diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml
new file mode 100644
index 00000000..26e7b016
--- /dev/null
+++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml
@@ -0,0 +1,110 @@
+Descriptor:
+ Name: MDEPlugandPlay
+ DisplayName: MDE Plug and Play
+ Description: Skills to query MDE device tables to get insights about plug and play (PnP) events
+
+SkillGroups:
+ - Format: KQL
+ Skills:
+ - Name: GetPnPEventsFromDevice
+ DisplayName: Get PnP Events From Device
+ Description: Summarises the PnP connection events from a specific device over a set timeframe
+ ExamplePrompt:
+ - 'PnP Events'
+ - 'Plug and Play Events'
+ - 'Get PnP events from device DEVICENAME from the last 7 days'
+ - 'Get PnP events from device DEVICENAME from the past 24 hours'
+ - 'Fetch PnP events from device DEVICENAME from the past 7 days'
+ - 'Fetch PnP events from device DEVICENAME from the past 24 hours'
+ - 'List PnP events from device DEVICENAME from the past 7 days'
+ - 'List PnP events from device DEVICENAME from the past 24 hours'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 7
+ - Name: devicename
+ Description: device name or id
+ Required: true
+ Settings:
+ Target: Defender
+ Template: |-
+ let Device = "{{devicename}}";
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where DeviceName =~ Device or DeviceId =~ Device
+ | where ActionType == "PnpDeviceConnected"
+ | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds
+ | project Timestamp, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds
+ - Format: KQL
+ Skills:
+ - Name: GetPnPTop25Devices
+ DisplayName: Get PnP Top 25 Devices
+ Description: Fetches a count of the top 25 PnP devices across the estate
+ ExamplePrompt:
+ - 'PnP Devices'
+ - 'Plug and Play Devices'
+ - 'Get a list of the top 25 PnP devices from the last 24 hours'
+ - 'Get a list of the top 25 PnP devices from the last 1 day'
+ - 'Fetch a list of the top 25 PnP devices from the last 24 hours'
+ - 'Fetch a list of the top 25 PnP devices from the last 1 day'
+ - 'List the top 25 PnP devices from the last 24 hours'
+ - 'List the top 25 PnP devices from the last 1 day'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 1
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType == "PnpDeviceConnected"
+ | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds
+ | project ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds
+ | summarize count() by tostring(ClassName), tostring(ClassId), tostring(PnPDeviceId), tostring(DeviceDescription), tostring(VendorIds)
+ | top 25 by count_
+ - Format: KQL
+ Skills:
+ - Name: GetPnPLeastCommonDevices
+ DisplayName: Get PnP Least Common Devices
+ Description: Fetches a count of the 25 least common PnP devices which could be anomalous
+ ExamplePrompt:
+ - 'PnP Devices'
+ - 'Plug and Play Devices'
+ - 'Anomalous PnP'
+ - 'Anomalous Plug and Play'
+ - 'Get a list of the 25 least common PnP devices from the last 24 hours'
+ - 'Get a list of the 25 least common PnP devices from the last 1 day'
+ - 'Fetch a list of the 25 least common PnP devices from the last 24 hours'
+ - 'Fetch a list of the 25 least common PnP devices from the last 1 day'
+ - 'List the 25 least common PnP devices from the last 1 day'
+ - 'List the 25 least common PnP devices from the last 24 hours'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 1
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType == "PnpDeviceConnected"
+ | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds
+ | project ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds
+ | summarize count() by tostring(ClassName), tostring(ClassId), tostring(PnPDeviceId), tostring(DeviceDescription), tostring(VendorIds)
+ | top 25 by count_ asc
diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md
new file mode 100644
index 00000000..230ef86c
--- /dev/null
+++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md
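Review bot: All three `Template` blocks splice `{{unit}}` and `{{hourorday}}` textually into `ago({{unit}}{{hourorday}})`, and `GetPnPEventsFromDevice` splices `{{devicename}}` inside a double-quoted KQL string literal, while the corresponding `Inputs` entries only describe the expected values and do not constrain them; a `unit` that is not a whole number, a `hourorday` other than `h`/`d`, or a `devicename` containing characters that are meaningful inside a KQL string literal alters the text of the query rather than just its parameters, so the skill either fails with a parse error or runs something other than what its Description promises. At minimum the `Description` fields should state the accepted values explicitly, e.g. `Description: time unit, exactly "h" (hours) or "d" (days)` and `Description: whole number of hours or days`, and if the manifest format offers an allowed-values list for Inputs that should be used in preference to prose. The same pattern recurs in all six Templates of MDE_SmartScreen.yaml later in this commit, so one fix should cover both files. Separately, the file is named MDE_Plug_and_Plug.yaml (and the readme repeats that name) while the Descriptor says "Plug and Play"; presumably a typo, and cheaper to rename now than after other docs reference it.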
@@ -0,0 +1,34 @@
+# Security Copilot Plugin: MDE Plug and Play (PnP)
+
+### **This KQL plugin enables SOC analysts to get insights about external devices that have been connected to a device, based on the Defender for Endpoint DeviceEvents table.**
+
+### Prerequisites
+
+- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1. Obtain the file MDE_Plug_and_Plug.yaml from this directory.
+2. Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **GetPnPTop25Devices**: Fetches a count of the top 25 PnP devices across the estate
+- **GetPnPLeastCommonDevices**: Fetches a count of the 25 least common PnP devices which could be anomalous
+- **GetPnPEventsFromDevice**: Summarises the PnP connection events from a specific device over a set timeframe
+
+#### Example Prompts
+
+- Get a list of PnP events from device DEVICENAME from the last 7 days
+- Fetch a list of the top 25 PnP devices from the last 24 hours
+- List the 25 least common PnP devices from the last 30 days
+
+#### Example Usage
+
+1. A SOC analyst is investigating a data exfiltration alert and requires further details on the methods used.
+2. The GetPnPEventsFromDevice skill is used to get a summary of the PnP devices connected to a laptop over the past 24 hours.
diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml
new file mode 100644
index 00000000..15ef11a4
--- /dev/null
+++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml
@@ -0,0 +1,185 @@
+Descriptor:
+ Name: MDESmartScreen
+ DisplayName: MDE SmartScreen
+ Description: Skills to query MDE device tables to get insights about SmartScreen events
+
+SkillGroups:
+ - Format: KQL
+ Skills:
+ - Name: GetSmartScreenEvents
+ DisplayName: Get SmartScreen Events
+ Description: Summarises SmartScreen events over a specified timeframe
+ ExamplePrompt:
+ - 'SmartScreen Events'
+ - 'Get a list of SmartScreen events from the past 24 hours'
+ - 'Get a list of SmartScreen events from the past 7 days'
+ - 'Fetch a list of SmartScreen events from the past 24 hours'
+ - 'Fetch a list of SmartScreen events from the past 7 days'
+ - 'List the SmartScreen events from the past 24 hours'
+ - 'List the SmartScreen events from the past 7 days'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 7
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType contains "Smartscreen"
+ | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields
+ - Format: KQL
+ Skills:
+ - Name: GetSmartScreenWarningEvents
+ DisplayName: Get SmartScreen Warning Events
+ Description: Summarises SmartScreen warning events over a specified timeframe
+ ExamplePrompt:
+ - 'SmartScreen Warning Events'
+ - 'Get a list of SmartScreen warning events from the past 24 hours'
+ - 'Get a list of SmartScreen warning events from the past 7 days'
+ - 'Fetch a list of SmartScreen warning events from the past 24 hours'
+ - 'Fetch a list of SmartScreen warning events from the past 7 days'
+ - 'List the SmartScreen warning events from the past 24 hours'
+ - 'List the SmartScreen warning events from the past 7 days'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 7
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType == @"SmartScreenUrlWarning"
+ | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields
+ - Format: KQL
+ Skills:
+ - Name: GetSmartScreenBypassEvents
+ DisplayName: Get SmartScreen Bypass Events
+ Description: Summarises SmartScreen bypass events over a specified timeframe
+ ExamplePrompt:
+ - 'SmartScreen User Override'
+ - 'SmartScreen Bypass'
+ - 'Get a list of SmartScreen bypass events from the past 24 hours'
+ - 'Get a list of SmartScreen override events from the past 7 days'
+ - 'Fetch a list of SmartScreen override events from the past 24 hours'
+ - 'Fetch a list of SmartScreen bypass events from the past 7 days'
+ - 'List the SmartScreen override events from the past 24 hours'
+ - 'List the SmartScreen bypass events from the past 7 days'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 7
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType == @"SmartScreenUserOverride"
+ | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields
+ - Format: KQL
+ Skills:
+ - Name: GetSmartScreenEventsURL
+ DisplayName: Get SmartScreen Events URL
+ Description: Fetches a count of SmartScreen events grouped by URL
+ ExamplePrompt:
+ - 'SmartScreen URLs'
+ - 'Get a list of URLs identified by SmartScreen from the past 24 hours'
+ - 'Get a list of URLs identified by SmartScreen from the past 7 days'
+ - 'Fetch a list of URLs identified by SmartScreen from the past 24 hours'
+ - 'Fetch a list of URLs identified by SmartScreen from the past 7 days'
+ - 'List the URLs identified by SmartScreen from the past 24 hours'
+ - 'List the URLs identified by SmartScreen from the past 7 days'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 7
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType contains "SmartScreen"
+ | project ActionType, RemoteUrl
+ | summarize count() by ActionType, RemoteUrl
+ - Format: KQL
+ Skills:
+ - Name: GetSmartScreenWarningEventsURL
+ DisplayName: Get SmartScreen Warning Events URL
+ Description: Fetches a count of SmartScreen warning events grouped by URL
+ ExamplePrompt:
+ - 'SmartScreen URLs Warning'
+ - 'Get a list of URLs marked with a warning by SmartScreen from the past 24 hours'
+ - 'Get a list of URLs marked with a warning by SmartScreen from the past 7 days'
+ - 'Fetch a list of URLs marked with a warning by SmartScreen from the past 24 hours'
+ - 'Fetch a list of URLs marked with a warning by SmartScreen from the past 7 days'
+ - 'List the URLs marked with a warning by SmartScreen from the past 24 hours'
+ - 'List the URLs marked with a warning by SmartScreen from the past 7 days'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 7
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType == @"SmartScreenUrlWarning"
+ | project ActionType, RemoteUrl
+ | summarize count() by ActionType, RemoteUrl
+ - Format: KQL
+ Skills:
+ - Name: GetSmartScreenBypassEventsURL
+ DisplayName: Get SmartScreen Bypass Events URL
+ Description: Fetches a count of SmartScreen bypass events grouped by URL
+ ExamplePrompt:
+ - 'SmartScreen URLs User Override'
+ - 'SmartScreen URLs Bypass'
+ - 'Get a list of URLs where the user has overridden SmartScreen from the past 24 hours'
+ - 'Get a list of URLs where the user has bypassed SmartScreen from the past 7 days'
+ - 'Fetch a list of URLs where the user has overridden SmartScreen from the past 24 hours'
+ - 'Fetch a list of URLs where the user has bypassed SmartScreen from the past 7 days'
+ - 'List the URLs where the user has bypassed SmartScreen from the past 24 hours'
+ - 'List the URLs where the user has overridden SmartScreen from the past 7 days'
+ Inputs:
+ - Name: hourorday
+ Description: hours (h) or days (d)
+ Required: false
+ DefaultValue: d
+ - Name: unit
+ Description: number of hours or days
+ Required: false
+ DefaultValue: 7
+ Settings:
+ Target: Defender
+ Template: |-
+ DeviceEvents
+ | where Timestamp >= ago({{unit}}{{hourorday}})
+ | where ActionType == @"SmartScreenUserOverride"
+ | project ActionType, RemoteUrl
+ | summarize count() by ActionType, RemoteUrl
diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md
new file mode 100644
index 00000000..7a85a47e
--- /dev/null
+++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md
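Review bot: `GetSmartScreenEvents`, `GetSmartScreenWarningEvents` and `GetSmartScreenBypassEvents` are described as summarising events over a timeframe, yet their `project` lists omit `Timestamp`, so the analyst receives rows with no indication of when each warning or override occurred and cannot sort or triage them within the window. Add it as the first projected column in all three, e.g. `| project Timestamp, DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields`. The two catch-all skills also disagree on spelling: `GetSmartScreenEvents` filters with `ActionType contains "Smartscreen"` while `GetSmartScreenEventsURL` uses `contains "SmartScreen"`; KQL `contains` is case-insensitive so both return the same rows, but the two lines should be made identical, and since both explicit ActionTypes in this file (`SmartScreenUrlWarning`, `SmartScreenUserOverride`) begin with that prefix, `ActionType startswith "SmartScreen"` would state the intent more precisely than a substring match. As a point of style, the first three skills return `AdditionalFields` raw whereas the PnP plugin in the same commit parses out the fields it needs with `parse_json`; doing the same here would make the output consistent across the two plugins.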
@@ -0,0 +1,43 @@
+# Security Copilot Plugin: MDE SmartScreen
+
+### **This KQL plugin enables SOC analysts and engineers to get insights about SmartScreen warning pages and bypasses, using the Defender for Endpoint DeviceEvents table.**
+
+### Prerequisites
+
+- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+- [Microsoft Defender SmartScreen settings configured](https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1. Obtain the file MDE_SmartScreen.yaml from this directory.
+2. Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **GetSmartScreenEvents**: Summarises SmartScreen events over a specified timeframe
+- **GetSmartScreenWarningEvents**: Summarises SmartScreen warning events over a specified timeframe
+- **GetSmartScreenBypassEvents**: Summarises SmartScreen bypass events over a specified timeframe
+- **GetSmartScreenEventsURL**: Fetches a count of SmartScreen events grouped by URL
+- **GetSmartScreenWarningEventsURL**: Fetches a count of SmartScreen warning events grouped by URL
+- **GetSmartScreenBypassEventsURL**: Fetches a count of SmartScreen bypass events grouped by URL
+
+#### Example Prompts
+
+- Get a list of SmartScreen events from the past 7 days
+- Fetch a list of SmartScreen warning events from the past 24 hours
+- List the SmartScreen override events from the past 7 days
+- Get a list of URLs identified by SmartScreen from the past 24 hours
+- Fetch a list of URLs marked with a warning by SmartScreen from the past 7 days
+- List the URLs where the user has bypassed SmartScreen from the past 24 hours
+
+#### Example Usage
+
+1. A desktop engineer is drafting a report for senior leadership about the organisation’s protection against phishing or malware websites and applications.
+2. The GetSmartScreenEvents skill is used to get a summary of the SmartScreen events from the past 30 days.
+3. The GetSmartScreenBypassEvents skill is used to identify users who are ignored the warning message and may require further security education and awareness training.
+4. The Generic plugin is used to summarise the previous prompts and provide recommendations about changes to the current configuration.