From c5629dcb7a3bef60eb1fd3f0c6a9940d52805bed Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:21:33 +0100 Subject: [PATCH 01/13] Create readme.md --- .../MDE SmartScreen/readme.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md new file mode 100644 index 00000000..3306b2d9 --- /dev/null +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md 
@@ -0,0 +1,32 @@ +# Copilot for Security Plugin: MDE SmartScreen + +### **This KQL plugin enables SOC analysts and engineers to get insights about SmartScreen warning pages and bypasses, using the Defender for Endpoint DeviceEvents table.** + +### Pre-requisites + +- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) +- [Microsoft Defender SmartScreen settings configured](https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings) + +### Instructions + +#### Upload the Custom Plugin + +1. Obtain the file MDE_SmartScreen.yaml from this directory. +2. Upload the custom plugin + +#### Skills + +- **GetSmartScreenEvents**: Summarises SmartScreen events over a specified timeframe +- **GetSmartScreenWarningEvents**: Summarises SmartScreen warning events over a specified timeframe +- **GetSmartScreenBypassEvents**: Summarises SmartScreen bypass events over a specified timeframe +- **GetSmartScreenEventsURL**: Fetches a count of SmartScreen events grouped by URL +- **GetSmartScreenWarningEventsURL**: Fetches a count of SmartScreen warning events grouped by URL +- **GetSmartScreenBypassEventsURL**: Fetches a count of SmartScreen bypass events grouped by URL + +#### Example Usage + +1. A desktop engineer is drafting a report for senior leadership about the organisation’s protection against phishing or malware websites and applications. +2. The GetSmartScreenEvents skill is used to get a summary of the SmartScreen events from the past 30 days. +3. The GetSmartScreenBypassEvents skill is used to identify users who are ignored the warning message and may require futher security education and awareness traning. +4. 
The Generic plugin is used to summarise the previous prompts and provide recommendations about changes to the current configuration. From 4fbd101818ffa4a325211033cbb3b54ed5208674 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:21:53 +0100 Subject: [PATCH 02/13] Create MDE_SmartScreen.yaml --- .../MDE SmartScreen/MDE_SmartScreen.yaml | 1 + 1 file changed, 1 insertion(+) create mode 100644 Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml new file mode 100644 index 00000000..fa18d9a9 --- /dev/null +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml @@ -0,0 +1 @@ +add text here From d6753225c2bdd39c2fa1711512621161fe9930c7 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:34:48 +0100 Subject: [PATCH 03/13] Create readme.md --- .../MDE Plug and Play (PnP)/readme.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md new file mode 100644 index 00000000..00f7a41a --- /dev/null +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md 
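Review bot: step 3 of Example Usage in the PATCH 01 hunk has three wording errors that will ship in the readme: `+3. The GetSmartScreenBypassEvents skill is used to identify users who are ignored the warning message and may require futher security education and awareness traning.` should read "users who have ignored the warning message and may require further security education and awareness training". Step 2 of the upload instructions, `+2. Upload the custom plugin`, would also be more useful if it linked to the manage-plugins page already cited under Pre-requisites, since that page is where the upload is actually done.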
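Review bot: the `+add text here` hunk of PATCH 02 commits a one-line placeholder as MDE_SmartScreen.yaml, and PATCH 04 does the same for MDE_Plug_and_Plug.yaml; a placeholder manifest cannot be uploaded as a plugin, yet the readme committed immediately before it already tells users to obtain this file from the directory. Squash each placeholder commit with the later commit that supplies the real content (PATCH 06 and PATCH 05 respectively) so no revision of the tree advertises an unusable plugin.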
@@ -0,0 +1,26 @@ +# Copilot for Security Plugin: MDE Plug and Play (PnP) + +### **This KQL plugin enables SOC analysts to get insights about external devices that have been connected to a device, based on the Defender for Endpoint DeviceEvents table.** + +### Pre-requisites + +- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) + +### Instructions + +#### Upload the Custom Plugin + +1. Obtain the file MDE_Plug_and_Plug.yaml from this directory. +2. Upload the custom plugin + +#### Skills + +- **GetPnPTop25Devices**: Fetches a count of the top 25 PnP devices across the estate +- **GetPnPLeastCommonDevices**: Featches a count of the 25 least common PnP devices which could be anomalous +- **GetPnPEventsFromDevice**: Summarises the PnP connection events from a specific device over a set timeframe + +#### Example Usage + +1. A SOC analyst is investigating a data exfiltration alert and requires further details on the methods used. +2. The GGetPnPEventsFromDevice skill is used to get a summary of the PnP devices connected to a laptop over the past 24 hours. From d65eba3b654372704729cdbec5fdb3da51c2ad3e Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 5 Sep 2024 20:35:08 +0100 Subject: [PATCH 04/13] Create MDE_Plug_and_Plug.yaml --- .../MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml | 1 + 1 file changed, 1 insertion(+) create mode 100644 Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml 
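Review bot: the filename in `+1. Obtain the file MDE_Plug_and_Plug.yaml from this directory.` looks like a typo for MDE_Plug_and_Play.yaml (the directory and the title both say Plug and Play), and the same misspelling is then used for the file created in PATCH 04, so renaming it now avoids carrying the typo in the path and in every later commit that touches it. The Skills list also has `Featches` for `Fetches`, and Example Usage step 2 has `GGetPnPEventsFromDevice` for `GetPnPEventsFromDevice`.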
diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml new file mode 100644 index 00000000..fa18d9a9 --- /dev/null +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml @@ -0,0 +1 @@ +add text here From 5c910e58ade8a593b96f909457bf7812f0cdd29b Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 3 Oct 2024 10:37:22 +0100 Subject: [PATCH 05/13] Update MDE_Plug_and_Plug.yaml --- .../MDE_Plug_and_Plug.yaml | 91 ++++++++++++++++++- 1 file changed, 90 insertions(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml index fa18d9a9..cb99e28c 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml 
@@ -1 +1,90 @@ -add text here +Descriptor: + Name: MDEPlugandPlay + DisplayName: MDE Plug and Play + Description: Skills to query MDE device tables to get insights about plug and play (PnP) events + +SkillGroups: + - Format: KQL + Skills: + - Name: GetPnPEventsFromDevice + DisplayName: Get PnP Events From Device + Description: Summarises the PnP connection events from a specific device over a set timeframe + ExamplePrompt: + - 'PnP' + - 'Plug and Play' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + - Name: devicename + Description: device name or id + Required: true + Settings: + Target: Defender + Template: |- + let Device = "{{devicename}}"; + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where DeviceName =~ Device or DeviceId =~ Device + | where ActionType == "PnpDeviceConnected" + | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds + | project Timestamp, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds + - Format: KQL + Skills: + - Name: GetPnPTop25Devices + DisplayName: Get PnP Top 25 Devices + Description: Fetches a count of the top 25 PnP devices across the estate + ExamplePrompt: + - 'PnP' + - 'Plug and Play' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 1 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType == "PnpDeviceConnected" + | extend 
ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds + | project ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds + | summarize count() by tostring(ClassName), tostring(ClassId), tostring(PnPDeviceId), tostring(DeviceDescription), tostring(VendorIds) + | top 25 by count_ + - Format: KQL + Skills: + - Name: GetPnPLeastCommonDevices + DisplayName: Get PnP Least Common Devices + Description: Fetches a count of the 25 least common PnP devices which could be anomalous + ExamplePrompt: + - 'PnP' + - 'Plug and Play' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 1 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType == "PnpDeviceConnected" + | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds + | project ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds + | summarize count() by tostring(ClassName), tostring(ClassId), tostring(PnPDeviceId), tostring(DeviceDescription), tostring(VendorIds) + | top 25 by count_ asc From db514c27e17fe1f470e0b6e493d501cdf76db3fe Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 3 Oct 2024 10:44:44 +0100 Subject: [PATCH 06/13] Update MDE_SmartScreen.yaml --- .../MDE SmartScreen/MDE_SmartScreen.yaml | 160 +++++++++++++++++- 1 file changed, 159 insertions(+), 1 deletion(-) 
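Review bot: in the GetPnPEventsFromDevice template, `let Device = "{{devicename}}";` interpolates the required input unescaped inside a double-quoted string literal, so a value containing a double quote yields a query that fails to parse; state the expected value (a DeviceName or a DeviceId, both of which `| where DeviceName =~ Device or DeviceId =~ Device` accepts) in the input Description, and do the same for `{{unit}}` and `{{hourorday}}`, which are concatenated straight into `ago()` and must be a number and `h`/`d` for the query to run at all. All three templates call `parse_json(AdditionalFields)` five times per row; a single `| extend AF = parse_json(AdditionalFields)` followed by `AF.ClassName`, `AF.ClassId` and so on is cheaper and easier to read. In the Top 25 and Least Common templates the `| project` before `| summarize` is redundant, and `| top 25 by count_ asc` over the 1-day default window returns an arbitrary subset of count-1 devices with no secondary sort key, so the output differs between runs; `| sort by count_ asc, PnPDeviceId | take 25` makes it stable.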
diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml index fa18d9a9..841cf147 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml 
@@ -1 +1,159 @@ -add text here +Descriptor: + Name: MDESmartScreen + DisplayName: MDE SmartScreen + Description: Skills to query MDE device tables to get insights about SmartScreen events + +SkillGroups: + - Format: KQL + Skills: + - Name: GetSmartScreenEvents + DisplayName: Get SmartScreen Events + Description: Summarises SmartScreen events over a specified timeframe + ExamplePrompt: + - 'SmartScreen' + - 'Blocked Phishing URLs' + - 'Blocked Malware URLs' + - 'Untrusted URLs' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType contains "Smartscreen" + | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields + - Format: KQL + Skills: + - Name: GetSmartScreenWarningEvents + DisplayName: Get SmartScreen Warning Events + Description: Summarises SmartScreen warning events over a specified timeframe + ExamplePrompt: + - 'SmartScreen' + - 'SmartScreen Warning' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType == @"SmartScreenUrlWarning" + | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields + - Format: KQL + Skills: + - Name: GetSmartScreenBypassEvents + DisplayName: Get SmartScreen Bypass Events + Description: Summarises SmartScreen bypass events over a specified timeframe + 
ExamplePrompt: + - 'SmartScreen' + - 'SmartScreen User Override' + - 'SmartScreen Bypass' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType == @"SmartScreenUserOverride" + | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields + - Format: KQL + Skills: + - Name: GetSmartScreenEventsURL + DisplayName: Get SmartScreen Events URL + Description: Fetches a count of SmartScreen events grouped by URL + ExamplePrompt: + - 'SmartScreen' + - 'SmartScreen URLs' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType contains "SmartScreen" + | project ActionType, RemoteUrl + | summarize count() by ActionType, RemoteUrl + - Format: KQL + Skills: + - Name: GetSmartScreenWarningEventsURL + DisplayName: Get SmartScreen Warning Events URL + Description: Fetches a count of SmartScreen warning events grouped by URL + ExamplePrompt: + - 'SmartScreen' + - 'SmartScreen URLs' + - 'SmartScreen Warning' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType == @"SmartScreenUrlWarning" + | project ActionType, RemoteUrl + | summarize count() by ActionType, RemoteUrl + - 
Format: KQL + Skills: + - Name: GetSmartScreenBypassEventsURL + DisplayName: Get SmartScreen Bypass Events URL + Description: Fetches a count of SmartScreen bypass events grouped by URL + ExamplePrompt: + - 'SmartScreen' + - 'SmartScreen URLs' + - 'SmartScreen User Override' + - 'SmartScreen Bypass' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType == @"SmartScreenUserOverride" + | project ActionType, RemoteUrl + | summarize count() by ActionType, RemoteUrl From a9fbe91a4672b55185c6392563709caf5491a1bd Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Wed, 13 Nov 2024 23:07:44 +0000 Subject: [PATCH 07/13] Update MDE_Plug_and_Plug.yaml --- .../MDE_Plug_and_Plug.yaml | 32 +++++++++++++++---- 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml index cb99e28c..26e7b016 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml 
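Review bot: the three event templates (GetSmartScreenEvents, GetSmartScreenWarningEvents, GetSmartScreenBypassEvents) filter on `Timestamp` but then `| project DeviceName, ActionType, RemoteUrl, ...` drops it, so a "summary over a specified timeframe" cannot say when any warning or override happened; add `Timestamp` to the projection. The three URL templates end in `| summarize count() by ActionType, RemoteUrl` with no ordering or limit, so on a large tenant the result is an unbounded, unordered list; an `| order by count_ desc` (or `| top 50 by count_`) gives the analyst the most frequently warned or bypassed URLs first. Minor: the first skill filters with `contains "Smartscreen"` and the URL skill with `contains "SmartScreen"`; both work because `contains` is case-insensitive, but using one spelling, or `startswith "SmartScreen"`, states the intent.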
@@ -10,8 +10,14 @@ SkillGroups: DisplayName: Get PnP Events From Device Description: Summarises the PnP connection events from a specific device over a set timeframe ExamplePrompt: - - 'PnP' - - 'Plug and Play' + - 'PnP Events' + - 'Plug and Play Events' + - 'Get PnP events from device DEVICENAME from the last 7 days' + - 'Get PnP events from device DEVICENAME from the past 24 hours' + - 'Fetch PnP events from device DEVICENAME from the past 7 days' + - 'Fetch PnP events from device DEVICENAME from the past 24 hours' + - 'List PnP events from device DEVICENAME from the past 7 days' + - 'List PnP events from device DEVICENAME from the past 24 hours' Inputs: - Name: hourorday Description: hours (h) or days (d) @@ -40,8 +46,14 @@ SkillGroups: DisplayName: Get PnP Top 25 Devices Description: Fetches a count of the top 25 PnP devices across the estate ExamplePrompt: - - 'PnP' - - 'Plug and Play' + - 'PnP Devices' + - 'Plug and Play Devices' + - 'Get a list of the top 25 PnP devices from the last 24 hours' + - 'Get a list of the top 25 PnP devices from the last 1 day' + - 'Fetch a list of the top 25 PnP devices from the last 24 hours' + - 'Fetch a list of the top 25 PnP devices from the last 1 day' + - 'List the top 25 PnP devices from the last 24 hours' + - 'List the top 25 PnP devices from the last 1 day' Inputs: - Name: hourorday Description: hours (h) or days (d) 
@@ -67,8 +79,16 @@ SkillGroups: DisplayName: Get PnP Least Common Devices Description: Fetches a count of the 25 least common PnP devices which could be anomalous ExamplePrompt: - - 'PnP' - - 'Plug and Play' + - 'PnP Devices' + - 'Plug and Play Devices' + - 'Anomalous PnP' + - 'Anomalous Plug and Play' + - 'Get a list of the 25 least common PnP devices from the last 24 hours' + - 'Get a list of the 25 least common PnP devices from the last 1 day' + - 'Fetch a list of the 25 least common PnP devices from the last 24 hours' + - 'Fetch a list of the 25 least common PnP devices from the last 1 day' + - 'List the 25 least common PnP devices from the last 1 day' + - 'List the 25 least common PnP devices from the last 24 hours' Inputs: - Name: hourorday Description: hours (h) or days (d) From f6c588c9c58facb5e923eb6bde705f74b7c0dd95 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Wed, 13 Nov 2024 23:16:26 +0000 Subject: [PATCH 08/13] Update readme.md --- .../MDE Plug and Play (PnP)/readme.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md index 00f7a41a..85e3a834 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md 
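Review bot: the new GetPnPEventsFromDevice prompts use `DEVICENAME` as the placeholder, e.g. `+ - 'Get PnP events from device DEVICENAME from the last 7 days'`, but nothing tells the orchestrator that the template also accepts a DeviceId (`DeviceName =~ Device or DeviceId =~ Device`); add a prompt phrased around a device ID, or say so in the `devicename` input Description. The Top 25 and Least Common prompt lists each contain both "from the last 24 hours" and "from the last 1 day", which describe the same window; one of each form is enough and keeps the lists short.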
@@ -2,7 +2,7 @@ ### **This KQL plugin enables SOC analysts to get insights about external devices that have been connected to a device, based on the Defender for Endpoint DeviceEvents table.** -### Pre-requisites +### Prerequisites - [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) - [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) @@ -14,13 +14,21 @@ 1. Obtain the file MDE_Plug_and_Plug.yaml from this directory. 2. Upload the custom plugin +### Plugin Utilisation + #### Skills - **GetPnPTop25Devices**: Fetches a count of the top 25 PnP devices across the estate -- **GetPnPLeastCommonDevices**: Featches a count of the 25 least common PnP devices which could be anomalous +- **GetPnPLeastCommonDevices**: Fetches a count of the 25 least common PnP devices which could be anomalous - **GetPnPEventsFromDevice**: Summarises the PnP connection events from a specific device over a set timeframe +#### Example Prompts + +- Get a list of PnP events from device DEVICENAME from the last 7 days +- Fetch a list of the top 25 PnP devices from the last 24 hours +- List the 25 least common PnP devices from the last 30 days + #### Example Usage 1. A SOC analyst is investigating a data exfiltration alert and requires further details on the methods used. -2. The GGetPnPEventsFromDevice skill is used to get a summary of the PnP devices connected to a laptop over the past 24 hours. +2. The GetPnPEventsFromDevice skill is used to get a summary of the PnP devices connected to a laptop over the past 24 hours. From 6e15984a35bee022615f082cedbb0c17518ed182 Mon Sep 17 00:00:00 2001 
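Review bot: the heading fix and the two typo fixes (`Fetches`, `GetPnPEventsFromDevice`) are welcome, but the context line `1. Obtain the file MDE_Plug_and_Plug.yaml from this directory.` still carries the Plug_and_Plug misspelling of the manifest filename; if the file is renamed to match the directory name, update this line in the same commit so the readme and the file never disagree.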
From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Wed, 13 Nov 2024 23:45:55 +0000 Subject: [PATCH 09/13] Update readme.md --- .../MDE SmartScreen/readme.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md index 3306b2d9..eabf6413 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md @@ -2,7 +2,7 @@ ### **This KQL plugin enables SOC analysts and engineers to get insights about SmartScreen warning pages and bypasses, using the Defender for Endpoint DeviceEvents table.** -### Pre-requisites +### Prerequisites - [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) - [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) @@ -15,6 +15,8 @@ 1. Obtain the file MDE_SmartScreen.yaml from this directory. 2. Upload the custom plugin +### Plugin Utilisation + #### Skills - **GetSmartScreenEvents**: Summarises SmartScreen events over a specified timeframe 
@@ -24,9 +26,18 @@ - **GetSmartScreenWarningEventsURL**: Fetches a count of SmartScreen warning events grouped by URL - **GetSmartScreenBypassEventsURL**: Fetches a count of SmartScreen bypass events grouped by URL +#### Example Prompts + +- Get a list of SmartScreen events from the past 7 days +- Fetch a list of SmartScreen warning events from the past 24 hours +- List the SmartScreen override events from the past 7 days +- Get a list of URLs identified by SmartScreen from the past 24 hours +- Fetch a list of URLs marked with a warning by SmartScreen from the past 7 days +- List the URLs where the user has bypassed SmartScreen from the past 24 hours + #### Example Usage 1. A desktop engineer is drafting a report for senior leadership about the organisation’s protection against phishing or malware websites and applications. 2. The GetSmartScreenEvents skill is used to get a summary of the SmartScreen events from the past 30 days. -3. The GetSmartScreenBypassEvents skill is used to identify users who are ignored the warning message and may require futher security education and awareness traning. +3. The GetSmartScreenBypassEvents skill is used to identify users who are ignored the warning message and may require further security education and awareness training. 4. The Generic plugin is used to summarise the previous prompts and provide recommendations about changes to the current configuration. From bf2aadfc90bd23892768d97fd3422f7da45e50da Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 14 Nov 2024 00:01:37 +0000 Subject: [PATCH 10/13] Update MDE_SmartScreen.yaml --- .../MDE SmartScreen/MDE_SmartScreen.yaml | 56 ++++++++++++++----- 1 file changed, 41 insertions(+), 15 deletions(-) 
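Review bot: the rewritten step 3 fixes `futher` and `traning` but keeps the grammatical error in `+3. The GetSmartScreenBypassEvents skill is used to identify users who are ignored the warning message ...`; it should read "users who have ignored the warning message". Also, step 2 of Example Usage says GetSmartScreenEvents is used for "the past 30 days", while the example prompts added just above only show 24-hour and 7-day windows and the manifest's default is 7 days; adding a 30-day prompt, or noting that `unit` and `hourorday` can be supplied, makes the walkthrough reproducible from the prompts listed.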
diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml index 841cf147..8bae8693 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml @@ -10,10 +10,13 @@ SkillGroups: DisplayName: Get SmartScreen Events Description: Summarises SmartScreen events over a specified timeframe ExamplePrompt: - - 'SmartScreen' - - 'Blocked Phishing URLs' - - 'Blocked Malware URLs' - - 'Untrusted URLs' + - 'SmartScreen Events' + - 'Get a list of SmartScreen events from the past 24 hours' + - 'Get a list of SmartScreen events from the past 7 days' + - 'Fetch a list of SmartScreen events from the past 24 hours' + - 'Fetch a list of SmartScreen events from the past 7 days' + - 'List the SmartScreen events from the past 24 hours' + - 'List the SmartScreen events from the past 7 days' Inputs: - Name: hourorday Description: hours (h) or days (d) @@ -36,8 +39,13 @@ SkillGroups: DisplayName: Get SmartScreen Warning Events Description: Summarises SmartScreen warning events over a specified timeframe ExamplePrompt: - - 'SmartScreen' - - 'SmartScreen Warning' + - 'SmartScreen Warning Events' + - 'Get a list of SmartScreen warning events from the past 24 hours' + - 'Get a list of SmartScreen warning events from the past 7 days' + - 'Fetch a list of SmartScreen warning events from the past 24 hours' + - 'Fetch a list of SmartScreen warning events from the past 7 days' + - 'List the SmartScreen warning events from the past 24 hours' + - 'List the SmartScreen warning events from the past 7 days' Inputs: - Name: hourorday Description: hours (h) or days (d) 
@@ -60,9 +68,14 @@ SkillGroups: DisplayName: Get SmartScreen Bypass Events Description: Summarises SmartScreen bypass events over a specified timeframe ExamplePrompt: - - 'SmartScreen' - 'SmartScreen User Override' - 'SmartScreen Bypass' + - 'Get a list of SmartScreen bypass events from the past 24 hours' + - 'Get a list of SmartScreen override events from the past 7 days' + - 'Fetch a list of SmartScreen override events from the past 24 hours' + - 'Fetch a list of SmartScreen bypass events from the past 7 days' + - 'List the SmartScreen override events from the past 24 hours' + -' List the SmartScreen bypass events from the past 7 days' Inputs: - Name: hourorday Description: hours (h) or days (d) @@ -85,8 +98,13 @@ SkillGroups: DisplayName: Get SmartScreen Events URL Description: Fetches a count of SmartScreen events grouped by URL ExamplePrompt: - - 'SmartScreen' - 'SmartScreen URLs' + - 'Get a list of URLs identified by SmartScreen from the past 24 hours' + - 'Get a list of URLs identified by SmartScreen from the past 7 days' + - 'Fetch a list of URLs identified by SmartScreen from the past 24 hours' + - 'Fetch a list of URLs identified by SmartScreen from the past 7 days' + - 'List the URLs identified by SmartScreen from the past 24 hours' + - 'List the URLs identified by SmartScreen from the past 7 days' Inputs: - Name: hourorday Description: hours (h) or days (d) 
@@ -110,9 +128,13 @@ SkillGroups: DisplayName: Get SmartScreen Warning Events URL Description: Fetches a count of SmartScreen warning events grouped by URL ExamplePrompt: - - 'SmartScreen' - - 'SmartScreen URLs' - - 'SmartScreen Warning' + - 'SmartScreen URLs Warning' + - 'Get a list of URLs marked with a warning by SmartScreen from the past 24 hours' + - 'Get a list of URLs marked with a warning by SmartScreen from the past 7 days' + - 'Fetch a list of URLs marked with a warning by SmartScreen from the past 24 hours' + - 'Fetch a list of URLs marked with a warning by SmartScreen from the past 7 days' + - 'List the URLs marked with a warning by SmartScreen from the past 24 hours' + - 'List the URLs marked with a warning by SmartScreen from the past 7 days' Inputs: - Name: hourorday Description: hours (h) or days (d) @@ -136,10 +158,14 @@ SkillGroups: DisplayName: Get SmartScreen Bypass Events URL Description: Fetches a count of SmartScreen bypass events grouped by URL ExamplePrompt: - - 'SmartScreen' - - 'SmartScreen URLs' - - 'SmartScreen User Override' - - 'SmartScreen Bypass' + - 'SmartScreen URLs User Override' + - 'SmartScreen URLs Bypass' + - 'Get a list of URLs where the user has overridden SmartScreen from the past 24 hours' + - 'Get a list of URLs where the user has bypassed SmartScreen from the past 7 days' + - 'Fetch a list of URLs where the user has overridden SmartScreen from the past 24 hours' + - 'Fetch a list of URLs where the user has bypassed SmartScreen from the past 7 days' + - 'List the URLs where the user has bypassed SmartScreen from the past 24 hours' + - 'List the URLs where the user has overridden SmartScreen from the past 7 days' Inputs: - Name: hourorday Description: hours (h) or days (d) From 10dbd269845475a50f166bb9c51a66bf237b3ad6 Mon Sep 17 00:00:00 2001 
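Review bot: the GetSmartScreenBypassEvents hunk contains a malformed list item, `+ -' List the SmartScreen bypass events from the past 7 days'`, where the quote follows the dash without a space; YAML requires `- ` for a sequence entry, so the manifest will most likely fail to parse and therefore to upload. PATCH 11 corrects exactly this line; squash it into this commit so the broken manifest never appears in history. Separately, the new prompts `'SmartScreen URLs Warning'`, `'SmartScreen URLs User Override'` and `'SmartScreen URLs Bypass'` read unnaturally; "SmartScreen warning URLs" and "SmartScreen bypassed URLs" are closer to how an analyst would type them.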
From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Thu, 14 Nov 2024 00:13:07 +0000 Subject: [PATCH 11/13] Update MDE_SmartScreen.yaml --- .../MDE SmartScreen/MDE_SmartScreen.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml index 8bae8693..15ef11a4 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml @@ -75,7 +75,7 @@ SkillGroups: - 'Fetch a list of SmartScreen override events from the past 24 hours' - 'Fetch a list of SmartScreen bypass events from the past 7 days' - 'List the SmartScreen override events from the past 24 hours' - -' List the SmartScreen bypass events from the past 7 days' + - 'List the SmartScreen bypass events from the past 7 days' Inputs: - Name: hourorday Description: hours (h) or days (d) From 0867fcad6bde6f2aa058c5601e2e79806f025ab6 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 23:03:19 +0000 Subject: [PATCH 12/13] Update readme.md --- .../MDE Plug and Play (PnP)/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md index 85e3a834..230ef86c 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md 
+++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md @@ -1,10 +1,10 @@ -# Copilot for Security Plugin: MDE Plug and Play (PnP) +# Security Copilot Plugin: MDE Plug and Play (PnP) ### **This KQL plugin enables SOC analysts to get insights about external devices that have been connected to a device, based on the Defender for Endpoint DeviceEvents table.** ### Prerequisites -- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) - [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) ### Instructions From ca9bea84ff8a87c91ff8704dd03736440a48b6a6 Mon Sep 17 00:00:00 2001 From: Alfonso Greenbrook <157069012+alfonso-greenbrook@users.noreply.github.com> Date: Tue, 4 Feb 2025 23:04:31 +0000 Subject: [PATCH 13/13] Update readme.md --- .../MDE SmartScreen/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md index eabf6413..7a85a47e 100644 --- a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md 
@@ -1,10 +1,10 @@ -# Copilot for Security Plugin: MDE SmartScreen +# Security Copilot Plugin: MDE SmartScreen ### **This KQL plugin enables SOC analysts and engineers to get insights about SmartScreen warning pages and bypasses, using the Defender for Endpoint DeviceEvents table.** ### Prerequisites -- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) - [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) - [Microsoft Defender SmartScreen settings configured](https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings)
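Review bot: PATCH 12 and PATCH 13 make the same two-line rename (`Copilot for Security` to `Security Copilot`) in the two sibling readmes and would be clearer as one commit titled for the rename rather than two "Update readme.md" commits. The link text changes while the URL and its `#onboarding-to-microsoft-security-copilot` anchor stay the same, which is correct; the `Descriptor` DisplayName values in both YAML manifests do not contain the old product name, so no manifest change is needed.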