Azure · alfonso-greenbrook · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
diff --git a/...osoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml b/...osoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/MDE_Plug_and_Plug.yaml
@@ -0,0 +1,110 @@
+Descriptor:
+  Name: MDEPlugandPlay
+  DisplayName: MDE Plug and Play
+  Description: Skills to query MDE device tables to get insights about plug and play (PnP) events
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: GetPnPEventsFromDevice
+        DisplayName: Get PnP Events From Device
+        Description: Summarises the PnP connection events from a specific device over a set timeframe
+        ExamplePrompt:
+        - 'PnP Events'
+        - 'Plug and Play Events'
+        - 'Get PnP events from device DEVICENAME from the last 7 days'
+        - 'Get PnP events from device DEVICENAME from the past 24 hours'
+        - 'Fetch PnP events from device DEVICENAME from the past 7 days'
+        - 'Fetch PnP events from device DEVICENAME from the past 24 hours'
+        - 'List PnP events from device DEVICENAME from the past 7 days'
+        - 'List PnP events from device DEVICENAME from the past 24 hours'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+          - Name: devicename
+            Description: device name or id
+            Required: true
+        Settings:
+          Target: Defender
+          Template: |-
+            let Device = "{{devicename}}";
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where DeviceName =~ Device or DeviceId =~ Device
+            | where ActionType == "PnpDeviceConnected"
+            | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds
+            | project Timestamp, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds
+  - Format: KQL
+    Skills:
+      - Name: GetPnPTop25Devices
+        DisplayName: Get PnP Top 25 Devices
+        Description: Fetches a count of the top 25 PnP devices across the estate
+        ExamplePrompt:
+        - 'PnP Devices'
+        - 'Plug and Play Devices'
+        - 'Get a list of the top 25 PnP devices from the last 24 hours'
+        - 'Get a list of the top 25 PnP devices from the last 1 day'
+        - 'Fetch a list of the top 25 PnP devices from the last 24 hours'
+        - 'Fetch a list of the top 25 PnP devices from the last 1 day'
+        - 'List the top 25 PnP devices from the last 24 hours'
+        - 'List the top 25 PnP devices from the last 1 day'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 1
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType == "PnpDeviceConnected"
+            | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds
+            | project ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds
+            | summarize count() by tostring(ClassName), tostring(ClassId), tostring(PnPDeviceId), tostring(DeviceDescription), tostring(VendorIds)
+            | top 25 by count_
+  - Format: KQL
+    Skills:
+      - Name: GetPnPLeastCommonDevices
+        DisplayName: Get PnP Least Common Devices
+        Description: Fetches a count of the 25 least common PnP devices which could be anomalous
+        ExamplePrompt:
+        - 'PnP Devices'
+        - 'Plug and Play Devices'
+        - 'Anomalous PnP'
+        - 'Anomalous Plug and Play'
+        - 'Get a list of the 25 least common PnP devices from the last 24 hours'
+        - 'Get a list of the 25 least common PnP devices from the last 1 day'
+        - 'Fetch a list of the 25 least common PnP devices from the last 24 hours'
+        - 'Fetch a list of the 25 least common PnP devices from the last 1 day'
+        - 'List the 25 least common PnP devices from the last 1 day'
+        - 'List the 25 least common PnP devices from the last 24 hours'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 1
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType == "PnpDeviceConnected"
+            | extend ClassName=parse_json(AdditionalFields).ClassName, ClassId=parse_json(AdditionalFields).ClassId, PnPDeviceId=parse_json(AdditionalFields).DeviceId, DeviceDescription=parse_json(AdditionalFields).DeviceDescription, VendorIds=parse_json(AdditionalFields).VendorIds
+            | project ClassName, ClassId, PnPDeviceId, DeviceDescription, VendorIds
+            | summarize count() by tostring(ClassName), tostring(ClassId), tostring(PnPDeviceId), tostring(DeviceDescription), tostring(VendorIds)
+            | top 25 by count_ asc
diff --git a/...icrosoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md b/...icrosoft Defender XDR Custom Plugin Scenarios/MDE Plug and Play (PnP)/readme.md
@@ -0,0 +1,34 @@
+# Security Copilot Plugin: MDE Plug and Play (PnP)
+
+### **This KQL plugin enables SOC analysts to get insights about external devices that have been connected to a device, based on the Defender for Endpoint DeviceEvents table.**
+
+### Prerequisites
+
+-   [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+-   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1.  Obtain the file MDE_Plug_and_Plug.yaml from this directory.
+2.  Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **GetPnPTop25Devices**: Fetches a count of the top 25 PnP devices across the estate
+- **GetPnPLeastCommonDevices**: Fetches a count of the 25 least common PnP devices which could be anomalous  
+- **GetPnPEventsFromDevice**: Summarises the PnP connection events from a specific device over a set timeframe
+
+#### Example Prompts
+
+- Get a list of PnP events from device DEVICENAME from the last 7 days
+- Fetch a list of the top 25 PnP devices from the last 24 hours
+- List the 25 least common PnP devices from the last 30 days
+
+#### Example Usage
+
+1. A SOC analyst is investigating a data exfiltration alert and requires further details on the methods used. 
+2. The GetPnPEventsFromDevice skill is used to get a summary of the PnP devices connected to a laptop over the past 24 hours.
diff --git a/...ugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml b/...ugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/MDE_SmartScreen.yaml
@@ -0,0 +1,185 @@
+Descriptor:
+  Name: MDESmartScreen
+  DisplayName: MDE SmartScreen
+  Description: Skills to query MDE device tables to get insights about SmartScreen events
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: GetSmartScreenEvents
+        DisplayName: Get SmartScreen Events
+        Description: Summarises SmartScreen events over a specified timeframe
+        ExamplePrompt:
+        - 'SmartScreen Events'
+        - 'Get a list of SmartScreen events from the past 24 hours'
+        - 'Get a list of SmartScreen events from the past 7 days'
+        - 'Fetch a list of SmartScreen events from the past 24 hours'
+        - 'Fetch a list of SmartScreen events from the past 7 days'
+        - 'List the SmartScreen events from the past 24 hours'
+        - 'List the SmartScreen events from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType contains "Smartscreen"
+            | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields
+  - Format: KQL
+    Skills:
+      - Name: GetSmartScreenWarningEvents
+        DisplayName: Get SmartScreen Warning Events
+        Description: Summarises SmartScreen warning events over a specified timeframe
+        ExamplePrompt:
+        - 'SmartScreen Warning Events'
+        - 'Get a list of SmartScreen warning events from the past 24 hours'
+        - 'Get a list of SmartScreen warning events from the past 7 days'
+        - 'Fetch a list of SmartScreen warning events from the past 24 hours'
+        - 'Fetch a list of SmartScreen warning events from the past 7 days'
+        - 'List the SmartScreen warning events from the past 24 hours'
+        - 'List the SmartScreen warning events from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType == @"SmartScreenUrlWarning"
+            | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields
+  - Format: KQL
+    Skills:
+      - Name: GetSmartScreenBypassEvents
+        DisplayName: Get SmartScreen Bypass Events
+        Description: Summarises SmartScreen bypass events over a specified timeframe
+        ExamplePrompt:
+        - 'SmartScreen User Override'
+        - 'SmartScreen Bypass'
+        - 'Get a list of SmartScreen bypass events from the past 24 hours'
+        - 'Get a list of SmartScreen override events from the past 7 days'
+        - 'Fetch a list of SmartScreen override events from the past 24 hours'
+        - 'Fetch a list of SmartScreen bypass events from the past 7 days'
+        - 'List the SmartScreen override events from the past 24 hours'
+        - 'List the SmartScreen bypass events from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType == @"SmartScreenUserOverride"
+            | project DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn, InitiatingProcessParentFileName, AdditionalFields
+  - Format: KQL
+    Skills:
+      - Name: GetSmartScreenEventsURL
+        DisplayName: Get SmartScreen Events URL
+        Description: Fetches a count of SmartScreen events grouped by URL
+        ExamplePrompt:
+        - 'SmartScreen URLs'
+        - 'Get a list of URLs identified by SmartScreen from the past 24 hours'
+        - 'Get a list of URLs identified by SmartScreen from the past 7 days'
+        - 'Fetch a list of URLs identified by SmartScreen from the past 24 hours'
+        - 'Fetch a list of URLs identified by SmartScreen from the past 7 days'
+        - 'List the URLs identified by SmartScreen from the past 24 hours'
+        - 'List the URLs identified by SmartScreen from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType contains "SmartScreen"
+            | project ActionType, RemoteUrl
+            | summarize count() by ActionType, RemoteUrl
+  - Format: KQL
+    Skills:
+      - Name: GetSmartScreenWarningEventsURL
+        DisplayName: Get SmartScreen Warning Events URL
+        Description: Fetches a count of SmartScreen warning events grouped by URL
+        ExamplePrompt:
+        - 'SmartScreen URLs Warning'
+        - 'Get a list of URLs marked with a warning by SmartScreen from the past 24 hours'
+        - 'Get a list of URLs marked with a warning by SmartScreen from the past 7 days'
+        - 'Fetch a list of URLs marked with a warning by SmartScreen from the past 24 hours'
+        - 'Fetch a list of URLs marked with a warning by SmartScreen from the past 7 days'
+        - 'List the URLs marked with a warning by SmartScreen from the past 24 hours'
+        - 'List the URLs marked with a warning by SmartScreen from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType == @"SmartScreenUrlWarning"
+            | project ActionType, RemoteUrl
+            | summarize count() by ActionType, RemoteUrl
+  - Format: KQL
+    Skills:
+      - Name: GetSmartScreenBypassEventsURL
+        DisplayName: Get SmartScreen Bypass Events URL
+        Description: Fetches a count of SmartScreen bypass events grouped by URL
+        ExamplePrompt:
+        - 'SmartScreen URLs User Override'
+        - 'SmartScreen URLs Bypass'
+        - 'Get a list of URLs where the user has overridden SmartScreen from the past 24 hours'
+        - 'Get a list of URLs where the user has bypassed SmartScreen from the past 7 days'
+        - 'Fetch a list of URLs where the user has overridden SmartScreen from the past 24 hours'
+        - 'Fetch a list of URLs where the user has bypassed SmartScreen from the past 7 days'
+        - 'List the URLs where the user has bypassed SmartScreen from the past 24 hours'
+        - 'List the URLs where the user has overridden SmartScreen from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType == @"SmartScreenUserOverride"
+            | project ActionType, RemoteUrl
+            | summarize count() by ActionType, RemoteUrl
diff --git a/...lugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md b/...lugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE SmartScreen/readme.md
@@ -0,0 +1,43 @@
+# Security Copilot Plugin: MDE SmartScreen
+
+### **This KQL plugin enables SOC analysts and engineers to get insights about SmartScreen warning pages and bypasses, using the Defender for Endpoint DeviceEvents table.**
+
+### Prerequisites
+
+-   [Security Copilot enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+-   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+-   [Microsoft Defender SmartScreen settings configured](https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1.  Obtain the file MDE_SmartScreen.yaml from this directory.
+2.  Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **GetSmartScreenEvents**: Summarises SmartScreen events over a specified timeframe
+- **GetSmartScreenWarningEvents**: Summarises SmartScreen warning events over a specified timeframe
+- **GetSmartScreenBypassEvents**: Summarises SmartScreen bypass events over a specified timeframe
+- **GetSmartScreenEventsURL**: Fetches a count of SmartScreen events grouped by URL
+- **GetSmartScreenWarningEventsURL**: Fetches a count of SmartScreen warning events grouped by URL
+- **GetSmartScreenBypassEventsURL**: Fetches a count of SmartScreen bypass events grouped by URL
+
+#### Example Prompts
+
+- Get a list of SmartScreen events from the past 7 days
+- Fetch a list of SmartScreen warning events from the past 24 hours
+- List the SmartScreen override events from the past 7 days
+- Get a list of URLs identified by SmartScreen from the past 24 hours
+- Fetch a list of URLs marked with a warning by SmartScreen from the past 7 days
+- List the URLs where the user has bypassed SmartScreen from the past 24 hours
+
+#### Example Usage
+
+1. A desktop engineer is drafting a report for senior leadership about the organisation’s protection against phishing or malware websites and applications.
+2. The GetSmartScreenEvents skill is used to get a summary of the SmartScreen events from the past 30 days.
+3. The GetSmartScreenBypassEvents skill is used to identify users who are ignored the warning message and may require further security education and awareness training. 
+4. The Generic plugin is used to summarise the previous prompts and provide recommendations about changes to the current configuration.