From b8198f6cdbfcbc99acc24cf6cf496d74491becce Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Fri, 14 Mar 2025 13:10:17 -0400
Subject: [PATCH 1/8] Exposure module basics for connector
---
 Connector/connector.json | 156 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)
diff --git a/Connector/connector.json b/Connector/connector.json
index ffa13a5..596da5c 100644
--- a/Connector/connector.json
+++ b/Connector/connector.json
@@ -760,6 +760,162 @@
 }
 }
 },
+ "/api/modules/deviceexposure": {
+ "post": {
+ "summary": "Device Exposure Module",
+ "description": "Sentinel Triage AssistanT Module for reviewing Device Exposure Risks",
+ "operationId": "DeviceExposureModule",
+ "parameters": [
+ {
+ "name": "body",
+ "in": "body",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "AddIncidentComments": {
+ "type": "boolean",
+ "description": "Add Comments to Microsoft Sentinel Incident",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
+ "AddIncidentTask": {
+ "type": "boolean",
+ "description": "Add a task to Microsoft Sentinel Incident",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
+ "IncidentTaskInstructions": {
+ "type": "string",
+ "description": "Instructions to include in the Microsoft Sentinel Task",
+ "x-ms-visibility": "advanced"
+ },
+ "BaseModuleBody": {
+ "type": "object",
+ "description": "Body from STAT Base Module",
+ "title": "",
+ "x-ms-visibility": "important"
+ }
+ },
+ "default": {
+ "AddIncidentComments": true,
+ "Entities": ""
+ },
+ "required": [
+ "BaseModuleBody"
+ ]
+ },
+ "required": true
+ }
+ ],
+ "responses": {
+ "default": {
+ "description": "default",
+ "schema": {
+ "type": "object",
+ "description": "Device Exposure Module",
+ "properties": {
+ "RulesDelete": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of mail rules with deletion found"
+ },
+ "UsersUnknown": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of Users with unknown Out of Office status"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "/api/modules/userexposure": {
+ "post": {
+ "summary": "User Exposure Module",
+ "description": "Sentinel Triage AssistanT Module for evaulating User exposure.",
+ "operationId": "UserExposureModule",
+ "parameters": [
+ {
+ "name": "body",
+ "in": "body",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "AddIncidentComments": {
+ "type": "boolean",
+ "description": "Add Comments to Microsoft Sentinel Incident",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
+ "AddIncidentTask": {
+ "type": "boolean",
+ "description": "Add a task to Microsoft Sentinel Incident",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
+ "IncidentTaskInstructions": {
+ "type": "string",
+ "description": "Instructions to include in the Microsoft Sentinel Task",
+ "x-ms-visibility": "advanced"
+ },
+ "BaseModuleBody": {
+ "type": "object",
+ "description": "Body from STAT Base Module",
+ "title": "",
+ "x-ms-visibility": "important"
+ }
+ },
+ "default": {
+ "AddIncidentComments": true,
+ "Entities": ""
+ },
+ "required": [
+ "BaseModuleBody"
+ ]
+ },
+ "required": true
+ }
+ ],
+ "responses": {
+ "default": {
+ "description": "default",
+ "schema": {
+ "type": "object",
+ "description": "User Exposure Module Body",
+ "properties": {
+ "RulesDelete": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of mail rules with deletion found"
+ },
+ "UsersUnknown": {
+ "type": "integer",
+ "format": "int32",
+ "description": "Count of Users with unknown Out of Office status"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
 "/api/modules/threatintel": {
 "post": {
 "summary": "Threat Intel Module",
From 253694a406523eeafd72fd2b3d264707f96d10aa Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Wed, 2 Apr 2025 11:17:21 -0400
Subject: [PATCH 2/8] Fixes #489, remove MDCA endpoint from deployment
---
 Deploy/deployui.json | 31 --------------------------
 Deploy/statdeploy.json | 16 -------------
 Function/ServicePrincipalIdentity.json | 11 ---------
 Function/SystemIdentity.json | 11 ---------
 Function/UserAssignedIdentity.json | 11 ---------
 5 files changed, 80 deletions(-)
diff --git a/Deploy/deployui.json b/Deploy/deployui.json
index 8ce2667..fde4236 100644
--- a/Deploy/deployui.json
+++ b/Deploy/deployui.json
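Review bot: The `default` object on both new request bodies sets `"Entities": ""`, but `Entities` is not one of the declared `properties` (`AddIncidentComments`, `AddIncidentTask`, `IncidentTaskInstructions`, `BaseModuleBody`), so the example no longer matches the schema it sits in and looks carried over from another module definition; either drop that key or declare the property. The userexposure description also misspells "evaluating": `"description": "Sentinel Triage AssistanT Module for evaluating User exposure."`. Both response schemas describe mail-rule deletion and Out of Office counts, which do not read as exposure data; confirm against the function before connector consumers bind to those field names.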
@@ -462,36 +462,6 @@
 }
 ],
 "visible": "[if(equals(steps('apiStep').api, 'custom'), true, false)]"
- },
- {
- "name": "apiTextBlock5",
- "type": "Microsoft.Common.TextBlock",
- "visible": true,
- "options": {
- "text": "Microsoft Defender for Cloud Apps API uses a tenant specific endpoint which must be entered to use that module.",
- "link": {
- "label": "Learn more",
- "uri": "https://learn.microsoft.com/defender-cloud-apps/api-introduction#api-url-structure"
- }
- }
- },
- {
- "name": "mdcaApi",
- "type": "Microsoft.Common.TextBox",
- "label": "Microsoft Defender for Cloud Apps API",
- "placeholder": "*.*.portal.cloudappsecurity.com",
- "defaultValue": "",
- "toolTip": "Microsoft Defender for Cloud Apps API Endpoint",
- "constraints": {
- "required": true,
- "validations": [
- {
- "regex": "(^(?![hH][tT][tT][pP][sS]?:\/\/)).*",
- "message": "Enter only the hostname, such as org.region.cloudappsecurity.com, do not include the https:// prefix."
- }
- ]
- },
- "visible": true
 }
 ]
 },
@@ -584,7 +554,6 @@
 "MSGraphEndpoint": "[coalesce(steps('apiStep').customApi.graphApi,'graph.microsoft.com')]",
 "M365Endpoint": "[coalesce(steps('apiStep').customApi.m365Api,'api.security.microsoft.com')]",
 "MDEEndpoint": "[coalesce(steps('apiStep').customApi.mdeApi,'api.securitycenter.microsoft.com')]",
- "MDCAEndpoint": "[steps('apiStep').mdcaApi]",
 "LogAnalyticsEndpoint": "[coalesce(steps('apiStep').customApi.laApi,'api.loganalytics.io')]",
 "AzureResourceManagerEndpoint": "[coalesce(steps('apiStep').customApi.armApi,'management.azure.com')]",
 "ServicePrincipalClientId": "[coalesce(steps('identityStep').spId.clientId,steps('identityStep').userId.clientId, 'none')]",
diff --git a/Deploy/statdeploy.json b/Deploy/statdeploy.json
index ccd9afe..4320731 100644
--- a/Deploy/statdeploy.json
+++ b/Deploy/statdeploy.json
@@ -66,13 +66,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
- "MDCAEndpoint": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
- }
- },
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -191,9 +184,6 @@
 "MDEEndpoint": {
 "value": "[parameters('MDEEndpoint')]"
 },
- "MDCAEndpoint": {
- "value": "[parameters('MDCAEndpoint')]"
- },
 "LogAnalyticsEndpoint": {
 "value": "[parameters('LogAnalyticsEndpoint')]"
 },
@@ -267,9 +257,6 @@
 "MDEEndpoint": {
 "value": "[parameters('MDEEndpoint')]"
 },
- "MDCAEndpoint": {
- "value": "[parameters('MDCAEndpoint')]"
- },
 "LogAnalyticsEndpoint": {
 "value": "[parameters('LogAnalyticsEndpoint')]"
 },
@@ -337,9 +324,6 @@
 "MDEEndpoint": {
 "value": "[parameters('MDEEndpoint')]"
 },
- "MDCAEndpoint": {
- "value": "[parameters('MDCAEndpoint')]"
- },
 "LogAnalyticsEndpoint": {
 "value": "[parameters('LogAnalyticsEndpoint')]"
 },
diff --git a/Function/ServicePrincipalIdentity.json b/Function/ServicePrincipalIdentity.json
index a911318..71ef7a2 100644
--- a/Function/ServicePrincipalIdentity.json
+++ b/Function/ServicePrincipalIdentity.json
@@ -47,13 +47,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
- "MDCAEndpoint": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
- }
- },
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -162,10 +155,6 @@
 "name": "MDE_ENDPOINT",
 "value": "[parameters('MDEEndpoint')]"
 },
- {
- "name": "MDCA_ENDPOINT",
- "value": "[parameters('MDCAEndpoint')]"
- },
 {
 "name": "AZURE_CLIENT_ID",
 "value": "[parameters('ServicePrincipalClientId')]"
diff --git a/Function/SystemIdentity.json b/Function/SystemIdentity.json
index 703052c..3554a67 100644
--- a/Function/SystemIdentity.json
+++ b/Function/SystemIdentity.json
@@ -47,13 +47,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
- "MDCAEndpoint": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
- }
- },
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -150,10 +143,6 @@
 "name": "MDE_ENDPOINT",
 "value": "[parameters('MDEEndpoint')]"
 },
- {
- "name": "MDCA_ENDPOINT",
- "value": "[parameters('MDCAEndpoint')]"
- },
 {
 "name": "AZURE_TENANT_ID",
 "value": "[parameters('AADTenantId')]"
diff --git a/Function/UserAssignedIdentity.json b/Function/UserAssignedIdentity.json
index facb252..a3c7d1b 100644
--- a/Function/UserAssignedIdentity.json
+++ b/Function/UserAssignedIdentity.json
@@ -47,13 +47,6 @@
 "description": "Microsoft Defender for Endpoint API endpoint"
 }
 },
- "MDCAEndpoint": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Organization Specific Microsoft Defender for Cloud Apps Endpoint"
- }
- },
 "LogAnalyticsEndpoint": {
 "type": "string",
 "defaultValue": "api.loganalytics.io",
@@ -162,10 +155,6 @@
 "name": "MDE_ENDPOINT",
 "value": "[parameters('MDEEndpoint')]"
 },
- {
- "name": "MDCA_ENDPOINT",
- "value": "[parameters('MDCAEndpoint')]"
- },
 {
 "name": "AZURE_CLIENT_ID",
 "value": "[parameters('ServicePrincipalClientId')]"
From fb2ed111243d741fb0e020a63bcc7f67969c219d Mon Sep 17 00:00:00 2001
From: Pierre Audonnet
Date: Thu, 17 Apr 2025 19:23:13 -0400
Subject: [PATCH 3/8] Update statdeploy.json
Setting allowBlobPublicAccess to false by default.
---
 Deploy/statdeploy.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Deploy/statdeploy.json b/Deploy/statdeploy.json
index 4320731..48f4bbe 100644
--- a/Deploy/statdeploy.json
+++ b/Deploy/statdeploy.json
@@ -130,7 +130,10 @@
 "sku": {
 "name": "[parameters('storageAccountType')]"
 },
- "kind": "Storage"
+ "kind": "Storage",
+ "properties": {
+ "allowBlobPublicAccess": false
+ }
 },
 {
 "type": "Microsoft.Web/serverfarms",
@@ -363,4 +366,4 @@
 ],
 "outputs": {
 }
-}
\ No newline at end of file
+}
From c9c635b8422f5a7b3d95abab70a6d4122efd40a8 Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Wed, 23 Apr 2025 09:22:39 -0400
Subject: [PATCH 4/8] Update connector version id
---
 Connector/connector.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Connector/connector.json b/Connector/connector.json
index 596da5c..a7cc9a9 100644
--- a/Connector/connector.json
+++ b/Connector/connector.json
@@ -30,7 +30,7 @@
 }
 },
 "variables": {
- "STATConnectorVersion": "2.1.0"
+ "STATConnectorVersion": "2.2.0"
 },
 "resources": [
 {
From 1d1fdf7464f48a9da9a0f40b68c7ed92a5911171 Mon Sep 17 00:00:00 2001
From: Brian Delaney <68655382+briandelmsft@users.noreply.github.com>
Date: Wed, 23 Apr 2025 20:18:42 -0400
Subject: [PATCH 5/8] Update versions.json
---
 Modules/versions.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Modules/versions.json b/Modules/versions.json
index 6d08ddc..63dc63a 100644
--- a/Modules/versions.json
+++ b/Modules/versions.json
@@ -9,8 +9,8 @@
 "RelatedAlerts": "0.3.0",
 "RunPlaybook": "0.0.1",
 "ScoringModule": "0.1.0",
- "STATConnector": "2.1.0",
- "STATFunction": "2.1.0",
+ "STATConnector": "2.2.0",
+ "STATFunction": "2.2.0",
 "TIModule": "0.2.0",
 "UEBAModule": "0.1.1",
 "WatchlistModule": "0.1.0"
From 3e5a41f5204f8f81dd3eb740979f7b192a11f37f Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Mon, 5 May 2025 09:35:13 -0400
Subject: [PATCH 6/8] update connector for exposure modules
---
 Connector/connector.json | 20 --------------------
 1 file changed, 20 deletions(-)
diff --git a/Connector/connector.json b/Connector/connector.json
index a7cc9a9..a815065 100644
--- a/Connector/connector.json
+++ b/Connector/connector.json
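Review bot: `"allowBlobPublicAccess": false` closes anonymous blob reads, but the new `properties` object leaves the account's transport settings at resource-provider defaults even though this account backs the function app's package and runtime state; add `"minimumTlsVersion": "TLS1_2"` and `"supportsHttpsTrafficOnly": true` alongside it in the same object. The resource's `apiVersion` is outside the hunk, and `allowBlobPublicAccess` is only understood by newer Microsoft.Storage API versions, so confirm the version in use accepts the property rather than ignoring it. `"kind": "Storage"` (general-purpose v1) is also kept; StorageV2 is the recommended kind for new accounts, though changing it here would affect existing deployments, so that is a separate decision.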
@@ -822,16 +822,6 @@
 "type": "object",
 "description": "Device Exposure Module",
 "properties": {
- "RulesDelete": {
- "type": "integer",
- "format": "int32",
- "description": "Count of mail rules with deletion found"
- },
- "UsersUnknown": {
- "type": "integer",
- "format": "int32",
- "description": "Count of Users with unknown Out of Office status"
- }
 }
 }
 }
@@ -900,16 +890,6 @@
 "type": "object",
 "description": "User Exposure Module Body",
 "properties": {
- "RulesDelete": {
- "type": "integer",
- "format": "int32",
- "description": "Count of mail rules with deletion found"
- },
- "UsersUnknown": {
- "type": "integer",
- "format": "int32",
- "description": "Count of Users with unknown Out of Office status"
- }
 }
 }
 }
From c614ceb10a5bb08e5233714e7388246aee17d48c Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Tue, 6 May 2025 10:47:15 -0400
Subject: [PATCH 7/8] Add tags to exposure connector
---
 Connector/connector.json | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/Connector/connector.json b/Connector/connector.json
index a815065..eceb475 100644
--- a/Connector/connector.json
+++ b/Connector/connector.json
@@ -782,6 +782,16 @@
 ],
 "x-ms-visibility": "advanced"
 },
+ "AddIncidentTags": {
+ "type": "boolean",
+ "description": "Add Tags to Microsoft Sentinel Incident",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
 "AddIncidentTask": {
 "type": "boolean",
 "description": "Add a task to Microsoft Sentinel Incident",
@@ -850,6 +860,16 @@
 ],
 "x-ms-visibility": "advanced"
 },
+ "AddIncidentTags": {
+ "type": "boolean",
+ "description": "Add Tags to Microsoft Sentinel Incident",
+ "title": "",
+ "enum": [
+ true,
+ false
+ ],
+ "x-ms-visibility": "advanced"
+ },
 "AddIncidentTask": {
 "type": "boolean",
 "description": "Add a task to Microsoft Sentinel Incident",
From 2fb4d574da8e278cbbaa6599ce1e60006dd73e68 Mon Sep 17 00:00:00 2001
From: Brian Delaney
Date: Fri, 16 May 2025 12:47:21 -0400
Subject: [PATCH 8/8] update package path
---
 Deploy/deployui.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Deploy/deployui.json b/Deploy/deployui.json
index fde4236..da65714 100644
--- a/Deploy/deployui.json
+++ b/Deploy/deployui.json
@@ -516,7 +516,7 @@
 "type": "Microsoft.Common.TextBox",
 "label": "STAT Function ZIP Package",
 "placeholder": "",
- "defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip",
+ "defaultValue": "https://github.com/briandelmsft/STAT-Function/releases/download/v2.2.0/stat.zip",
 "toolTip": "Full path to the STAT Function ZIP deployment package",
 "constraints": {
 "required": true,
@@ -550,7 +550,7 @@
 "STATConnectorName": "[coalesce(steps('namingStep').customNaming.statConnectorName, 'SentinelTriageAssistantv2')]",
 "STATConnectorDisplayName": "[coalesce(steps('namingStep').customNaming.statConnectorDisplayName, 'STAT v2')]",
 "storageAccountType": "Standard_LRS",
- "FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.1.0/stat.zip')]",
+ "FunctionPackage": "[coalesce(steps('additionalStep').advanced.functionPackage, 'https://github.com/briandelmsft/STAT-Function/releases/download/v2.2.0/stat.zip')]",
 "MSGraphEndpoint": "[coalesce(steps('apiStep').customApi.graphApi,'graph.microsoft.com')]",
 "M365Endpoint": "[coalesce(steps('apiStep').customApi.m365Api,'api.security.microsoft.com')]",
 "MDEEndpoint": "[coalesce(steps('apiStep').customApi.mdeApi,'api.securitycenter.microsoft.com')]",