Merge pull request #484 from briandelmsft/exchange_module

Exchange Module Update, link deployment to new build

Author: piaudonn

Connector/connector.json

@@ -30,7 +30,7 @@
         }
     },
     "variables": {
-        "STATConnectorVersion": "2.0.21"
+        "STATConnectorVersion": "2.1.0"
     },
     "resources": [
         {
@@ -589,8 +589,8 @@
                         },
                         "/api/modules/oofmodule": {
                             "post": {
-                                "summary": "Out of Office Module",
-                                "description": "Sentinel Triage AssistanT Module for determining if user entities are out of the office.",
+                                "summary": "Exchange Online Module",
+                                "description": "Sentinel Triage AssistanT Module for reviewing Exchange Online risks.",
                                 "operationId": "OOFModule",
                                 "parameters": [
                                     {
@@ -609,6 +609,58 @@
                                                     ],
                                                     "x-ms-visibility": "advanced"
                                                 },
+                                                "AddIncidentTask": {
+                                                    "type": "boolean",
+                                                    "description": "Add a task to Microsoft Sentinel Incident",
+                                                    "title": "",
+                                                    "enum": [
+                                                        true,
+                                                        false
+                                                    ],
+                                                    "x-ms-visibility": "advanced"
+                                                },
+                                                "IncidentTaskInstructions": {
+                                                    "type": "string",
+                                                    "description": "Instructions to include in the Microsoft Sentinel Task",
+                                                    "x-ms-visibility": "advanced"
+                                                },
+                                                "LookbackInDays": {
+                                                    "type": "integer",
+                                                    "format": "int32",
+                                                    "description": "Number of days to lookback in EXO audit logs",
+                                                    "title": "",
+                                                    "x-ms-visibility": "advanced"
+                                                },
+                                                "CheckAuditLog": {
+                                                    "type": "boolean",
+                                                    "description": "Check Exchange Online Audit Logs",
+                                                    "title": "",
+                                                    "enum": [
+                                                        true,
+                                                        false
+                                                    ],
+                                                    "x-ms-visibility": "advanced"
+                                                },
+                                                "CheckOutOfOffice": {
+                                                    "type": "boolean",
+                                                    "description": "Check Out of Office status",
+                                                    "title": "",
+                                                    "enum": [
+                                                        true,
+                                                        false
+                                                    ],
+                                                    "x-ms-visibility": "advanced"
+                                                },
+                                                "CheckRules": {
+                                                    "type": "boolean",
+                                                    "description": "Check Exchange Online mailbox rules",
+                                                    "title": "",
+                                                    "enum": [
+                                                        true,
+                                                        false
+                                                    ],
+                                                    "x-ms-visibility": "advanced"
+                                                },
                                                 "BaseModuleBody": {
                                                     "type": "object",
                                                     "description": "Body from STAT Base Module",
@@ -632,7 +684,7 @@
                                         "description": "default",
                                         "schema": {
                                             "type": "object",
-                                            "description": "OOF Module Body",
+                                            "description": "Exchange Module Body",
                                             "properties": {
                                                 "AllUsersInOffice": {
                                                     "type": "boolean",
@@ -642,7 +694,7 @@
                                                     "type": "boolean",
                                                     "description": "true if All users are out of the office"
                                                 },
-                                                "DetailedResults": {
+                                                "OOF": {
                                                     "type": "array",
                                                     "items": {
                                                         "type": "object",
@@ -667,6 +719,26 @@
                                                     },
                                                     "description": "Array of by user DetailedResults"
                                                 },
+                                                "RulesDelete": {
+                                                    "type": "integer",
+                                                    "format": "int32",
+                                                    "description": "Count of mail rules with deletion found"
+                                                },
+                                                "RulesMove": {
+                                                    "type": "integer",
+                                                    "format": "int32",
+                                                    "description": "Count of mail rules with move found"
+                                                },
+                                                "RulesForward": {
+                                                    "type": "integer",
+                                                    "format": "int32",
+                                                    "description": "Count of mail rules with forward found"
+                                                },
+                                                "DelegationsFound": {
+                                                    "type": "integer",
+                                                    "format": "int32",
+                                                    "description": "Count of delegation audits found"
+                                                },
                                                 "UsersInOffice": {
                                                     "type": "integer",
                                                     "format": "int32",

Deploy/GrantPermissions.ps1

@@ -154,6 +154,7 @@ function Set-RBACPermissions ($MSIName, $Role) {
 Set-RBACPermissions -MSIName $STATIdentityName -Role "Microsoft Sentinel Responder"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5" -PermissionName "Data.Read"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "00000003-0000-0000-c000-000000000000" -PermissionName "MailboxSettings.Read"
+Set-APIPermissions -MSIName $STATIdentityName -AppId "00000003-0000-0000-c000-000000000000" -PermissionName "Mail.ReadBasic.All"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "fc780465-2017-40d4-a0c5-307022471b92" -PermissionName "AdvancedQuery.Read.All"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "fc780465-2017-40d4-a0c5-307022471b92" -PermissionName "Machine.Read.All"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "fc780465-2017-40d4-a0c5-307022471b92" -PermissionName "File.Read.All"

Deploy/deployui.json

@@ -546,7 +546,7 @@
                                 "type": "Microsoft.Common.TextBox",
                                 "label": "STAT Function ZIP Package",
                                 "placeholder": "",
-                                "defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.21/stat.zip",
+                                "defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip",
                                 "toolTip": "Full path to the STAT Function ZIP deployment package",
                                 "constraints": {
                                     "required": true,
@@ -580,7 +580,7 @@
             "STATConnectorName": "[coalesce(steps('namingStep').customNaming.statConnectorName, 'SentinelTriageAssistantv2')]",
             "STATConnectorDisplayName": "[coalesce(steps('namingStep').customNaming.statConnectorDisplayName, 'STAT v2')]",
             "storageAccountType": "Standard_LRS",
-            "FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.21/stat.zip')]",
+            "FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip')]",
             "MSGraphEndpoint": "[coalesce(steps('apiStep').customApi.graphApi,'graph.microsoft.com')]",
             "M365Endpoint": "[coalesce(steps('apiStep').customApi.m365Api,'api.security.microsoft.com')]",
             "MDEEndpoint": "[coalesce(steps('apiStep').customApi.mdeApi,'api.securitycenter.microsoft.com')]",

Modules/versions.json

@@ -9,8 +9,8 @@
     "RelatedAlerts": "0.3.0",
     "RunPlaybook": "0.0.1",
     "ScoringModule": "0.1.0",
-    "STATConnector": "1.5.1",
-    "STATFunction": "2.0.14",
+    "STATConnector": "2.1.0",
+    "STATFunction": "2.1.0",
     "TIModule": "0.2.0",
     "UEBAModule": "0.1.1",
     "WatchlistModule": "0.1.0"