User Profile
mathurin68
Brass Contributor
Joined 7 years ago
Recent Discussions
Azure SPN for Access to Azure Key Vault? Best solution for automated scripts?
For access to the Defender API we are using jupyter lab and an "on premises" Ubuntu server. I have the following credentials we use in our notebooks like this:

    tenantId = # Paste your tenant ID here
    appId = # Paste your own app ID here
    appSecret = # Paste your own app secret here

We have a tight budget but I do have access to Azure Key Vault and want to start using it for our notebooks and automated tasks that interact with the Defender API. I'm assuming something like this...

    tenantId = # Paste your own tenant ID here
    appId = # Paste your own app ID here
    appSecret = STORE THIS IN AZURE KEY VAULT and retrieve with getsecrets.

I'm trying to understand the best, most professional way to access the Azure Key Vault. I can't use 'az login' for automated task scripts? What's the best way to do this? Do I get our Azure Administrator to create an Azure SPN for me, specifically for access to the Azure Key Vault, and assign that SPN to the Access Policy of the Key Vault? And then I use the created SPN's clientId, clientSecret, and tenantId to access the key vault and grab the secret like this?

    # Legacy azure-keyvault 1.x / msrestazure packages
    from msrestazure.azure_active_directory import ServicePrincipalCredentials
    from azure.keyvault import KeyVaultClient, KeyVaultAuthentication

    # Callback invoked by KeyVaultAuthentication to obtain a bearer token for the vault resource
    def auth_callback(server, resource, scope):
        credentials = ServicePrincipalCredentials(
            client_id = '',
            secret = '',
            tenant = '',
            resource = "https://vault.azure.net"
        )
        token = credentials.token
        return token['token_type'], token['access_token']

    client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
    # Fetch the latest version of the secret (empty string = latest)
    secret_bundle = client.get_secret("https://vault_url", "secret_id", "")
    print(secret_bundle.value)

I'd appreciate any suggestions that could clarify this for me, thanks!!

Azure Blob Storage to Defender for Endpoint?
Just starting with Azure, and for various reasons, I'm looking for a way to host a csv file of 'indicators of compromise' on Azure blob storage and read them from Defender for Endpoint. Like this:

    let C2Threats = materialize (
        (externaldata(report:string)
            [@"https://storage.blob.core/indicators/sample.csv"]
            with (format = "txt"))
    );

Is there a way to do this safely without an access key? Locking it down by IP Address or URL? Is "Anonymous public read access for containers and blobs." a possibility? Is it possible to lock that down by url or IP address so only Defender and hosts on our network can grab it? Thank you!

Enrichment Functions, Device Discovery 'invoke SeenBy()' doesn't work...
In the Device Discovery article, https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?msclkid=8a90a286d14e11ec9a5fa5e16c851275&view=o365-worldwide

"By invoking the SeenBy function, in your advanced hunting query, you can get detail on which onboarded device a discovered device was seen by. This information can help determine the network location of each discovered device and subsequently, help to identify it in the network."

But when I try to run it

    DeviceInfo
    | where OnboardingStatus != "Onboarded"
    | summarize arg_max(Timestamp, *) by DeviceId
    | where isempty(MergedToDeviceId)
    | limit 100
    | invoke SeenBy()
    | project DeviceId, DeviceName, DeviceType, SeenBy

I get 'Unknown function: 'SeenBy'. I guess these are 'Enrichment Functions'... so, how do we turn these on so they're available? Thanks!

Re: Add Custom Detections via api?
Jonathan Green I'll check and see. Ugh, that's not good. What about getting the Defender tables into Sentinel and setting the alerts there? Can't I work with the Custom Detections through the api there? Thank you for all your answers with this!

Re: Add Custom Detections via api?
Jonathan Green Hey Jonathan! I'm talking about KQL queries we've turned into Custom Detections. There doesn't seem to be a way to get to them in the api for Defender for Endpoint. Just being able to download them would be a huge help. I hope I'm wrong but there doesn't seem to be a way to do it. We are GCC by the way.

Custom Detections via API
Is there a way to add, update and delete "Custom Detections" in Defender for Endpoint via the api? I don't mean indicators like file hashes, I mean the actual KQL Custom Detections with priorities. There's a notebook for this in Azure Sentinel but I haven't seen anything for Endpoint. Much appreciated!!

Defender API question... EmailEvents Table, IdentityInfo table?
Defender API Question.... Is there a way to query the EmailEvents table through an api? Or the Identityinfo table? I'm currently testing through api-us.securitycenter.microsoft.com and playing around with the available tables to query; there doesn't seem to be much other than the Device* tables. Also, I've got the Microsoft api reference links from here, https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-list?view=o365-worldwide. And I'm going through the Azure Sentinel Notebooks and the msticpy notebooks, but I'd appreciate any videos or blogs about exploring the tables and data through the api and jupyter notebooks. This is really super cool!

Custom Detections Stopped Running...
We've added a couple hundred 'Custom Detection' rules and I noticed over the last couple of days nothing was running. Then I checked a couple of the rules and noticed they haven't run in the last 7 days... it's now March 9th. Is there a setting somewhere? Is this normal without any warning?

Manage Microsoft 365 Defender Alerts in Azure Sentinel
We're trying to find a way to manage the 'out of the box' alerts that come with Defender 365, about 95% of which are FP. Is there a way to build some sort of dashboard in Sentinel with alerts? I don't mean incidents, we aren't there yet, I just mean alerts? Preferably, with enough information about the alert that the analyst can make a quick decision and move on... Thanks!!

Re: Defender for Endpoint Github/Gitlab Connection for KQL Queries
Oh, the Microsoft Sentinel Watchlist to MDE idea actually sounds perfect!!! I found this - https://docs.microsoft.com/en-us/azure/sentinel/watchlists And you can query Sentinel Watchlist from Defender for Endpoint?

Re: Defender for Endpoint Github/Gitlab Connection for KQL Queries
Hey Jonhed! It's an internal gitlab (our network); the end goal is just to have some lists - 1) Our public IP addresses 2) Objects in our sensitive groups etc. for checking during queries and alerts. That we can use to enhance some of the KQL queries and signatures we use, but I'd like to have a way to reasonably secure them in our network. I'm not seeing an easy way to connect them. I don't want to set up an internal pastebin but that may be the only option.

Defender for Endpoint Github/Gitlab Connection for KQL Queries
Hello All, We have an internal gitlab that we want to use to share CSV files for ease of input into Microsoft Defender for Endpoint for KQL queries and detections. The CSV's are used in Microsoft Defender for Endpoint KQL queries like this...

    ((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superduckto

or this

    externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/A

Our first option for storing the queries is an internal gitlab. Being new to MDE, I wasn't sure how we could do it. Would we connect gitlab to Defender like this document states for github and Azure? https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows Thus, allowing Defender to run the KQL queries and grab the 'externaldata(CSVs)' from our gitlab? Thanks!!

KQL for Public Facing CVE-2021-44228 Hosts
We came up with the following KQL but are still learning; could someone double check our work?

    DeviceTvmSoftwareVulnerabilities
    | where CveId == 'CVE-2021-44228'
    | project DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName, SoftwareVersion, CveId
    | join kind=inner (
        DeviceInfo
        | project DeviceId, PublicIP, MachineGroup
    ) on DeviceId
    | distinct *

We're trying to use KQL to determine which of our hosts affected by log4j have public facing IP addresses... Thanks!