "equals", + "value": "1" + } + ] + }, + "id": "{{dataStreams.recommendations}}", + "group": { + "by": [ + [ + "ConfigurationCategory", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + } + }, + "scope": { + "query": "g.V().order().by('__name').hasNot('__canonicalType').or(__.has(\"sourceType\", \"device\")).limit(500)", + "bindings": {}, + "queryDetail": {} + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Category", + 
"visualisation": { + "type": "data-stream-donut-chart", + "config": { + "data-stream-donut-chart": { + "valueColumn": "count", + "hideCenterValue": false, + "showValuesAsPercentage": false, + "legendPosition": "right", + "legendMode": "table", + "labelColumn": "ConfigurationCategory_uniqueValues" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "x": 2, + "h": 2, + "y": 0, + "i": "d2e6be29-4c2d-4cb6-8954-ce4d87c94f10", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "name": "recommendations", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "IsApplicable", + "operation": "equals", + "value": "1" + }, + { + "column": "IsCompliant", + "operation": "equals", + "value": "0" + } + ] + }, + "id": "{{dataStreams.recommendations}}", + "group": { + "by": [ + [ + "ConfigurationImpact", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + } + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "description": "On active recommendations", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Configuration Impact (Severity Score)", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "ConfigurationImpact_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": false, + "yAxisData": [], + "showYAxisLabel": true, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": true + } + } + } + } + }, + { + "static": false, + "w": 3, + "moved": false, + "x": 0, + "h": 4, + "y": 2, + "i": "a501edac-6ed8-4835-a64c-a7579937f16a", + "z": 0, + "config": { + 
"timeframe": "none", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "name": "recommendations", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "IsApplicable", + "operation": "equals", + "value": "1" + }, + { + "column": "IsCompliant", + "operation": "equals", + "value": "0" + } + ] + }, + "id": "{{dataStreams.recommendations}}" + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "List", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceId", + "DeviceName", + "Timestamp", + "ConfigurationId", + "ConfigurationName", + "ConfigurationCategory", + "ConfigurationSubcategory", + "RiskDescription", + "RemediationOptions", + "IsApplicable@odata.type", + "IsApplicable", + "IsCompliant@odata.type", + "IsCompliant" + ], + "hiddenColumns": [] + } + } + } + } + } + ], + "version": 42, + "columns": 3 + }, + "variables": [ + "{{variables.[All Object]}}" + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/scopes.json b/plugins/MicrosoftDefender/v1/defaultContent/scopes.json new file mode 100644 index 0000000..9b79bd0 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/scopes.json @@ -0,0 +1,29 @@ +[ + { + "name": "All Objects", + "matches": "all", + "variable": { + "name": "All Object", + "type": "object", + "default": "all", + "allowMultipleSelection": false + } + }, + { + "name": "devices", + "matches": { + "sourceType": { + "type": "oneOf", + "values": [ + "device" + ] + } + }, + "variable": { + "name": "device", + "type": "object", + "default": "none", + "allowMultipleSelection": false + } + } +] \ No newline at end of file 
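Review bot: The "Category" donut tile breaks the dashboard's scoping contract: its `scope` is a hard-coded Gremlin query ending in `.limit(500)` instead of the `{{variables.[All Object]}}` / `{{scopes.[All Objects]}}` binding every sibling tile uses, so it ignores the object selector and silently caps the vertex set at 500, under-counting non-compliant recommendations in any tenant with more devices than that. It also omits the `"name": "recommendations"` and `"variables"` entries the other tiles carry. Replace the scope with the block the other tiles use: `"scope": { "variable": "{{variables.[All Object]}}", "workspace": "{{workspaceId}}", "scope": "{{scopes.[All Objects]}}" }`. Separately, `IsApplicable@odata.type` and `IsCompliant@odata.type` in the List tile's `columnOrder` are OData type annotations rather than data; move them to `hiddenColumns`.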
diff --git a/plugins/MicrosoftDefender/v1/defaultContent/vulnerabilities.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/vulnerabilities.dash.json
new file mode 100644
index 0000000..6fdee49
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/defaultContent/vulnerabilities.dash.json
@@ -0,0 +1,394 @@ +{ + "name": "Vulnerabilities", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 0, + "y": 0, + "i": "7c498c96-9efb-46fd-8b06-9d0970b51b45", + "z": 0, + "config": { + "timeframe": "last24hours", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "pluginConfigId": "{{configId}}", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "VulnerabilitySeverityLevel", + "operation": "equals", + "value": "Critical" + } + ] + }, + "id": "{{dataStreams.Vulnerabilities}}" + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "description": "", + "monitorOld": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { + "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "DeviceName", + "frequency": 15 + }, + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Critical", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 1, + "y": 0, + "i": "7a35db77-a19d-4b51-9712-f45e6cfe0004", + "z": 0, + "config": { + "timeframe": "last24hours", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "pluginConfigId": "{{configId}}", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "VulnerabilitySeverityLevel", + "operation": "equals", + "value": "High" + } + ] + }, + "id": "{{dataStreams.Vulnerabilities}}" + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, 
+ "_type": "tile/data-stream", + "monitorOld": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { + "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "DeviceName", + "frequency": 15 + }, + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "High", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 2, + "y": 0, + "i": "ecca69a0-eb1c-4433-8ba7-e90cad89d561", + "z": 0, + "config": { + "timeframe": "last24hours", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "pluginConfigId": "{{configId}}", + "filter": { + "multiOperation": "and", + "filters": [] + }, + "id": "{{dataStreams.Vulnerabilities}}" + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "monitorOld": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { + "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "DeviceName", + "frequency": 15 + }, + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Software", + "visualisation": { + "type": "data-stream-donut-chart", + "config": { + "data-stream-donut-chart": { + "valueColumn": "builtin_count_by_label", + "hideCenterValue": false, + "showValuesAsPercentage": false, + "legendPosition": "right", + "legendMode": "table", + "labelColumn": "SoftwareName" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 3, + "y": 0, + "i": 
"b0385f1f-3367-4721-83cd-b3dc44a0734f", + "z": 0, + "config": { + "timeframe": "last24hours", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "pluginConfigId": "{{configId}}", + "filter": { + "multiOperation": "and", + "filters": [] + }, + "id": "{{dataStreams.Vulnerabilities}}", + "group": { + "by": [ + [ + "VulnerabilitySeverityLevel", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + } + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.[All Objects]}}" + }, + "_type": "tile/data-stream", + "monitorOld": { + "tileRollsUp": true, + "monitorType": "threshold", + "condition": { + "columns": [], + "logic": { + "if": [ + { + ">": [ + { + "var": "count" + }, + 0 + ] + }, + "error" + ] + } + }, + "_type": "simple", + "aggregation": "count", + "groupBy": "DeviceName", + "frequency": 15 + }, + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Severity", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "VulnerabilitySeverityLevel_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": false, + "yAxisData": [ + "count" + ], + "showYAxisLabel": true, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": true + } + } + } + } + }, + { + "static": false, + "w": 4, + "moved": false, + "h": 3, + "x": 0, + "y": 3, + "i": "eb36c383-0ca3-4d60-8e0d-c09c0ec2e6d8", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.[All Object]}}" + ], + "dataStream": { + "name": "Vulnerabilities", + "id": "{{dataStreams.Vulnerabilities}}" + }, + "scope": { + "variable": "{{variables.[All Object]}}", + "workspace": "{{workspaceId}}", + "scope": 
"{{scopes.[All Objects]}}"
+ },
+ "_type": "tile/data-stream",
+ "description": "",
+ "activePluginConfigIds": [
+ "{{configId}}"
+ ],
+ "title": "List",
+ "visualisation": {
+ "type": "data-stream-table",
+ "config": {
+ "data-stream-table": {
+ "columnOrder": [
+ "CveId",
+ "VulnerabilitySeverityLevel",
+ "DeviceId",
+ "SoftwareVendor",
+ "SoftwareName",
+ "SoftwareVersion",
+ "RecommendedSecurityUpdateId"
+ ],
+ "hiddenColumns": [
+ "DeviceName",
+ "OSPlatform",
+ "OSVersion",
+ "OSArchitecture",
+ "AadDeviceId",
+ "RecommendedSecurityUpdate",
+ "CveTags@odata.type",
+ "CveMitigationStatus"
+ ]
+ }
+ }
+ }
+ }
+ }
+ ],
+ "version": 42,
+ "columns": 4
+ },
+ "variables": [
+ "{{variables.[All Object]}}"
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/icon.png b/plugins/MicrosoftDefender/v1/icon.png
new file mode 100644
index 0000000..a34e4d4
Binary files /dev/null and b/plugins/MicrosoftDefender/v1/icon.png differ
diff --git a/plugins/MicrosoftDefender/v1/indexDefinitions/default.json b/plugins/MicrosoftDefender/v1/indexDefinitions/default.json
new file mode 100644
index 0000000..b84def4
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/indexDefinitions/default.json
@@ -0,0 +1,29 @@
+{
+ "steps": [
+ {
+ "name": "Import Devices",
+ "dataStream": {
+ "name": "listDevices"
+ },
+ "timeframe": "none",
+ "objectMapping": {
+ "id": "DeviceId",
+ "name": "DeviceName",
+ "type": {
+ "value": "device"
+ },
+ "properties": [
+ "OSPlatform",
+ "OSProcessor",
+ "OSVersion",
+ "PublicIP",
+ "OSBuild",
+ "OSArchitecture",
+ {
+ "deviceid": "DeviceId"
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/metadata.json b/plugins/MicrosoftDefender/v1/metadata.json
new file mode 100644
index 0000000..7ea33e5
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/metadata.json
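Review bot: All four summary tiles define their threshold alert under `monitorOld` rather than `monitor`, so the Critical/High alerting (count > 0, grouped by `DeviceName`, frequency 15) is dead configuration that the dashboard ships but never evaluates; the cockpit tiles earlier in this change carry the same logic under `monitor`. Either rename the key back to `"monitor"` on the Critical and High tiles, where a per-device alert on critical CVEs is the whole point, or delete the blocks so stale state is not committed. The summary tiles also use `"timeframe": "last24hours"` while the List tile uses `"none"`, so the headline counts and the table can disagree; unless the Vulnerabilities stream genuinely honours a timeframe (not verifiable from this hunk), align the summary tiles to `"timeframe": "none"`.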
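Review bot: `PublicIP` is indexed as a property on every imported device object, but nothing else in this change reads it; a device's public egress address is inventory data worth minimising, so drop it from `properties` unless a consumer not visible here needs it, in which case state that in the plugin description. The extra `{ "deviceid": "DeviceId" }` entry duplicates `"id": "DeviceId"` under a lower-case key; presumably it exists for templating elsewhere in the plugin, but since JSON cannot carry a comment, record that reason in the README so the apparent redundancy is not "cleaned up" later.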
@@ -0,0 +1,43 @@
+{
+ "name": "microsoft-defender",
+ "displayName": "Microsoft Defender for Endpoint",
+ "version": "1.0.0",
+ "author": {
+ "name": "SquaredUp Labs",
+ "type": "community"
+ },
+ "description": "Visualize Defender insights including advanced hunting, exposure, devices, and vulnerabilities.",
+ "category": "User Defined",
+ "type": "hybrid",
+ "schemaVersion": "2.0",
+ "base": {
+ "plugin": "WebAPI",
+ "majorVersion": "1",
+ "config": {
+ "oauth2TokenExtraArgs": [
+ {
+ "value": "client_credentials",
+ "key": "grant_type"
+ },
+ {
+ "value": "https://graph.microsoft.com/.default",
+ "key": "scope"
+ }
+ ],
+ "oauth2ClientSecret": "{{clientSecret}}",
+ "oauth2ClientSecretLocationDuringAuth": "body",
+ "authMode": "oauth2",
+ "oauth2GrantType": "clientCredentials",
+ "baseUrl": "https://graph.microsoft.com/v1.0/security/",
+ "oauth2TokenExtraHeaders": [
+ {
+ "value": "application/x-www-form-urlencoded",
+ "key": "Content-Type"
+ }
+ ],
+ "oauth2TokenUrl": "https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token",
+ "oauth2ClientId": "{{clientId}}",
+ "oauth2Scope": "https://graph.microsoft.com/.default"
+ }
+ }
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/ui.json b/plugins/MicrosoftDefender/v1/ui.json
new file mode 100644
index 0000000..f06ad63
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/ui.json
@@ -0,0 +1,29 @@
+[
+ {
+ "type": "text",
+ "name": "tenantId",
+ "label": "Directory (tenant) ID",
+ "placeholder": "Enter a directory (tenant) ID",
+ "validation": {
+ "required": true
+ }
+ },
+ {
+ "type": "text",
+ "name": "clientId",
+ "label": "Application (client) ID",
+ "placeholder": "Enter an application (client) ID",
+ "validation": {
+ "required": true
+ }
+ },
+ {
+ "type": "password",
+ "name": "clientSecret",
+ "label": "Client secret",
+ "placeholder": "Enter a client secret",
+ "validation": {
+ "required": true
+ }
+ }
+]
\ No newline at end of file
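Review bot: The OAuth client-credentials settings are specified twice: `oauth2GrantType: "clientCredentials"` and `oauth2Scope: "https://graph.microsoft.com/.default"` are repeated as `grant_type`/`scope` entries in `oauth2TokenExtraArgs`, and the form-encoded `Content-Type` is set by hand; if the WebAPI base already emits these for the clientCredentials grant, the duplicates can drift (narrow `oauth2Scope` later and the extra arg still requests `.default`). Keep one source of truth, presumably the dedicated keys, and drop the matching `oauth2TokenExtraArgs`/`oauth2TokenExtraHeaders` entries once it is confirmed the base sends them. Because this plugin authenticates as an application with a long-lived client secret, the `description` should also state the minimum admin-consented Graph application permissions the app registration needs; every data stream referenced in this change only reads (hunting queries, devices, secure score, recommendations), so something like `Requires an Entra app registration with read-only Microsoft Graph security application permissions; no write permissions are needed.` belongs in the description so admins grant least privilege instead of guessing.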
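Review bot: `tenantId` and `clientId` are accepted as unconstrained text even though the tenant value is spliced into the token URL path (`https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token`) and a typo in either only surfaces later as an opaque token failure; if the form schema supports it, add a shape check so bad input is rejected at entry, e.g. for the client ID `"validation": { "required": true, "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" }`, and for the tenant the same GUID pattern or a verified-domain form. Using `"type": "password"` for the secret is correct; consider also a help/hint text telling the admin which app-registration blade the values come from and that the secret must be re-entered here when it is rotated.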