From db55493aa1549ab3bb3f1ceb90a69e8ebecfdb8d Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Thu, 9 Jan 2025 14:43:02 -0500
Subject: [PATCH 1/5] adding permission for exchange module
---
 Deploy/GrantPermissions.ps1 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Deploy/GrantPermissions.ps1 b/Deploy/GrantPermissions.ps1
index 86b4f3f..056f56b 100644
--- a/Deploy/GrantPermissions.ps1
+++ b/Deploy/GrantPermissions.ps1
@@ -154,6 +154,7 @@ function Set-RBACPermissions ($MSIName, $Role) {
 Set-RBACPermissions -MSIName $STATIdentityName -Role "Microsoft Sentinel Responder"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5" -PermissionName "Data.Read"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "00000003-0000-0000-c000-000000000000" -PermissionName "MailboxSettings.Read"
+Set-APIPermissions -MSIName $STATIdentityName -AppId "00000003-0000-0000-c000-000000000000" -PermissionName "Mail.ReadBasic.All"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "fc780465-2017-40d4-a0c5-307022471b92" -PermissionName "AdvancedQuery.Read.All"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "fc780465-2017-40d4-a0c5-307022471b92" -PermissionName "Machine.Read.All"
 Set-APIPermissions -MSIName $STATIdentityName -AppId "fc780465-2017-40d4-a0c5-307022471b92" -PermissionName "File.Read.All"
From beb19b83a78a3476b4852e086edf28fa1daeefdd Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Thu, 9 Jan 2025 14:54:33 -0500
Subject: [PATCH 2/5] connector update for exchange
---
 Connector/connector.json | 78 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 75 insertions(+), 3 deletions(-)
diff --git a/Connector/connector.json b/Connector/connector.json
index 006b946..434526a 100644
--- a/Connector/connector.json
+++ b/Connector/connector.json
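Review bot: The added Mail.ReadBasic.All grant is an application permission on a managed identity, so it applies to every mailbox in the tenant, yet nothing on the line records which module needs it or what it reads, and the grant will outlive the feature if the Exchange module is later removed. A one-line comment above it, `# Exchange Online module: tenant-wide read of basic mail metadata via Microsoft Graph`, keeps the grant traceable; if the module only needs a subset of mailboxes, an Exchange Online application access policy can scope this permission and is worth mentioning in the deployment docs. Set-APIPermissions is defined outside the hunk, so whether a failed grant is reported rather than silently skipped is not visible here.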
@@ -589,8 +589,8 @@
 },
 "/api/modules/oofmodule": {
 "post": {
- "summary": "Out of Office Module",
- "description": "Sentinel Triage AssistanT Module for determining if user entities are out of the office.",
+ "summary": "Exchange Online Module",
+ "description": "Sentinel Triage AssistanT Module for reviewing Exchange Online risks.",
 "operationId": "OOFModule",
 "parameters": [
 {
@@ -609,6 +609,58 @@
 ],
 "x-ms-visibility": "advanced"
 },
+ "AddIncidentTask": {
+ "type": "boolean",
+ "description": "Add a task to Microsoft Sentinel Incident",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
+ "IncidentTaskInstructions": {
+ "type": "string",
+ "description": "Instructions to include in the Microsoft Sentinel Task",
+ "x-ms-visibility": "advanced"
+ },
+ "LookbackInDays": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Number of days to lookback in EXO audit logs",
+ "title": "",
+ "x-ms-visibility": "advanced"
+ },
+ "CheckAuditLog": {
+ "type": "boolean",
+ "description": "Check Exchange Online Audit Logs",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
+ "CheckOutOfOffice": {
+ "type": "boolean",
+ "description": "Check Out of Office status",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
+ "CheckRules": {
+ "type": "boolean",
+ "description": "Check Exchange Online mailbox rules",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
 "BaseModuleBody": {
 "type": "object",
 "description": "Body from STAT Base Module",
@@ -642,7 +694,7 @@
 "type": "boolean",
 "description": "true if All users are out of the office"
 },
- "DetailedResults": {
+ "OOF": {
 "type": "array",
 "items": {
 "type": "object",
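Review bot: `LookbackInDays` in the new parameter block carries no `minimum`, `maximum` or `default`, so the connector accepts zero, negative or very large day counts and callers cannot see what window the function uses when the value is omitted. Adding `"minimum": 1` and a `"default"` equal to the function's own fallback (not visible in this diff) would make the audit-log window explicit, and the description should state the upper bound the audit log retention actually supports. The same block sets `"title": ""` on five of the six new parameters and omits it on `IncidentTaskInstructions`; either drop the empty titles or give all six a title so the form renders consistently.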
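Review bot: Renaming the response property `DetailedResults` to `OOF` is a breaking change for any playbook that already reads this module's output by the old name, and the description kept as context at the top of the @@ -667 hunk, `"Array of by user DetailedResults"`, still refers to the removed name. Update that description to `"Array of per-user out of office results"` and call out the rename in the release notes for the 2.1.0 bump in the next commit; if compatibility matters, keeping `DetailedResults` alongside `OOF` for one release avoids silent breakage. The summary/description rename in the first hunk keeps the path `/api/modules/oofmodule` and `operationId` `OOFModule`, which is fine for compatibility but worth one sentence in the description so the mismatch reads as deliberate.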
@@ -667,6 +719,26 @@
 },
 "description": "Array of by user DetailedResults"
 },
+ "RulesDelete": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of mail rules with deletion found"
+ },
+ "RulesMove": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of mail rules with move found"
+ },
+ "RulesForward": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of mail rules with forward found"
+ },
+ "DelegationsFound": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of delegation audits found"
+ },
 "UsersInOffice": {
 "type": "integer",
 "format": "int32",
From 9265019ea3d6c705a295aac78d8fe0b8fdc819bd Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Thu, 9 Jan 2025 14:55:53 -0500
Subject: [PATCH 3/5] connector version update for exchange
---
 Connector/connector.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Connector/connector.json b/Connector/connector.json
index 434526a..30ea7de 100644
--- a/Connector/connector.json
+++ b/Connector/connector.json
@@ -30,7 +30,7 @@
 }
 },
 "variables": {
- "STATConnectorVersion": "2.0.21"
+ "STATConnectorVersion": "2.1.0"
 },
 "resources": [
 {
From b1ce8d761bd73d1a57979e211e86dd98a99e943a Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Mon, 13 Jan 2025 14:43:59 -0500
Subject: [PATCH 4/5] change OOF body displayname to exchange
---
 Connector/connector.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Connector/connector.json b/Connector/connector.json
index 30ea7de..ffa13a5 100644
--- a/Connector/connector.json
+++ b/Connector/connector.json
@@ -684,7 +684,7 @@
 "description": "default",
 "schema": {
 "type": "object",
- "description": "OOF Module Body",
+ "description": "Exchange Module Body",
 "properties": {
 "AllUsersInOffice": {
 "type": "boolean",
From 19804573a3464315f13045fb4eff66caddf782b7 Mon Sep 17 00:00:00 2001
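Review bot: The four new counters `RulesDelete`, `RulesMove`, `RulesForward` and `DelegationsFound` are described only as "Count of ... found" without saying over which scope they are counted (all user entities in the incident, or only users whose rules were flagged) or what zero means when `CheckRules` or `CheckAuditLog` was false, so a playbook condition such as `RulesForward > 0` cannot be written with confidence. Make the descriptions state the scope, e.g. `"Count of inbox rules that forward mail, summed across the incident's user entities; 0 when CheckRules is false"`, adjusted to what the function actually does. Forwarding and deletion rules are the high-signal items for mailbox-compromise triage, so if the function also returns the matching rules' details, exposing that array in the schema rather than only a count lets a playbook put the evidence into the incident task.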
From: Brian Delaney
Date: Fri, 17 Jan 2025 15:02:57 -0500
Subject: [PATCH 5/5] point to v2.1 package
---
 Deploy/deployui.json | 4 ++--
 Modules/versions.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Deploy/deployui.json b/Deploy/deployui.json
index ee9ff25..8ce2667 100644
--- a/Deploy/deployui.json
+++ b/Deploy/deployui.json
@@ -546,7 +546,7 @@
 "type": "Microsoft.Common.TextBox",
 "label": "STAT Function ZIP Package",
 "placeholder": "",
- "defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.21/stat.zip",
+ "defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip",
 "toolTip": "Full path to the STAT Function ZIP deployment package",
 "constraints": {
 "required": true,
@@ -580,7 +580,7 @@
 "STATConnectorName": "[coalesce(steps('namingStep').customNaming.statConnectorName, 'SentinelTriageAssistantv2')]",
 "STATConnectorDisplayName": "[coalesce(steps('namingStep').customNaming.statConnectorDisplayName, 'STAT v2')]",
 "storageAccountType": "Standard_LRS",
- "FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.0.21/stat.zip')]",
+ "FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip')]",
 "MSGraphEndpoint": "[coalesce(steps('apiStep').customApi.graphApi,'graph.microsoft.com')]",
 "M365Endpoint": "[coalesce(steps('apiStep').customApi.m365Api,'api.security.microsoft.com')]",
 "MDEEndpoint": "[coalesce(steps('apiStep').customApi.mdeApi,'api.securitycenter.microsoft.com')]",
diff --git a/Modules/versions.json b/Modules/versions.json
index 8c68317..6d08ddc 100644
--- a/Modules/versions.json
+++ b/Modules/versions.json
@@ -9,8 +9,8 @@
 "RelatedAlerts": "0.3.0",
 "RunPlaybook": "0.0.1",
 "ScoringModule": "0.1.0",
- "STATConnector": "1.5.1",
- "STATFunction": "2.0.14",
+ "STATConnector": "2.1.0",
+ "STATFunction": "2.1.0",
 "TIModule": "0.2.0",
 "UEBAModule": "0.1.1",
 "WatchlistModule": "0.1.0"