IOC Query Builder and ASR Custom Plugins #115

Open
wants to merge 13 commits into
base: main
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
Descriptor:
Name: IOCQueryBuilder
DisplayName: IOC Query Builder
Description: Skills for formatting a list of IOCs so they can be used by SOC analysts in KQL queries

SkillGroups:
- Format: GPT
Skills:
- Name: GenerateIOCListForKQL
DisplayName: Generate IOC List For KQL
Description: Formats a list of IOCs so they can be used by SOC analysts in KQL queries
Inputs:
- Name: iocs
Description: The unformatted list of IOCs
Settings:
ModelName: gpt-4-32k-v0613
Template: |-
When a security operations analyst recieves a list of indicators of compromise (IOCs), they will search their SIEM tool to identify if a system may have been infiltrated by a cyber threat. The list of IOCs will need to be formatted in such as way that it can be included in a KQL query.

Some examples of this formatting in KQL:
1. microsoft.com securitycopilot.microsoft.com security.microsoft.com --> 'microsoft.com','securitycopilot.microsoft.com','security.microsoft.com'
2. 1.1.1.1 8.8.8.8 --> '1.1.1.1','8.8.8.8'

Format any IOCs in the following text and return the new text:
{{iocs}}
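Review bot: the last two lines of the template (`Format any IOCs in the following text and return the new text:` followed by `{{iocs}}`) paste untrusted text straight into the GPT prompt with no constraint on what the model may return, and the README pairs this skill with FetchURL, so content from a third-party web page becomes part of the instruction and the result is meant to land in a KQL query. Tighten the template so the model returns only a single-quoted, comma-separated list and nothing else (and ignores any instructions found inside the input), and state how defanged indicators such as `hxxp://` or `example[.]com` should be handled, since the two examples (domains and IPv4 addresses) do not cover them. Minor: `recieves` and `such as way` in the first paragraph should be `receives` and `such a way`; the `iocs` input has no `Required: true`, and the skill has no `ExamplePrompt`, unlike the ASR skills in this PR.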
20 changes: 20 additions & 0 deletions Plugins/Community Based Plugins/IOC Query Builder/Readme.md
@@ -0,0 +1,20 @@
# Copilot for Security Plugin: IOC Query Builder

### **This GPT plugin enables a SOC analyst to input a list of indicators of compromise (IOCs) and format them so they can be used in a KQL query in Sentinel and/or Defender XDR.**

### Pre-requisites

- [Copilot for Security Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)

### Instructions

#### Upload the Custom Plugin

1. Obtain the file IOC_Query_Builder.yaml from this directory.
2. Upload the custom plugin

#### Example Usage

1. Use the FetchURL skill to gather a list of IOCs from a threat intelligence report webpage.
2. Use the GenerateIOCListForKQL skill to format the list of IOCs for use in a KQL query.
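Review bot: step 2 under `Upload the Custom Plugin` reads only `Upload the custom plugin`; link it to the manage-plugins page already cited under Pre-requisites so the reader knows where the YAML goes. Under `Example Usage`, add a sentence that the FetchURL output is untrusted page content handed to a GPT skill and that the formatted list should be checked against the original indicators before it is pasted into a Sentinel or Defender XDR query; the skill's own template does not validate its output.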
@@ -0,0 +1,173 @@
Descriptor:
Name: MDEAttackSurfaceReduction
DisplayName: MDE Attack Surface Reduction (ASR)
Description: Skills to query MDE device tables to get insights about ASR rules

SkillGroups:
- Format: KQL
Skills:
- Name: GetASREventCountWithinTimeframe
DisplayName: Get ASR Event Count Within Timeframe
Description: Fetches a count of ASR events within the specified timeframe
ExamplePrompt:
- 'Attack Surface Reduction Rules'
- 'ASR Audit Events'
- 'ASR Blocked Events'
- 'ASR Event Count'
Inputs:
- Name: hourorday
Description: hours (h) or days (d)
Required: true
- Name: unit
Description: number of hours or days
Required: true
Settings:
Target: Defender
Template: |-
DeviceEvents
| where Timestamp >= ago({{unit}}{{hourorday}})
| where ActionType startswith "ASR"
| project ActionType
| summarize count() by ActionType
- Format: KQL
Skills:
- Name: GetASREventsForDevice
DisplayName: Get ASR Events From Device
Description: Fetches a count of ASR events for a specified device name or device ID
ExamplePrompt:
- 'Attack Surface Reduction Rules'
- 'ASR Audit Events'
- 'ASR Blocked Events'
- 'ASR Device Events'
Inputs:
- Name: devicename
Description: device name or id
Required: true
- Name: hourorday
Description: hours (h) or days (d)
Required: false
DefaultValue: d
- Name: unit
Description: number of hours or days
Required: false
DefaultValue: 7
Settings:
Target: Defender
Template: |-
let Device = "{{devicename}}";
DeviceEvents
| where Timestamp >= ago({{unit}}{{hourorday}})
| where DeviceName =~ Device or DeviceId =~ Device
| where ActionType startswith "ASR"
| project ActionType
| summarize count() by ActionType
- Format: KQL
Skills:
- Name: GetASREventsForFile
DisplayName: Get ASR Events For File
Description: Fetches a count of ASR events for a specified file name
ExamplePrompt:
- 'Attack Surface Reduction Rules'
- 'ASR Audit Events'
- 'ASR Blocked Events'
- 'ASR File Events'
Inputs:
- Name: filename
Description: file name
Required: true
- Name: hourorday
Description: hours (h) or days (d)
Required: false
DefaultValue: d
- Name: unit
Description: number of hours or days
Required: false
DefaultValue: 7
Settings:
Target: Defender
Template: |-
DeviceEvents
| where Timestamp >= ago({{unit}}{{hourorday}})
| where ActionType startswith "ASR"
| where FileName contains "{(unknown)}"
| project ActionType, FileName
| summarize count() by ActionType, FileName
- Format: KQL
Skills:
- Name: GetASRBlockedEvents
DisplayName: Get ASR Blocked Events
Description: Fetches a count of the top 25 ASR blocked events
ExamplePrompt:
- 'Attack Surface Reduction Rules'
- 'ASR Blocked Events'
Inputs:
- Name: hourorday
Description: hours (h) or days (d)
Required: false
DefaultValue: h
- Name: unit
Description: number of hours or days
Required: false
DefaultValue: 24
Settings:
Target: Defender
Template: |-
DeviceEvents
| where Timestamp >= ago({{unit}}{{hourorday}})
| where ActionType startswith "ASR" and ActionType endswith "Blocked"
| project ActionType, FileName
| summarize count() by ActionType, FileName
| top 25 by count_
- Format: KQL
Skills:
- Name: GetASRAuditedEvents
DisplayName: Get ASR Audited Events
Description: Fetches a count of the top 25 ASR audited events
ExamplePrompt:
- 'Attack Surface Reduction Rules'
- 'ASR Audited Events'
Inputs:
- Name: hourorday
Description: hours (h) or days (d)
Required: false
DefaultValue: h
- Name: unit
Description: number of hours or days
Required: false
DefaultValue: 24
Settings:
Target: Defender
Template: |-
DeviceEvents
| where Timestamp >= ago({{unit}}{{hourorday}})
| where ActionType startswith "ASR" and ActionType endswith "Audited"
| project ActionType, FileName
| summarize count() by ActionType, FileName
| top 25 by count_
- Format: KQL
Skills:
- Name: GetASREventsByCategory
DisplayName: Get ASR Events By Category
Description: Fetches a count of ASR events grouped by category and day
ExamplePrompt:
- 'Attack Surface Reduction Rules'
- 'ASR Audited Events'
- 'ASR Blocked Events'
- 'ASR Event Category'
Inputs:
- Name: hourorday
Description: hours (h) or days (d)
Required: false
DefaultValue: d
- Name: unit
Description: number of hours or days
Required: false
DefaultValue: 7
Settings:
Target: Defender
Template: |-
DeviceEvents
| where Timestamp >= ago({{unit}}{{hourorday}})
| where ActionType startswith "asr"
| summarize Email = countif(ActionType in ("AsrExecutableEmailContentBlocked", "AsrOfficeCommAppChildProcessBlocked")), Script = countif(ActionType in ("AsrObfuscatedScriptBlocked", "AsrScriptExecutableDownloadBlocked")), WMI = countif(ActionType in ("AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked")), OfficeApp = countif(ActionType in ("AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked", "AsrExecutableOfficeContentBlocked", "AsrOfficeProcessInjectionBlocked")), 3rdPartyApp = countif(ActionType == "AsrAdobeReaderChildProcessBlocked"), WindowsCredentials = countif(ActionType == "AsrLsassCredentialTheftBlocked"), PolymorphicThreats = countif(ActionType in ("AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrRansomwareBlocked", "AsrVulnerableSignedDriverBlocked")) by bin(Timestamp, 1d)
| sort by Timestamp
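Review bot: the `GetASREventsForFile` template filters on `| where FileName contains "{(unknown)}"` instead of the declared `{{filename}}` input, so the value the analyst supplies is never used; fix that line before merge. Across all six skills the inputs are spliced into the KQL as raw text: `ago({{unit}}{{hourorday}})` accepts any string, and `"{{devicename}}"` and the file name sit inside double-quoted literals, so a value containing `"` breaks the query; the `Description` fields should state the accepted values (`h` or `d`, and an integer) so the orchestrator has something to validate against. The input names are also backwards: `hourorday` carries the unit suffix and `unit` carries the number; names such as `timeunit` and `timevalue` would be clearer. In `GetASREventsByCategory` every `countif` lists only `*Blocked` action types, so audited events are dropped even though the ExamplePrompt includes `'ASR Audited Events'` and the Description says `ASR events`; either add the `*Audited` variants or say the skill counts blocks only. The column name `3rdPartyApp` starts with a digit and needs bracket quoting in KQL (`['3rdPartyApp']`). Finally, `| project ActionType` before `| summarize count() by ActionType` in the first two skills is redundant.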
@@ -0,0 +1,32 @@
# Copilot for Security Plugin: MDE Attack Surface Reduction (ASR)

### **This KQL plugin enables SOC analysts and engineers to get insights about ASR rules in their environment based on the Defender for Endpoint DeviceEvents table.**

### Pre-requisites

- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
- [Attack Surface Reduction rules enabled](https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction#configure-attack-surface-reduction-capabilities)

### Instructions

#### Upload the Custom Plugin

1. Obtain the file MDE_Attack_Surface_Reduction.yaml from this directory.
2. Upload the custom plugin

#### Skills

- **GetASREventCountWithinTimeframe**: Fetches a count of ASR events within the specified timeframe
- **GetASREventsForDevice**: Fetches a count of ASR events for a specified device name or device ID
- **GetASREventsForFile**: Fetches a count of ASR events for a specified file name
- **GetASRBlockedEvents**: Fetches a count of the top 25 ASR blocked events
- **GetASRAuditedEvents**: Fetches a count of the top 25 ASR audited events
- **GetASREventsByCategory**: Fetches a count of ASR events grouped by category and day

#### Example Usage

1. A desktop engineer is drafting a report for senior leadership about the organisation’s attack surface.
2. The GetASREventCountWithinTimeframe skill is used to get a summary of the ASR rules that were triggered over the past 30 days.
3. The Microsoft Defender Threat Intelligence (MDTI) plugin is used to get context about the tactics, techniques and procedures (TTPs) that the ASR rules will protect against.
4. The Generic plugin is used to summarise the previous prompts and provide recommendations about which ASR audit rules should be switched to blocked.
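Review bot: the README never documents the skill inputs, yet every skill takes `hourorday` (h or d) and `unit` (a number), most with defaults of 7 days or 24 hours, and `GetASREventCountWithinTimeframe`, the one used in the example, has no defaults at all; add an Inputs section so the `past 30 days` in step 2 can actually be expressed. Step 2 also says the skill returns `a summary of the ASR rules that were triggered`, whereas the template returns a count per `ActionType`, leaving the mapping from ActionType to rule name to the reader. Step 4 has the Generic plugin recommend which audit rules to switch to block; note that the audit counts from step 2 are the evidence for that decision and should be reviewed by the engineer rather than taken from the summary alone. As in the other README, step 2 under `Upload the Custom Plugin` should link to the manage-plugins page already listed under Pre-requisites.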