├── Workbooks
└── MDTI-Workbook-Solution
│ ├── mdtiwb.zip
│ ├── ReadMe.md
│ ├── azure_deploy_mdti_workbook.json
│ ├── azuredeploy.json.bak
│ └── azuredeploy.json
├── CODE_OF_CONDUCT.md
├── M365 Advance hunting queries
├── DTI DNS queries from domain controller.txt
├── DTI email based events.txt
├── DTI device based events from resolutions.txt
└── DTI device based events.txt
├── LICENSE
├── SUPPORT.md
├── Notebooks
├── README.md
├── MDTI_Trackers
│ ├── readme.md
│ └── MDTI_Trackers.ipynb
├── MDTI_Cookies
│ ├── readme.md
│ └── MDTI_Cookies.ipynb
├── MDTI_Article
│ ├── readme.md
│ └── MDTI_Article.ipynb
├── MDTI_WHOIS
│ ├── readme.md
│ └── MDTI_WHOIS.ipynb
├── MDTI_Hostpairs
│ ├── readme.md
│ └── MDTI_HostPairs.ipynb
├── MDTI_subdomains
│ ├── readme.md
│ └── MDTI_Subdomains.ipynb
├── MDTI_SSLCerts
│ ├── readme.md
│ └── MDTI_Certs.ipynb
├── MDTI_Components
│ ├── readme.md
│ └── MDTI_Components.ipynb
├── MDTI_Reputation
│ ├── readme.md
│ └── MDTI_Reputation.ipynb
└── MDTI_TypoSquat
│ ├── readme.md
│ └── MDTI_TypoSquat.ipynb
├── MDTIPlaybooks
├── ArticlesNewletter
│ ├── readme.md
│ └── azuredeploy.json
├── MDTI-Data-HostInfo
│ ├── readme.md
│ └── azuredeploy.json
├── MDTI-Automated-TriageCustom
│ └── readme.md
└── MDTIFeed-Anomali
│ └── readme.md
├── README.md
├── SECURITY.md
├── .gitignore
└── Postman Collection
└── MDTI-Postman-Collection.json
/Workbooks/MDTI-Workbook-Solution/mdtiwb.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/MDTI-Solutions/HEAD/Workbooks/MDTI-Workbook-Solution/mdtiwb.zip
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Microsoft Open Source Code of Conduct
2 |
3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
4 |
5 | Resources:
6 |
7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
10 |
--------------------------------------------------------------------------------
/M365 Advance hunting queries/DTI DNS queries from domain controller.txt:
--------------------------------------------------------------------------------
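1 | // Resolution tab export from DTI
2 | // Kusto query for M365D advanced hunting:
3 | // match DTI resolutions against DNS queries observed on domain controllers
4 | //
5 | // Hostnames are case-insensitive but KQL join keys are not, so both sides are lower-cased before the join.
6 | // A SAS URL is a bearer credential for the blob: issue it read-only, with a short expiry, and keep it out of shared query text.
7 | externaldata (parentHostName:string,childHostName:string,firstSeen:datetime, lastSeen:datetime, attributeCause:string, tags:string)
8 | [@'Replace-with-your-Storage-Generated-SAS-URL-Token']
9 | with (format='csv', ignorefirstrecord = true)
10 | | extend tags = split(tags, '|'), parentHostName = tolower(parentHostName)
11 | | join kind=inner (
12 | IdentityQueryEvents
13 | | where ActionType contains "dns"
14 | | extend QueryTarget = tolower(QueryTarget)
15 | ) on $left.parentHostName == $right.QueryTarget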
--------------------------------------------------------------------------------
/M365 Advance hunting queries/DTI email based events.txt:
--------------------------------------------------------------------------------
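1 | // Resolution tab export from DTI
2 | // Kusto query for M365D advanced hunting:
3 | // match DTI resolutions against URLs seen in e-mail and in URL click events
4 | //
5 | // Hostnames are case-insensitive but KQL join keys are not, so every join key is lower-cased.
6 | // A SAS URL is a bearer credential for the blob: issue it read-only, with a short expiry, and keep it out of shared query text.
7 | let ThreatIntel = materialize(
8 | externaldata (parentHostName:string,childHostName:string,firstSeen:datetime, lastSeen:datetime, attributeCause:string, tags:string)
9 | [@'Replace-with-your-Storage-Generated-SAS-URL-Token']
10 | with (format='csv', ignorefirstrecord = true)
11 | | extend tags = split(tags, '|'), parentHostName = tolower(parentHostName)
12 | );
13 | union (
14 | // E-mails with URL embedded
15 | ThreatIntel
16 | // kind=inner keeps every matching pair; the default join kind (innerunique) would drop
17 | // repeated parentHostName rows on the threat-intel side
18 | | join kind=inner (EmailUrlInfo | extend UrlDomain = tolower(UrlDomain)) on $left.parentHostName == $right.UrlDomain
19 | ), (
20 | // URL click events; UrlChain entries may be bare hosts as well as full URLs
21 | ThreatIntel
22 | | join kind=inner (
23 | UrlClickEvents
24 | | mv-expand todynamic(UrlChain) to typeof(string)
25 | | extend parentHostName = tolower(iff(UrlChain contains '//', tostring(parse_url(UrlChain).Host), UrlChain))
26 | ) on parentHostName
27 | )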
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) Microsoft Corporation.
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE
22 |
--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
1 | # TODO: The maintainer of this repo has not yet edited this file
2 |
3 | **REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project?
4 |
5 | - **No CSS support:** Fill out this template with information about how to file issues and get help.
6 | - **Yes CSS support:** Fill out an intake form at [aka.ms/onboardsupport](https://aka.ms/onboardsupport). CSS will work with/help you to determine next steps.
7 | - **Not sure?** Fill out an intake as though the answer were "Yes". CSS will help you decide.
8 |
9 | *Then remove this first heading from this SUPPORT.MD file before publishing your repo.*
10 |
11 | # Support
12 |
13 | ## How to file issues and get help
14 |
15 | This project uses GitHub Issues to track bugs and feature requests. Please search the existing
16 | issues before filing new issues to avoid duplicates. For new issues, file your bug or
17 | feature request as a new Issue.
18 |
19 | For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE
20 | FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER
21 | CHANNEL. WHERE WILL YOU HELP PEOPLE?**.
22 |
23 | ## Microsoft Support Policy
24 |
25 | Support for this **PROJECT or PRODUCT** is limited to the resources listed above.
26 |
--------------------------------------------------------------------------------
/Notebooks/README.md:
--------------------------------------------------------------------------------
1 | MDTI API sample Jupyter Notebooks
2 | This repo contains sample notebooks for using the Microsoft Defender Threat Intelligence API.
3 |
4 | These Jupyter Notebooks demonstrate the usage of the MDTI API endpoints that allow users to access their attack surface data easily using Python in an interactive environment.
5 |
6 | Available endpoints/actions: Host Information, Reputations & Score, Components, Cookies, Trackers, Threat Articles, Threat Profiles, Vulnerabilities, Passive DNS
7 |
8 | Instructions to use the notebooks
9 | Recommended: use VS Code with the Python and Jupyter extensions, following these steps:
10 |
11 | Install VS Code
12 | Add the Python Extension for VS Code; once it is configured, run pip install requests
13 | Add the Jupyter Extension for VS Code
14 |
15 |
16 | Enter the required MDTI information (tenantId, subscriptionId, resourceGroupName, workspaceName, region, service principal clientId, & clientSecret)
17 | MDTI API documentation can be found here: https://learn.microsoft.com/en-us/defender/threat-intelligence/reputation-scoring
18 |
19 | Azure AD authentication details can be found here: https://docs.microsoft.com/en-us/rest/api/azure/#how-to-call-azure-rest-apis-with-postman
20 |
21 | Blog on MDTI APIs in Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
22 |
23 | Suggestions and feedback
24 | We value your feedback. Let us know if you run into any problems, or share your suggestions and feedback with the MDEASM Go-To-Production (GTP) Customer Experience Engineering (CxE) Team. Email: mdeasm_cxe@microsoft.com
25 |
26 |
--------------------------------------------------------------------------------
/MDTIPlaybooks/ArticlesNewletter/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI ARTICLE NEWSLETTER
2 |
3 | ## Overview
4 | This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti#defender-ti-articles) article data to provide the latest articles generated by Microsoft Defender Threat Intelligence.
5 | ## Prerequisites
6 | 1. This playbook requires API connections to be created (for example, by a base playbook) before it can be used, so you need access to the MDTI API and its connections to pull the data. See how to get access to the API here: (https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350). If you have trouble accessing your account or your credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
7 |
8 | ## Deployment
9 |
10 |
11 |
12 |
13 | <
14 |
15 |
16 |
17 | ## Post-Deployment Instructions
18 | After deploying the playbook, you must authorize the connections leveraged.
19 |
20 | 1. Visit the playbook resource.
21 | 2. Under "Development Tools" (located on the left), click "API Connections".
22 | 3. Ensure each connection has been authorized.
23 |
24 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Project
2 |
3 | > This repo has been populated by an initial template to help get you started. Please
4 | > make sure to update the content to build a great experience for community-building.
5 |
6 | As the maintainer of this project, please make a few updates:
7 |
8 | - Improving this README.MD file to provide a great experience
9 | - Updating SUPPORT.MD with content about this project's support experience
10 | - Understanding the security reporting process in SECURITY.MD
11 | - Remove this section from the README
12 |
13 | ## Contributing
14 |
15 | This project welcomes contributions and suggestions. Most contributions require you to agree to a
16 | Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
17 | the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
18 |
19 | When you submit a pull request, a CLA bot will automatically determine whether you need to provide
20 | a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
21 | provided by the bot. You will only need to do this once across all repos using our CLA.
22 |
23 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
24 | For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
25 | contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
26 |
27 | ## Trademarks
28 |
29 | This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
30 | trademarks or logos is subject to and must follow
31 | [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
32 | Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
33 | Any use of third-party trademarks or logos are subject to those third-party's policies.
34 |
--------------------------------------------------------------------------------
/M365 Advance hunting queries/DTI device based events from resolutions.txt:
--------------------------------------------------------------------------------
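1 | // Resolution tab export from DTI
2 | // Kusto query for M365D advanced hunting:
3 | // match DTI domain resolutions against device network, browser, file-origin and DNS events
4 | //
5 | // Hostnames are case-insensitive but KQL join keys are not, so every join key is lower-cased.
6 | // A SAS URL is a bearer credential for the blob: issue it read-only, with a short expiry, and keep it out of shared query text.
7 | let ThreatIntel = materialize(
8 | externaldata (resolve:string,location:string,network:string,autonomous:string,firstSeen:datetime, lastSeen:datetime, source:string, tags:string)
9 | [@'Replace-with-your-Storage-Generated-SAS-URL-Token']
10 | with (format='csv', ignorefirstrecord = true)
11 | | extend tags = split(tags, '|'), resolve = tolower(resolve)
12 | );
13 | union (
14 | // Device network connections (RemoteUrl)
15 | ThreatIntel
16 | | join kind=inner (
17 | DeviceNetworkEvents
18 | | where isnotempty( RemoteUrl)
19 | | extend resolve = tolower(iff(RemoteUrl contains '//', tostring(parse_url(RemoteUrl).Host), RemoteUrl))
20 | ) on resolve
21 | ), (
22 | // BrowserLaunchedToOpenUrl, SmartScreenUrlWarning, ExploitGuardNetworkProtectionBlocked
23 | ThreatIntel
24 | | join kind=inner (
25 | DeviceEvents
26 | | where isnotempty( RemoteUrl)
27 | | extend resolve = tolower(iff(RemoteUrl contains '//', tostring(parse_url(RemoteUrl).Host), RemoteUrl))
28 | ) on resolve
29 | ), (
30 | // Mark of the Web
31 | ThreatIntel
32 | | join kind=inner (
33 | DeviceFileEvents
34 | | where isnotempty( FileOriginUrl)
35 | | extend resolve = tolower(iff(FileOriginUrl contains '//', tostring(parse_url(FileOriginUrl).Host), FileOriginUrl))
36 | ) on resolve
37 | ), (
38 | // Referrer Mark of the Web
39 | ThreatIntel
40 | | join kind=inner (
41 | DeviceFileEvents
42 | | where isnotempty( FileOriginReferrerUrl)
43 | | extend resolve = tolower(iff(FileOriginReferrerUrl contains '//', tostring(parse_url(FileOriginReferrerUrl).Host), FileOriginReferrerUrl))
44 | ) on resolve
45 | ), (
46 | // DNS queries
47 | ThreatIntel
48 | | join kind=inner (
49 | DeviceEvents
50 | | where ActionType == 'DnsQueryResponse'
51 | | extend resolve = tolower(tostring(parse_json(AdditionalFields).DnsQueryString))
52 | ) on resolve
53 | )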
--------------------------------------------------------------------------------
/M365 Advance hunting queries/DTI device based events.txt:
--------------------------------------------------------------------------------
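1 | // Resolution tab export from DTI
2 | // Kusto query for M365D advanced hunting:
3 | // match DTI resolutions against device network, browser, file-origin and DNS events
4 | //
5 | // Hostnames are case-insensitive but KQL join keys are not, so every join key is lower-cased.
6 | // A SAS URL is a bearer credential for the blob: issue it read-only, with a short expiry, and keep it out of shared query text.
7 | let ThreatIntel = materialize(
8 | externaldata (parentHostName:string,childHostName:string,firstSeen:datetime, lastSeen:datetime, attributeCause:string, tags:string)
9 | [@'Replace-with-your-Storage-Generated-SAS-URL-Token']
10 | with (format='csv', ignorefirstrecord = true)
11 | | extend tags = split(tags, '|'), parentHostName = tolower(parentHostName)
12 | );
13 | union (
14 | // Device network connections (RemoteUrl)
15 | ThreatIntel
16 | | join kind=inner (
17 | DeviceNetworkEvents
18 | | where isnotempty( RemoteUrl)
19 | | extend parentHostName = tolower(iff(RemoteUrl contains '//', tostring(parse_url(RemoteUrl).Host), RemoteUrl))
20 | ) on parentHostName
21 | ), (
22 | // BrowserLaunchedToOpenUrl, SmartScreenUrlWarning, ExploitGuardNetworkProtectionBlocked
23 | ThreatIntel
24 | | join kind=inner (
25 | DeviceEvents
26 | | where isnotempty( RemoteUrl)
27 | | extend parentHostName = tolower(iff(RemoteUrl contains '//', tostring(parse_url(RemoteUrl).Host), RemoteUrl))
28 | ) on parentHostName
29 | ), (
30 | // Mark of the Web
31 | ThreatIntel
32 | | join kind=inner (
33 | DeviceFileEvents
34 | | where isnotempty( FileOriginUrl)
35 | | extend parentHostName = tolower(iff(FileOriginUrl contains '//', tostring(parse_url(FileOriginUrl).Host), FileOriginUrl))
36 | ) on parentHostName
37 | ), (
38 | // Referrer Mark of the Web
39 | ThreatIntel
40 | | join kind=inner (
41 | DeviceFileEvents
42 | | where isnotempty( FileOriginReferrerUrl)
43 | | extend parentHostName = tolower(iff(FileOriginReferrerUrl contains '//', tostring(parse_url(FileOriginReferrerUrl).Host), FileOriginReferrerUrl))
44 | ) on parentHostName
45 | ), (
46 | // DNS queries
47 | ThreatIntel
48 | | join kind=inner (
49 | DeviceEvents
50 | | where ActionType == 'DnsQueryResponse'
51 | | extend parentHostName = tolower(tostring(parse_json(AdditionalFields).DnsQueryString))
52 | ) on parentHostName
53 | )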
--------------------------------------------------------------------------------
/Workbooks/MDTI-Workbook-Solution/ReadMe.md:
--------------------------------------------------------------------------------
1 | # Deploy-MDTI-Workbook
2 | author: Yaniv Shasha
3 |
4 |
5 | By clicking deploy above you will deploy an Azure Function App with the functions needed to run this project. This version will deploy the functions for MDTI API endpoints.
6 |
7 | ### Prerequisites
8 |
9 | Prior to beginning the installation process, it's crucial to confirm that you have met the following prerequisites:
10 | • You enabled the MDTI API license on your tenant
11 | • You have created an application with a corresponding APP id and Secret.
12 | https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
13 | • You possess the necessary permissions to deploy resources in the designated resource group.
14 |
15 | The above solution will deploy these resources into the target resource group:
16 | • Azure function – will act as a middle layer between the workbook and the API
17 | • Key vault – will store the API key and secret.
18 | • Workbook – acts as the presentation layer.
19 |
20 |
21 | ### Installing
22 |
23 | 1. To install the solution, navigate to this GitHub repository and press deploy to Azure.
24 | In the custom deployment screen add the client ID and app secret you created.
25 | This information will be saved in an Azure key vault.
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 | ### Workbook configuration
35 |
36 | 1. Post installation, navigate to the target resource group where you deployed the solution and copy the Azure Function name.
37 |
38 | 2. Open the workbook and in the “Deployed-AzureFunction” field select the name you copied in step 1.
39 |
40 | To set up the MDTI Sentinel Incident View Tab, choose the subscription and workspace for the Sentinel instance. Keep in mind that although the remaining sections of this workbook do not depend on Sentinel data, you must still select a workspace in this tab.
--------------------------------------------------------------------------------
/MDTIPlaybooks/MDTI-Data-HostInfo/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI-DATA-HOSTINFO
2 |
3 | ## Overview
4 | This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Reputation data as well as the Host API endpoint to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI [Reputation](https://learn.microsoft.com/en-us/defender/threat-intelligence/reputation-scoring) data.
5 |
6 | ## Prerequisites
7 | 1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook before deploying this one. If you have trouble accessing your account or your credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
8 | 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
9 |
10 |
11 | ## Deployment
12 |
13 |
15 |
16 |
17 |
18 |
19 |
20 |
21 | ## Post-Deployment Instructions
22 | After deploying the playbook, you must authorize the connections leveraged.
23 |
24 | 1. Visit the playbook resource.
25 | 2. Under "Development Tools" (located on the left), click "API Connections".
26 | 3. Ensure each connection has been authorized.
27 |
28 | **Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
29 |
--------------------------------------------------------------------------------
/MDTIPlaybooks/MDTI-Automated-TriageCustom/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI-Automated-Triage
2 |
3 | ## Overview
4 | This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI [Reputation](https://learn.microsoft.com/en-us/defender/threat-intelligence/reputation-scoring) data. If any indicators are labeled as "suspicious", the incident will be tagged as such and its severity will be marked as "medium". If any indicators are labeled as "malicious", the incident will be tagged as such and its severity will be marked as "high". Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.
5 |
6 | ## Prerequisites
7 | 1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook before deploying this one. If you have trouble accessing your account or your credentials, contact your account representative or reach out to discussMDTI[@]microsoft.com.
8 | 2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
9 |
10 |
11 | ## Deployment
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 | ## Post-Deployment Instructions
21 | After deploying the playbook, you must authorize the connections leveraged.
22 |
23 | 1. Visit the playbook resource.
24 | 2. Under "Development Tools" (located on the left), click "API Connections".
25 | 3. Ensure each connection has been authorized.
26 |
27 | **Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**
28 |
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## Security
4 |
5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
6 |
7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
8 |
9 | ## Reporting Security Issues
10 |
11 | **Please do not report security vulnerabilities through public GitHub issues.**
12 |
13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
14 |
15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
16 |
17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).
18 |
19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
20 |
21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
22 | * Full paths of source file(s) related to the manifestation of the issue
23 | * The location of the affected source code (tag/branch/commit or direct URL)
24 | * Any special configuration required to reproduce the issue
25 | * Step-by-step instructions to reproduce the issue
26 | * Proof-of-concept or exploit code (if possible)
27 | * Impact of the issue, including how an attacker might exploit the issue
28 |
29 | This information will help us triage your report more quickly.
30 |
31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
32 |
33 | ## Preferred Languages
34 |
35 | We prefer all communications to be in English.
36 |
37 | ## Policy
38 |
39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
40 |
41 |
42 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Trackers/readme.md:
--------------------------------------------------------------------------------
1 | # Microsoft Graph API Trackers Retrieval Jupyter Notebook
2 |
3 |
4 | This notebook provides a Python script that leverages the Microsoft Graph Security API to fetch trackers associated with a given domain.
5 |
6 | ## Prerequisites
7 | Before executing the script, ensure the following:
8 |
9 | - Python 3.6+ is installed on your system.
10 | - The necessary Python packages are installed: azure-identity and requests. (Note: os and json are part of Python's standard library and do not need to be installed.)
11 |
12 |
13 | ## Setup
14 | 1. Clone the repository or download the notebook file to your local machine.
15 | 2. Install the required Python packages by executing the following command in your terminal or command prompt:
16 |
17 |
18 | ```shell
19 | pip install azure-identity requests
20 | ```
21 |
22 | ## Configuration
23 | Open the notebook and adjust the necessary configuration details in the appropriate sections:
24 |
25 | ```Python
26 | credential = ClientSecretCredential(
27 | tenant_id='Your Tenant ID', # Your Azure AD tenant ID
28 | client_id='Your Client ID', # Your Application Client ID
29 | client_secret='Your client secret' # Ensure this secret is fetched securely
30 | )
31 | ```
32 |
33 | Replace the placeholders with your Azure AD tenant ID, application client ID, and client secret. When registering an App within Azure Active Directory, you will obtain the Client ID and Client Secret.
34 |
35 | Ensure your client secret is fetched securely (for example, from an environment variable or a secret store such as Azure Key Vault) and isn't stored in plain text or committed to the notebook.
36 |
37 | ## Usage
38 | 1. Launch Jupyter Notebook on your system.
39 | 2. Open the "MDTI_Trackers.ipynb" notebook.
40 | 3. Execute the cells sequentially, adhering to the guidelines and comments provided.
41 | 4. The script will fetch trackers related to the specified domain and display the JSON response from the API.
42 |
43 | ## Results
44 | The notebook will output a JSON response from the API that lists trackers tied to the input domain.
45 |
46 | ## Disclaimer
47 | This notebook is supplied "as-is" and without any warranties. Utilize it responsibly. It communicates with the Microsoft Graph Security API and employs your Azure AD credentials to fetch domain-specific trackers. Always adhere to Microsoft's security recommendations when managing authentication credentials.
48 |
49 | ## Additional Information
51 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
52 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
53 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
54 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
55 |
56 | Author:\
57 | Dennis Mercer\
58 | CXE MDTI\
59 | Microsoft Security\
--------------------------------------------------------------------------------
/Notebooks/MDTI_Cookies/readme.md:
--------------------------------------------------------------------------------
1 | # Microsoft Graph API Cookies Retrieval Jupyter Notebook
2 |
3 |
4 | This notebook provides a Python script that leverages the Microsoft Graph Security API to fetch cookies associated with a given domain.
5 |
6 | ## Prerequisites
7 | Before executing the script, ensure the following:
8 |
9 | - Python 3.6+ is installed on your system.
10 | - The necessary Python packages are installed: azure-identity and requests. (Note: os and json are part of Python's standard library and do not need to be installed.)
11 |
12 |
13 | ## Setup
14 | 1. Clone the repository or download the notebook file to your local machine.
15 | 2. Install the required Python packages by executing the following command in your terminal or command prompt:
16 |
17 |
18 | ```shell
19 | pip install azure-identity requests
20 | ```
21 |
22 | ## Configuration
23 | Open the notebook and adjust the necessary configuration details in the appropriate sections:
24 |
25 | ```Python
26 | credential = ClientSecretCredential(
27 | tenant_id='Your Tenant ID', # Your Azure AD tenant ID
28 | client_id='Your Client ID', # Your Application Client ID
29 | client_secret='Your client secret' # Ensure this secret is fetched securely
30 | )
31 | ```
32 |
33 | Replace the placeholders with your Azure AD tenant ID, application client ID, and client secret. When registering an App within Azure Active Directory, you will obtain the Client ID and Client Secret.
34 |
35 | Ensure your client secret is fetched securely (for example, from an environment variable or a secret store such as Azure Key Vault) and isn't stored in plain text or committed to the notebook.
36 |
37 | ## Usage
38 | 1. Launch Jupyter Notebook on your system.
39 | 2. Open the "MDTI_Cookies.ipynb" notebook.
40 | 3. Execute the cells sequentially, adhering to the guidelines and comments provided.
41 | 4. The script will fetch cookies related to the specified domain and display the JSON response from the API.
42 |
43 | ## Results
44 | The notebook will output a JSON response from the API that lists cookies tied to the input domain.
45 |
46 | ## Disclaimer
47 | This notebook is supplied "as-is" and without any warranties. Utilize it responsibly. It communicates with the Microsoft Graph Security API and employs your Azure AD credentials to fetch domain-specific cookies. Always adhere to Microsoft's security recommendations when managing authentication credentials.
48 |
49 | ## Additional Information
51 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
52 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
53 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
54 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
55 |
56 | Author:\
57 | Dennis Mercer\
58 | CXE MDTI\
59 | Microsoft Security\
--------------------------------------------------------------------------------
/Notebooks/MDTI_Article/readme.md:
--------------------------------------------------------------------------------
1 | # Microsoft Graph API Threat Intelligence Articles Retrieval Jupyter Notebook
2 |
3 |
4 | This notebook provides a Python script that leverages the Microsoft Graph Security API to fetch Intel Articles associated with a given article ID or by Threat Group name.
5 |
6 | ## Prerequisites
7 | Before executing the script, ensure the following:
8 |
9 | - Python 3.6+ is installed on your system.
10 | - The necessary Python packages are installed: azure-identity and requests. (Note: the json and os modules are part of Python's standard library and do not need to be installed.)
11 |
12 |
13 | ## Setup
14 | 1. Clone the repository or download the notebook file to your local machine.
15 | 2. Install the required Python packages by executing the following command in your terminal or command prompt:
16 |
17 |
18 | ```bash
19 | pip install azure-identity requests
20 | ```
21 |
22 | ## Configuration
23 | Open the notebook and adjust the necessary configuration details in the appropriate sections:
24 |
25 | ```Python
26 | credential = ClientSecretCredential(
27 | tenant_id='Your Tenant ID', # Your Azure AD tenant ID
28 | client_id='Your Client ID', # Your Application Client ID
29 | client_secret='Your client secret' # Ensure this secret is fetched securely
30 | )
31 | ```
32 |
33 | Replace the placeholders with your Azure AD tenant ID, application client ID, and client secret. You obtain the Client ID and Client Secret when you register an App within Azure Active Directory; grant that registration only the Microsoft Graph permission the notebook needs (`ThreatIntelligence.Read.All`, with admin consent) and nothing more.
34 |
35 | Ensure your client secret is fetched securely — for example, from an environment variable or a secret store such as Azure Key Vault — rather than hard-coded in the notebook, where it is easy to commit or share by accident.
36 |
37 | ## Usage
38 | 1. Launch Jupyter Notebook on your system.
39 | 2. Open the "MDTI_Articles" notebook.
40 | 3. Execute the cells sequentially, adhering to the guidelines and comments provided.
41 | 4. The script will fetch Threat Intel Articles related to the specified article ID or Threat Group name and display the JSON response from the API.
42 |
43 | ## Results
44 | The notebook will output a JSON response from the API that lists articles tied to the article ID or the Threat Group name.
45 |
46 | ## Disclaimer
47 | This notebook is supplied "as-is" and without any warranties. Utilize it responsibly. It communicates with the Microsoft Graph Security API and employs your Azure AD credentials to fetch Intel Articles by article ID or Threat Group name. Always adhere to Microsoft's security recommendations when managing authentication credentials.
48 |
49 | ## Additional Information
50 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
51 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
52 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
53 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
54 |
55 | Author:\
56 | Dennis Mercer\
57 | CXE MDTI\
58 | Microsoft Security\
--------------------------------------------------------------------------------
/Notebooks/MDTI_WHOIS/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI WHOIS Jupyter Notebook
2 |
3 | MDTI WHOIS Notebook is a Jupyter Notebook Python script that utilizes the Microsoft Graph Security API to retrieve WHOIS Information associated with a given entity.
4 |
5 | ## Prerequisites
6 | Before running the script, ensure you have the following:
7 |
8 | - Python 3.6+ installed on your system.
9 | - The required Python packages installed: azure-identity and requests. (The json and os modules are part of Python's standard library and need no installation.)
10 |
11 | ## Setup
12 | 1. Clone the repository or download the script file to your local machine.
13 | 2. Install the required Python packages by running the following command in your terminal or command prompt:
14 | ```bash
16 | pip install azure-identity requests
17 | ```
18 |
19 | ## Configuration
20 | Open the script file and provide the necessary configuration details in the designated placeholders:
21 |
22 | ```Python
23 | credential = ClientSecretCredential(
24 | tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID
25 | client_id='Place your Client ID Here', # Your Application Client ID
26 | client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text
27 | )
28 |
29 | hostname = "example.com" # Replace with your domain
30 | ```
31 | Replace the placeholder values with your Azure AD tenant ID, application client ID, and Client Secret. You obtain the Client ID and Client Secret when you register an App within Azure Active Directory; grant that registration only the Microsoft Graph permission the notebook needs (`ThreatIntelligence.Read.All`, with admin consent) and nothing more.
32 |
33 | As with the other notebooks in this repository, ensure that your client secret is properly secured — for example, read it from an environment variable or a secret store such as Azure Key Vault — and never stored in plain text or committed to source control.
34 |
35 | ## Usage
36 | Open Jupyter Notebook on your local machine.
37 | Open the MDTI WHOIS Jupyter Notebook.
38 | Run the script cell by cell, following the instructions and comments provided.
39 | The script will retrieve the WHOIS Information for the specified entity and print the JSON response from the API.
40 |
41 | ## Results
42 | The script prints a JSON response from the API containing WHOIS information for the specified domain.
43 |
44 | ## Disclaimer
45 | This script is provided as-is and without warranty. Use it at your own risk. The script interacts with the Microsoft Graph Security API and utilizes your Azure AD credentials to retrieve WHOIS information. Make sure you have the necessary permissions and follow Microsoft's security best practices when handling authentication credentials.
46 |
48 | ## Additional Information
49 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
50 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
51 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
52 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
53 |
54 | ## Author:
55 | Dennis Mercer\
56 | CXE MDTI\
57 | Microsoft Security
58 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Hostpairs/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI HostPair Jupyter Notebook
2 |
3 | MDTI HostPairs Notebook is a Jupyter Notebook Python script that utilizes the Microsoft Graph Security API to retrieve HostPair Information associated with a given entity.
4 |
5 | ## Prerequisites
6 | Before running the script, ensure you have the following:
7 |
8 | - Python 3.6+ installed on your system.
9 | - The required Python packages installed: azure-identity and requests. (The json and os modules are part of Python's standard library and need no installation.)
10 |
11 | ## Setup
12 | 1. Clone the repository or download the script file to your local machine.
13 | 2. Install the required Python packages by running the following command in your terminal or command prompt:
14 | ```bash
16 | pip install azure-identity requests
17 | ```
18 |
19 | ## Configuration
20 | Open the script file and provide the necessary configuration details in the designated placeholders:
21 |
22 | ```Python
23 | credential = ClientSecretCredential(
24 | tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID
25 | client_id='Place your Client ID Here', # Your Application Client ID
26 | client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text
27 | )
28 |
29 | hostname = "example.com" # Replace with your domain
30 | ```
31 | Replace the placeholder values with your Azure AD tenant ID, application client ID, and Client Secret. You obtain the Client ID and Client Secret when you register an App within Azure Active Directory; grant that registration only the Microsoft Graph permission the notebook needs (`ThreatIntelligence.Read.All`, with admin consent) and nothing more.
32 |
33 | As with the other notebooks in this repository, ensure that your client secret is properly secured — for example, read it from an environment variable or a secret store such as Azure Key Vault — and never stored in plain text or committed to source control.
34 |
35 | ## Usage
36 | Open Jupyter Notebook on your local machine.
37 | Open the MDTI HostPairs Jupyter Notebook.
38 | Run the script cell by cell, following the instructions and comments provided.
39 | The script will retrieve the HostPairs Information for the specified entity and print the JSON response from the API.
40 |
41 | ## Results
42 | The script prints a JSON response from the API containing HostPairs information for the specified domain.
43 |
44 | ## Disclaimer
45 | This script is provided as-is and without warranty. Use it at your own risk. The script interacts with the Microsoft Graph Security API and utilizes your Azure AD credentials to retrieve HostPairs information. Make sure you have the necessary permissions and follow Microsoft's security best practices when handling authentication credentials.
46 |
48 | ## Additional Information
49 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
50 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
51 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
52 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
53 |
54 | ## Author:
55 | Dennis Mercer\
56 | CXE MDTI\
57 | Microsoft Security
58 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_subdomains/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI Subdomains Jupyter Notebook
2 |
3 | MDTI Subdomains Notebook is a Jupyter Notebook Python script that utilizes the Microsoft Graph Security API to retrieve Subdomains Information associated with a given entity.
4 |
5 | ## Prerequisites
6 | Before running the script, ensure you have the following:
7 |
8 | - Python 3.6+ installed on your system.
9 | - The required Python packages installed: azure-identity and requests. (The json and os modules are part of Python's standard library and need no installation.)
10 |
11 | ## Setup
12 | 1. Clone the repository or download the script file to your local machine.
13 | 2. Install the required Python packages by running the following command in your terminal or command prompt:
14 | ```bash
16 | pip install azure-identity requests
17 | ```
18 |
19 | ## Configuration
20 | Open the script file and provide the necessary configuration details in the designated placeholders:
21 |
22 | ```Python
23 | credential = ClientSecretCredential(
24 | tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID
25 | client_id='Place your Client ID Here', # Your Application Client ID
26 | client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text
27 | )
28 |
29 | hostname = "example.com" # Replace with your domain
30 | ```
31 | Replace the placeholder values with your Azure AD tenant ID, application client ID, and Client Secret. You obtain the Client ID and Client Secret when you register an App within Azure Active Directory; grant that registration only the Microsoft Graph permission the notebook needs (`ThreatIntelligence.Read.All`, with admin consent) and nothing more.
32 |
33 | As with the other notebooks in this repository, ensure that your client secret is properly secured — for example, read it from an environment variable or a secret store such as Azure Key Vault — and never stored in plain text or committed to source control.
34 |
35 | ## Usage
36 | Open Jupyter Notebook on your local machine.
37 | Open the MDTI Subdomains Jupyter Notebook.
38 | Run the script cell by cell, following the instructions and comments provided.
39 | The script will retrieve the Subdomains Information for the specified entity and print the JSON response from the API.
40 |
41 | ## Results
42 | The script prints a JSON response from the API containing Subdomains information for the specified domain.
43 |
44 | ## Disclaimer
45 | This script is provided as-is and without warranty. Use it at your own risk. The script interacts with the Microsoft Graph Security API and utilizes your Azure AD credentials to retrieve Subdomains information. Make sure you have the necessary permissions and follow Microsoft's security best practices when handling authentication credentials.
46 |
48 | ## Additional Information
49 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
50 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
51 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
52 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
53 |
54 | ## Author:
55 | Dennis Mercer\
56 | CXE MDTI\
57 | Microsoft Security
58 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_SSLCerts/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI SSL Certificate Jupyter Notebook
2 |
3 | MDTI SSL Certificate Notebook is a Jupyter Notebook Python script that utilizes the Microsoft Graph Security API to retrieve SSL Certificates associated with a given entity.
4 |
5 | ## Prerequisites
6 | Before running the script, ensure you have the following:
7 |
8 | - Python 3.6+ installed on your system.
9 | - The required Python packages installed: azure-identity and requests. (The json and os modules are part of Python's standard library and need no installation.)
10 |
11 | ## Setup
12 | 1. Clone the repository or download the script file to your local machine.
13 | 2. Install the required Python packages by running the following command in your terminal or command prompt:
14 | ```bash
16 | pip install azure-identity requests
17 | ```
18 |
19 | ## Configuration
20 | Open the script file and provide the necessary configuration details in the designated placeholders:
21 |
22 | ```Python
24 | credential = ClientSecretCredential(
25 | tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID
26 | client_id='Place your Client ID Here', # Your Application Client ID
27 | client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text
28 | )
29 |
30 | hostname = "example.com" # Replace with your domain
31 | ```
32 | Replace the placeholder values with your Azure AD tenant ID, application client ID, and Client Secret. You obtain the Client ID and Client Secret when you register an App within Azure Active Directory; grant that registration only the Microsoft Graph permission the notebook needs (`ThreatIntelligence.Read.All`, with admin consent) and nothing more.
33 |
34 | As with the other notebooks in this repository, ensure that your client secret is properly secured — for example, read it from an environment variable or a secret store such as Azure Key Vault — and never stored in plain text or committed to source control.
35 |
36 | ## Usage
37 | Open Jupyter Notebook on your local machine.
38 | Open the MDTI SSL Certificate Jupyter Notebook.
39 | Run the script cell by cell, following the instructions and comments provided.
40 | The script will retrieve all known SSL Certificates for the specified entity and print the JSON response from the API.
41 |
42 | ## Results
43 | The script prints a JSON response from the API containing the SSL certificates known for the specified entity, including the certificate properties and associated entities.
44 |
45 | ## Disclaimer
46 | This script is provided as-is and without warranty. Use it at your own risk. The script interacts with the Microsoft Graph Security API and utilizes your Azure AD credentials to retrieve SSL certificate information. Make sure you have the necessary permissions and follow Microsoft's security best practices when handling authentication credentials.
47 |
49 | ## Additional Information
50 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
51 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
52 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
53 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
54 |
55 | ## Author:
56 | Dennis Mercer\
57 | CXE MDTI\
58 | Microsoft Security
59 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Components/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI Host Component Information Retrieval Jupyter Notebook
2 |
3 | MDTI Host Component Information Retrieval is a Python script that utilizes the Microsoft Graph Security API to retrieve host component information for a given domain.
4 |
5 | ## Prerequisites
6 | Before running the script, ensure you have the following:
7 |
8 | - Python 3.6+ installed on your system.
9 | - The required Python packages installed: azure-identity and requests. (The json and os modules are part of Python's standard library and need no installation.)
10 |
11 | ## Setup
12 | 1. Clone the repository or download the script file to your local machine.
13 | 2. Install the required Python packages by running the following command in your terminal or command prompt:
14 | ```bash
16 | pip install azure-identity requests
17 | ```
18 |
19 | ## Configuration
20 | Open the script file and provide the necessary configuration details in the designated placeholders:
21 |
22 | ```Python
24 | credential = ClientSecretCredential(
25 | tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID
26 | client_id='Place your Client ID Here', # Your Application Client ID
27 | client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text
28 | )
29 |
30 | hostname = "example.com" # Replace with your domain
31 | ```
32 | Replace the placeholder values with your Azure AD tenant ID, application client ID, and Client Secret. You obtain the Client ID and Client Secret when you register an App within Azure Active Directory; grant that registration only the Microsoft Graph permission the notebook needs (`ThreatIntelligence.Read.All`, with admin consent) and nothing more.
33 |
34 | As with the other notebooks in this repository, ensure that your client secret is properly secured — for example, read it from an environment variable or a secret store such as Azure Key Vault — and never stored in plain text or committed to source control.
35 |
36 | ## Usage
37 | Open Jupyter Notebook on your local machine.
38 | Open the MDTI Host Component Information Retrieval script file.
39 | Run the script cell by cell, following the instructions and comments provided.
40 | The script will retrieve host component information for the specified domain and print the JSON response from the API.
41 |
42 | ## Results
43 | The script prints a JSON response from the API containing host component information for the specified domain. This information includes properties of the host and associated entities.
44 |
45 | ## Disclaimer
46 | This script is provided as-is and without warranty. Use it at your own risk. The script interacts with the Microsoft Graph Security API and utilizes your Azure AD credentials to retrieve host component information. Make sure you have the necessary permissions and follow Microsoft's security best practices when handling authentication credentials.
47 |
49 | ## Additional Information
50 | Azure Libraries for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview \
51 | Microsoft Graph SDK Overview: https://learn.microsoft.com/en-us/graph/sdks/sdks-overview \
52 | Microsoft Learn Threat Intelligence Graph API: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0 \
53 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
54 |
55 | ## Author:
56 | Dennis Mercer\
57 | CXE MDTI\
58 | Microsoft Security
59 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_SSLCerts/MDTI_Certs.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Microsoft Defender Threat Intelligence\n",
8 | "## Jupyter NoteBook using the MDTI to return the SSL Certificates DataSet.\n",
9 | "## Author:\n",
10 | "Dennis Mercer\\\n",
11 | "Sr Program Manager\\\n",
12 | "Microsoft CxE MDTI\n",
13 | "\n",
14 | "#### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
15 | "#### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
16 | "#### With this Jupyter Notebook, you can call the SSL Certificate Endpoint and return the SSL Certificate Information for a single entity. Additionally, you can modify this notebook to call additional endpoints.\n",
17 | "___________________________________________________________________________________________________________________________________________"
18 | ]
19 | },
20 | {
21 | "cell_type": "code",
22 | "execution_count": null,
23 | "metadata": {},
24 | "outputs": [],
25 | "source": [
26 | "import os\n",
27 | "import requests\n",
28 | "import json\n",
29 | "from azure.identity import ClientSecretCredential\n",
30 | "\n",
31 | "# Create the ClientSecretCredential\n",
32 | "credential = ClientSecretCredential(\n",
33 | " tenant_id= 'Enter your TenantId',\n",
34 | " client_id='Enter your ClientID',\n",
35 | " client_secret='Enter your Client Secret'\n",
36 | ")\n",
37 | "\n",
38 | "# Get the access token\n",
39 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
40 | "# Prepare the request headers\n",
41 | "headers = {\n",
42 | " 'Authorization': 'Bearer ' + access_token,\n",
43 | " 'Content-Type': 'application/json'\n",
44 | "}\n",
45 | "\n",
46 | "# Getting user input and making the Graph API call\n",
47 | "hosts = input(\"Please enter the IP address or Domain Name (e.g., 'microsoft.com'): \")\n",
48 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/sslcertificates\"\n",
49 | "\n",
50 | "response = requests.get(ENDPOINT, headers=headers)\n",
51 | "\n",
52 | "if response.status_code == 200:\n",
53 | " data = response.json()\n",
54 | " print(json.dumps(data, indent=4))\n",
55 | "else:\n",
56 | " print(f\"Error {response.status_code}: {response.text}\")"
57 | ]
58 | }
59 | ],
60 | "metadata": {
61 | "language_info": {
62 | "name": "python"
63 | },
64 | "orig_nbformat": 4
65 | },
66 | "nbformat": 4,
67 | "nbformat_minor": 2
68 | }
69 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_WHOIS/MDTI_WHOIS.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Microsoft Defender Threat Intelligence\n",
8 | "## Jupyter NoteBook using the MDTI to return the WHOIS DataSet.\n",
9 | "## Author:\n",
10 | "Dennis Mercer\\\n",
11 | "Sr Program Manager\\\n",
12 | "Microsoft CxE MDTI\n",
13 | "\n",
14 | "#### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
15 | "#### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
16 | "#### With this Jupyter Notebook, you can call the WHOIS Endpoint and return the WHOIS Information for a single entity. Additionally, you can modify this notebook to call additional endpoints.\n",
17 | "___________________________________________________________________________________________________________________________________________"
18 | ]
19 | },
20 | {
21 | "cell_type": "code",
22 | "execution_count": null,
23 | "metadata": {},
24 | "outputs": [],
25 | "source": [
26 | "import os\n",
27 | "import requests\n",
28 | "import json\n",
29 | "from azure.identity import ClientSecretCredential\n",
30 | "\n",
31 | "credential = ClientSecretCredential(\n",
32 | " tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID\n",
33 | " client_id='Place your Client ID Here', # Your Application Client ID\n",
34 | " client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text\n",
35 | ")\n",
36 | "\n",
37 | "# Get the access token\n",
38 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
39 | "# Prepare the request headers\n",
40 | "headers = {\n",
41 | " 'Authorization': 'Bearer ' + access_token,\n",
42 | " 'Content-Type': 'application/json'\n",
43 | "}\n",
44 | "\n",
45 | "# Getting user input and making the Graph API call\n",
46 | "hosts = input(\"Please enter the IP address or Domain Name (e.g., 'microsoft.com'): \")\n",
47 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/WHOIS\"\n",
48 | "\n",
49 | "response = requests.get(ENDPOINT, headers=headers)\n",
50 | "\n",
51 | "if response.status_code == 200:\n",
52 | " data = response.json()\n",
53 | " print(json.dumps(data, indent=4))\n",
54 | "else:\n",
55 | " print(f\"Error {response.status_code}: {response.text}\")"
56 | ]
57 | }
58 | ],
59 | "metadata": {
60 | "language_info": {
61 | "name": "python"
62 | },
63 | "orig_nbformat": 4
64 | },
65 | "nbformat": 4,
66 | "nbformat_minor": 2
67 | }
68 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Hostpairs/MDTI_HostPairs.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Microsoft Defender Threat Intelligence\n",
8 | "## Jupyter NoteBook using the MDTI to return the HostPairs DataSet.\n",
9 | "## Author:\n",
10 | "Dennis Mercer\\\n",
11 | "Sr Program Manager\\\n",
12 | "Microsoft CxE MDTI\n",
13 | "\n",
14 | "#### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
15 | "#### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
16 | "#### With this Jupyter Notebook, you can call the HostPairs Endpoint and return the HostPairs Information for a single entity. Additionally, you can modify this notebook to call additional endpoints.\n",
17 | "___________________________________________________________________________________________________________________________________________"
18 | ]
19 | },
20 | {
21 | "cell_type": "code",
22 | "execution_count": null,
23 | "metadata": {},
24 | "outputs": [],
25 | "source": [
26 | "import os\n",
27 | "import requests\n",
28 | "import json\n",
29 | "from azure.identity import ClientSecretCredential\n",
30 | "\n",
31 | "credential = ClientSecretCredential(\n",
32 | " tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID\n",
33 | " client_id='Place your Client ID Here', # Your Application Client ID\n",
34 | " client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text\n",
35 | ")\n",
36 | "\n",
37 | "# Get the access token\n",
38 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
39 | "# Prepare the request headers\n",
40 | "headers = {\n",
41 | " 'Authorization': 'Bearer ' + access_token,\n",
42 | " 'Content-Type': 'application/json'\n",
43 | "}\n",
44 | "\n",
45 | "# Getting user input and making the Graph API call\n",
46 | "hosts = input(\"Please enter the IP address or Domain Name (e.g., 'microsoft.com'): \")\n",
47 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/hostpairs\"\n",
48 | "\n",
49 | "response = requests.get(ENDPOINT, headers=headers)\n",
50 | "\n",
51 | "if response.status_code == 200:\n",
52 | " data = response.json()\n",
53 | " print(json.dumps(data, indent=4))\n",
54 | "else:\n",
55 | " print(f\"Error {response.status_code}: {response.text}\")"
56 | ]
57 | }
58 | ],
59 | "metadata": {
60 | "language_info": {
61 | "name": "python"
62 | },
63 | "orig_nbformat": 4
64 | },
65 | "nbformat": 4,
66 | "nbformat_minor": 2
67 | }
68 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_subdomains/MDTI_Subdomains.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Microsoft Defender Threat Intelligence\n",
8 | "## Jupyter NoteBook using the MDTI to return the Subdomains DataSet.\n",
9 | "## Author:\n",
10 | "Dennis Mercer\\\n",
11 | "Sr Program Manager\\\n",
12 | "Microsoft CxE MDTI\n",
13 | "\n",
14 | "#### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
15 | "#### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
16 | "#### With this Jupyter Notebook, you can call the Subdomains Endpoint and return the Subdomains Information for a single entity. Additionally, you can modify this notebook to use additional endpoints.\n",
17 | "___________________________________________________________________________________________________________________________________________"
18 | ]
19 | },
20 | {
21 | "cell_type": "code",
22 | "execution_count": null,
23 | "metadata": {},
24 | "outputs": [],
25 | "source": [
26 | "import os\n",
27 | "import requests\n",
28 | "import json\n",
29 | "from azure.identity import ClientSecretCredential\n",
30 | "\n",
31 | "credential = ClientSecretCredential(\n",
32 | " tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID\n",
33 | " client_id='Place your Client ID Here', # Your Application Client ID\n",
34 | " client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text\n",
35 | ")\n",
36 | "\n",
37 | "# Get the access token\n",
38 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
39 | "# Prepare the request headers\n",
40 | "headers = {\n",
41 | " 'Authorization': 'Bearer ' + access_token,\n",
42 | " 'Content-Type': 'application/json'\n",
43 | "}\n",
44 | "\n",
45 | "# Getting user input and making the Graph API call\n",
46 | "hosts = input(\"Please enter the IP address or Domain Name (e.g., 'microsoft.com'): \")\n",
47 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/Subdomains\"\n",
48 | "\n",
49 | "response = requests.get(ENDPOINT, headers=headers)\n",
50 | "\n",
51 | "if response.status_code == 200:\n",
52 | " data = response.json()\n",
53 | " print(json.dumps(data, indent=4))\n",
54 | "else:\n",
55 | " print(f\"Error {response.status_code}: {response.text}\")"
56 | ]
57 | }
58 | ],
59 | "metadata": {
60 | "language_info": {
61 | "name": "python"
62 | },
63 | "orig_nbformat": 4
64 | },
65 | "nbformat": 4,
66 | "nbformat_minor": 2
67 | }
68 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Cookies/MDTI_Cookies.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Microsoft Defender Threat Intelligence\n",
8 | "## Jupyter NoteBook using the MDTI to return the Cookies DataSet.\n",
9 | "## Author:\n",
10 | "Dennis Mercer\\\n",
11 | "Sr Program Manager\\\n",
12 | "Microsoft CxE MDTI\\\n",
13 | "\n",
14 | "#### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
15 | "#### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
16 | "#### With this Jupyter Notebook, you can call the Cookies Endpoint and return the Cookies for a single entity. Additionally, you can use additional APIs to create additional datasets for your notebook.\n",
17 | "___________________________________________________________________________________________________________________________________________"
18 | ]
19 | },
20 | {
21 | "cell_type": "markdown",
22 | "metadata": {},
23 | "source": [
24 | "##### List of libraries and packages to import"
25 | ]
26 | },
27 | {
28 | "cell_type": "code",
29 | "execution_count": null,
30 | "metadata": {},
31 | "outputs": [],
32 | "source": [
33 | "import os\n",
34 | "import requests\n",
35 | "import json\n",
36 | "from azure.identity import ClientSecretCredential"
37 | ]
38 | },
39 | {
40 | "cell_type": "code",
41 | "execution_count": null,
42 | "metadata": {},
43 | "outputs": [],
44 | "source": [
45 | "# Create the ClientSecretCredential\n",
46 | "credential = ClientSecretCredential(\n",
47 | " tenant_id= 'Enter your TenantId', # Enter your TenantID\n",
48 | " client_id='Enter your ClientID', # ClientId from the App Registration\n",
49 | " client_secret= 'Enter your client_secret' # You can use different ways to set this variable; it should never be exposed outside this environment\n",
50 | ")\n",
51 | "\n",
52 | "# Get the access token\n",
53 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
54 | "\n",
55 | "# Prepare the request headers\n",
56 | "headers = {\n",
57 | " 'Authorization': 'Bearer ' + access_token,\n",
58 | " 'Content-Type': 'application/json'\n",
59 | "}\n",
60 | "\n",
61 | "# Getting user input and making the Graph API call\n",
62 | "hosts = input(\"Please enter the IP address or Domain Name (e.g., 'microsoft.com'): \")\n",
63 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/cookies\"\n",
64 | "\n",
65 | "response = requests.get(ENDPOINT, headers=headers)\n",
66 | "\n",
67 | "if response.status_code == 200:\n",
68 | " data = response.json()\n",
69 | " print(json.dumps(data, indent=4))\n",
70 | "else:\n",
71 | " print(f\"Error {response.status_code}: {response.text}\")"
72 | ]
73 | }
74 | ],
75 | "metadata": {
76 | "kernelspec": {
77 | "display_name": "Python 3",
78 | "language": "python",
79 | "name": "python3"
80 | },
81 | "language_info": {
82 | "name": "python",
83 | "version": "3.10.11"
84 | },
85 | "orig_nbformat": 4
86 | },
87 | "nbformat": 4,
88 | "nbformat_minor": 2
89 | }
90 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Trackers/MDTI_Trackers.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Microsoft Defender Threat Intelligence\n",
8 | "## Jupyter NoteBook using the MDTI to return the Trackers DataSet.\n",
9 | "## Author:\n",
10 | "Dennis Mercer\\\n",
11 | "Sr Program Manager\\\n",
12 | "Microsoft CxE MDTI\\\n",
13 | "\n",
14 | "#### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
15 | "#### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
16 | "#### With this Jupyter Notebook, you can call the Trackers Endpoint and return the Trackers for a single entity. Additionally, you can use additional APIs to create additional datasets for your notebook.\n",
17 | "___________________________________________________________________________________________________________________________________________"
18 | ]
19 | },
20 | {
21 | "cell_type": "markdown",
22 | "metadata": {},
23 | "source": [
24 | "##### List of libraries and packages to import"
25 | ]
26 | },
27 | {
28 | "cell_type": "code",
29 | "execution_count": null,
30 | "metadata": {},
31 | "outputs": [],
32 | "source": [
33 | "import os\n",
34 | "import requests\n",
35 | "import json\n",
36 | "from azure.identity import ClientSecretCredential"
37 | ]
38 | },
39 | {
40 | "cell_type": "code",
41 | "execution_count": null,
42 | "metadata": {},
43 | "outputs": [],
44 | "source": [
45 | "# Create the ClientSecretCredential\n",
46 | "credential = ClientSecretCredential(\n",
47 | " tenant_id= 'Enter your TenantId', # Enter your TenantID\n",
48 | " client_id='Enter your ClientID', # ClientId from the App Registration\n",
49 | " client_secret= 'Enter your client_secret' # You can use different ways to set this variable; it should never be exposed outside this environment\n",
50 | ")\n",
51 | "\n",
52 | "# Get the access token\n",
53 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
54 | "\n",
55 | "# Prepare the request headers\n",
56 | "headers = {\n",
57 | " 'Authorization': 'Bearer ' + access_token,\n",
58 | " 'Content-Type': 'application/json'\n",
59 | "}\n",
60 | "\n",
61 | "# Getting user input and making the Graph API call\n",
62 | "hosts = input(\"Please enter the IP address or Domain Name (e.g., 'microsoft.com'): \")\n",
63 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/trackers\"\n",
64 | "\n",
65 | "response = requests.get(ENDPOINT, headers=headers)\n",
66 | "\n",
67 | "if response.status_code == 200:\n",
68 | " data = response.json()\n",
69 | " print(json.dumps(data, indent=4))\n",
70 | "else:\n",
71 | " print(f\"Error {response.status_code}: {response.text}\")"
72 | ]
73 | }
74 | ],
75 | "metadata": {
76 | "kernelspec": {
77 | "display_name": "Python 3",
78 | "language": "python",
79 | "name": "python3"
80 | },
81 | "language_info": {
82 | "name": "python",
83 | "version": "3.10.11"
84 | },
85 | "orig_nbformat": 4
86 | },
87 | "nbformat": 4,
88 | "nbformat_minor": 2
89 | }
90 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Reputation/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI Heatmap Jupyter Notebook
2 |
3 | MDTI Heatmap Jupyter Notebook is a Python script that utilizes the Microsoft Graph Security API to retrieve and analyze passive DNS information for a given domain. This notebook generates a heatmap visualization to display the first and last seen dates of various DNS record types (NS, SOA, AAAA) associated with the specified domain.
4 |
5 | ## Prerequisites
6 |
7 | Before running the notebook, ensure you have the following:
8 |
9 | - Python 3.x installed on your system.
10 | - The required Python packages installed: `azure-identity`, `msgraph-sdk-security`, `pandas`, `matplotlib`, `bokeh` and `seaborn`.
11 |
12 | ## Setup
13 |
14 | 1. Clone the repository or download the notebook file to your local machine.
15 | 2. Install the required Python packages by running the following command in your terminal or command prompt:
16 |
17 | ```bash
18 | pip install azure-identity msgraph-sdk-security pandas matplotlib bokeh seaborn
19 | ```
20 |
21 | ## Configuration
22 |
23 | Open the notebook file and provide the necessary configuration details in the designated placeholders:
24 |
25 | ```Python
26 | credential = ClientSecretCredential(
27 | tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID
28 | client_id='Place your Client ID Here', # Your Application Client ID
29 | client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text
30 | )
31 |
32 | scopes = ['https://graph.microsoft.com/.default'] # Scopes or permissions required for API access
33 | ```
34 |
35 | Replace the placeholder values with your Azure AD tenant ID, application client ID, and Client Secret. The Client ID and Client Secret are obtained when you register an app in Azure Active Directory.
36 |
37 | It's important to ensure that your client secret is properly secured and not stored in plain text. You can place the Client Secret in the Notebook cell when running the Notebook and remove it after use; clear the cell before saving, since a saved notebook retains its cell contents. You can also use Azure Key Vault (https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts)
38 |
39 | You can also use a file outside of the Notebook to hold the Client Secret and call it in this manner:
40 | ```Python
41 | # Read the client secret from a text file
42 | with open("client_secret.txt", "r") as f:
43 | client_secret = f.read().strip()
44 |
45 | # Set the client secret as an environment variable
46 | os.environ["CLIENT_SECRET"] = client_secret
47 | ```
48 |
49 | ## Usage
50 | Open Jupyter Notebook on your local machine.
51 | Open the MDTI Heatmap Jupyter Notebook file.
52 | Run the notebook cell by cell, following the instructions and comments provided.
53 | When prompted, enter the domain you want to analyze and proceed to the next cell.
54 | The notebook will retrieve passive DNS information for the specified domain and generate a heatmap visualization.
55 | The heatmap will be displayed, showing the first seen and last seen dates of DNS records.
56 | ## Results
57 | The notebook generates a heatmap that represents the occurrence count of DNS records over time. Each cell in the heatmap corresponds to a specific combination of "First Seen" and "Last Seen" dates for a particular DNS record type. The color intensity in each cell indicates the count of occurrences.
58 |
59 | The generated heatmap will be displayed within the notebook.
60 |
61 |
62 | ## Disclaimer
63 | This notebook is provided as-is and without warranty. Use it at your own risk. The notebook interacts with the Microsoft Graph Security API and utilizes your Azure AD credentials to retrieve passive DNS information. Make sure you have the necessary permissions and follow Microsoft's security best practices when handling authentication credentials.
64 |
65 | ## Additional Information
66 | For information on Azure Libraries (SDK) for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview
67 |
68 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
69 |
70 |
71 | ## Author:
72 | Dennis Mercer\
73 | CXE MDTI\
74 | Microsoft Security
--------------------------------------------------------------------------------
/Notebooks/MDTI_TypoSquat/readme.md:
--------------------------------------------------------------------------------
1 | # OpenSquat API Script
2 |
3 | This repository contains a modified version of the OpenSquat API script. The script allows you to fetch and check the reputation of domains using the OpenSquat API and Microsoft Graph Security API in a Jupyter Notebook environment.
4 |
5 | ## Prerequisites
6 | Before using the script, make sure you have the following prerequisites:
7 |
8 | * OpenSquat API Key: Obtain an API key from OpenSquat and replace 'Enter your OpenSquart API Key' with your actual API key in the script.
9 | * Azure Tenant ID, App Client ID, and Client Secret: You need these credentials to authenticate and access the Microsoft Graph Security API. Replace 'Enter your Azure Tenant ID', 'Enter your App Client ID', and 'Enter your Client Secret' with your actual credentials in the script.
10 |
11 | ## Setup
12 |
13 | 1. Clone the repository or download the notebook file to your local machine.
14 | 2. Install the required Python packages by running the following command in your terminal or command prompt:
15 |
16 | ```python
17 | pip install azure-identity pandas
18 | ```
19 | ## Configuration
20 |
21 | Open the notebook file and provide the necessary configuration details in the designated placeholders:
22 |
23 | ```Python
24 | credential = ClientSecretCredential(
25 | tenant_id='Place your Tenant ID Here', # Your Azure AD tenant ID
26 | client_id='Place your Client ID Here', # Your Application Client ID
27 | client_secret='Place your client secret Here' # Your application client Secret which should never be stored in plain text
28 | )
29 |
30 | scopes = ['https://graph.microsoft.com/.default'] # Scopes or permissions required for API access
31 | ```
32 |
33 | Replace the placeholder values with your Azure AD tenant ID, application client ID, and Client Secret. The Client ID and Client Secret are obtained when you register an app in Azure Active Directory.
34 |
35 | It's important to ensure that your client secret is properly secured and not stored in plain text. You can place the Client Secret in the Notebook cell when running the Notebook and remove it after use; clear the cell before saving, since a saved notebook retains its cell contents. You can also use Azure Key Vault (https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts)
36 |
37 | You can also use a file outside of the Notebook to hold the Client Secret and call it in this manner:
38 | ```Python
39 | # Read the client secret from a text file
40 | with open("client_secret.txt", "r") as f:
41 | client_secret = f.read().strip()
42 |
43 | # Set the client secret as an environment variable
44 | os.environ["CLIENT_SECRET"] = client_secret
45 | ```
46 |
47 |
48 | ## Usage
49 | 1. Download and open the Jupyter Notebook file (opensquat_api_script.ipynb) in Jupyter Notebook or JupyterLab.
50 |
51 | 2. In the Notebook, locate the following variables at the top of the code cells:
52 |
53 | * X-RapidAPI-Key: Replace 'Enter your OpenSquart API Key' with your actual OpenSquat API key.
54 | * tenant_id: Replace 'Enter your Azure Tenant ID' with your Azure Tenant ID.
55 | * client_id: Replace 'Enter your App Client ID' with your App Client ID.
56 | * client_secret: Replace 'Enter your Client Secret' with your Client Secret.
57 | 3. Run each code cell in the Notebook sequentially by selecting the cell and clicking the "Run" button or using the keyboard shortcut.
58 |
59 | 4. When prompted, enter the keyword you want to search for.
60 |
61 | 5. The script will fetch the domains related to the keyword using the OpenSquat API. It will then check the reputation of each domain using the Microsoft Graph Security API.
62 |
63 | 6. The reputation and score of each domain will be displayed in the output of the Notebook.
64 |
65 | ## Disclaimer
66 | This notebook is provided as-is and without warranty. Use it at your own risk. The notebook interacts with the Microsoft Graph Security API and utilizes your Azure AD credentials to retrieve domain reputation information. Make sure you have the necessary permissions and follow Microsoft's security best practices when handling authentication credentials.
67 |
68 | ## Additional Information
69 | For information on Azure Libraries (SDK) for Python: https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-overview
70 |
71 | What's New: APIs in Microsoft Graph: https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350
72 |
73 | ## Author
74 | Dennis Mercer\
75 | Sr Program Manager\
76 | Microsoft CxE\
77 | Microsoft Defender Threat Intelligence
78 |
--------------------------------------------------------------------------------
/MDTIPlaybooks/MDTIFeed-Anomali/readme.md:
--------------------------------------------------------------------------------
1 | # MDTI Feed To Anomali playbook
2 |
3 | ## Overview
4 | The key objective of this Logic App integration is to provide enrichment into Anomali from MDTI. It uses a few of the datasets available within MDTI's broad range of data.
5 | • Use the IoC feeds provided by MDTI within Anomali to show whether artefacts surfaced in Anomali have suspicious activity associated with them.
6 | • Use the reputation score to show whether artefacts have been identified by Microsoft as having a poor or bad reputation.
7 | o Value: As mentioned, threat intelligence collection will always have gaps, and providers will differ in what they have seen. The value this provides is that, when an artifact surfaced within Anomali appears in one of the MDTI IoC feeds or has a poor reputation, that enrichment can be added to Anomali to show that Microsoft has identified malicious activity associated with the artifact.
8 | • IoCs vs Artifacts – Both of these refer to infrastructure like an IP address, host or domain. A subtle difference to note is that an artifact is something observed which is not necessarily associated with malicious activity, whereas an IoC is known to be associated with malicious activity.
9 |
10 |
11 | ## Prerequisites
12 | 1. Microsoft Sentinel Log analytics workspace (https://learn.microsoft.com/en-us/azure/sentinel/overview)
13 | 2. Enabled Microsoft Defender Threat Intelligence Data Connector (https://learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector)
14 | 3. Azure Logic Apps (https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview)
15 | 4. Microsoft Defender Threat Intelligence API Access and Client App Registered (https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-apis-in-microsoft-graph/ba-p/3780350)
16 | 5. Anomali ThreatStream API Credentials (https://www.anomali.com/marketplace/sdks)
17 |
18 |
19 | ## Deployment
20 |
21 |
22 |
24 |
25 |
26 |
28 |
29 |
30 |
31 | ## Post-Deployment Instructions
32 | After deploying the playbook, you must authorize the API connections it uses.
33 |
34 | 1. Visit the playbook resource.
35 | 2. Under "Development Tools" (located on the left), click "API Connections".
36 | 3. Ensure each connection has been authorized.
37 |
38 |
39 | ## Steps to follow
40 | Integration Steps: Sending Defender Threat Intelligence to Anomali ThreatStream:
41 | The process of sending Defender Threat Intelligence content to Anomali ThreatStream involves the following steps:
42 | 1. In your Microsoft Sentinel environment, go to the Data connectors tab, find the Microsoft Defender Threat Intelligence connector and connect the source.
43 |
44 | Once the data connector is connected, you can confirm the MDTI Data feeds are successfully being sent by pivoting to the threat intelligence blade. You can see it here:
45 |
46 | Figure: MDTI Indicators on Microsoft Sentinel Threat intelligence blade
47 | 2. To proceed, you need to deploy the logic app which is available on the MDTI GitHub Link. You can find the Deploy to Azure Button on the page and clicking on it will prompt you to provide certain parameters.
48 | Once you have input the parameters, proceed to review and create. Once this has been done, run the logic App.
49 |
50 | 3. Once you run the logic app, it queries the Log Analytics workspace and filters the MDTI feeds for IP addresses and hosts. It then runs a reputation lookup against MDTI and, depending on your scoring parameter selection, returns the IoCs above a certain reputation score. The result is then sent as a POST request to Anomali ThreatStream. A successful run of the Logic App and the expected result can be seen below:
51 |
52 | 4. The POST request sends the indicator to Anomali ThreatStream and, depending on the rules set in Anomali ThreatStream (auto approval or set approval), the indicator is displayed, allowing the user to approve the indicator for installation in ThreatStream.
53 |
54 |
55 |
56 |
57 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Components/MDTI_Components.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# **Microsoft Defender Threat Intelligence**\n",
8 | "\n",
9 | "## Jupyter NoteBook using the MDTI to return the Components DataSet. \n",
10 | "\n",
11 | "#### Author: \n",
12 | "Dennis Mercer \n",
13 | "Sr Program Manager \n",
14 | "Microsoft CxE MDTI \n",
15 | "\n",
16 | "##### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
17 | "\n",
18 | "##### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
19 | "\n",
20 | "##### With this Jupyter Notebook, you can call the Components Endpoint and return the Components for a single entity. Additionally, you can use additional APIs to create additional datasets for your notebook.\n",
21 | "\n"
22 | ]
23 | },
24 | {
25 | "cell_type": "markdown",
26 | "metadata": {},
27 | "source": [
28 | "________________________________________________________________________________________________________________________________________________________\n",
29 | "### Import statements for the calls in the cells below and for any modifications you make to this notebook"
30 | ]
31 | },
32 | {
33 | "cell_type": "code",
34 | "execution_count": null,
35 | "metadata": {},
36 | "outputs": [],
37 | "source": [
38 | "import asyncio\n",
39 | "from azure.identity.aio import ClientSecretCredential\n",
40 | "from kiota_authentication_azure.azure_identity_authentication_provider import AzureIdentityAuthenticationProvider\n",
41 | "from msgraph import GraphRequestAdapter\n",
42 | "from msgraph import GraphServiceClient\n",
43 | "from IPython.display import display\n",
44 | "import ipywidgets as widgets\n",
45 | "from azure.identity import ClientSecretCredential\n",
46 | "import requests\n",
47 | "import json\n"
48 | ]
49 | },
50 | {
51 | "cell_type": "markdown",
52 | "metadata": {},
53 | "source": [
54 | "### This cell will return the JSON response for a single entity (Domain or IP Address)."
55 | ]
56 | },
57 | {
58 | "cell_type": "code",
59 | "execution_count": null,
60 | "metadata": {},
61 | "outputs": [],
62 | "source": [
63 | "\n",
64 | "\n",
65 | "# client_secret must already be defined (e.g. read from a local file or Key Vault) before this cell runs\n",
66 | "credential = ClientSecretCredential(\n",
67 | " tenant_id='Enter your TenantID', # Tenant ID\n",
68 | " client_id='Enter your App ClientID', # ClientID from app registration \n",
69 | " client_secret= client_secret # You should not leave the client secret exposed, delete the secret once you have used it or employ Key Vault\n",
70 | ")\n",
71 | "\n",
72 | "# get access token\n",
73 | "token = credential.get_token('https://graph.microsoft.com/.default')\n",
74 | "access_token = token.token\n",
75 | "\n",
76 | "# Define the hostname (i.e., the domain you're interested in)\n",
77 | "hostname = \"example.com\" # Replace with your domain\n",
78 | "\n",
79 | "# Graph API base URL\n",
80 | "graph_api_base_url = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/{hostname}/components\"\n",
81 | "\n",
82 | "# Create headers with Authorization token\n",
83 | "headers = {\n",
84 | " \"Authorization\": f\"Bearer {access_token}\",\n",
85 | " \"Content-Type\": \"application/json\"\n",
86 | "}\n",
87 | "\n",
88 | "# Send GET request to Graph API endpoint\n",
89 | "response = requests.get(graph_api_base_url, headers=headers)\n",
90 | "\n",
91 | "# Check for HTTP errors\n",
92 | "try:\n",
93 | " response.raise_for_status()\n",
94 | "except requests.exceptions.HTTPError as http_err:\n",
95 | " print(f\"HTTP error occurred: {http_err}\")\n",
96 | "except Exception as err:\n",
97 | " print(f\"Other error occurred: {err}\")\n",
98 | "else:\n",
99 | " # Print response content as JSON\n",
100 | " print(json.dumps(json.loads(response.content), indent=4))\n"
101 | ]
102 | }
103 | ],
104 | "metadata": {
105 | "kernelspec": {
106 | "display_name": "Python 3",
107 | "language": "python",
108 | "name": "python3"
109 | },
110 | "language_info": {
111 | "codemirror_mode": {
112 | "name": "ipython",
113 | "version": 3
114 | },
115 | "file_extension": ".py",
116 | "mimetype": "text/x-python",
117 | "name": "python",
118 | "nbconvert_exporter": "python",
119 | "pygments_lexer": "ipython3",
120 | "version": "3.10.11"
121 | },
122 | "orig_nbformat": 4
123 | },
124 | "nbformat": 4,
125 | "nbformat_minor": 2
126 | }
127 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Reputation/MDTI_Reputation.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# **Microsoft Defender Threat Intelligence**\n",
8 | "\n",
9 | "## Jupyter NoteBook using the MDTI to return the Reputation DataSet. There is an example of a single domain/ip address entity and then an example of a bulk Reputation return for classification as well as score.\n",
10 | "\n",
11 | "#### Author: \n",
12 | "Dennis Mercer \n",
13 | "Sr Program Manager \n",
14 | "Microsoft CxE MDTI \n",
15 | "\n",
16 | "##### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
17 | "\n",
18 | "##### Microsoft processes over 65-trillion signals every day, which is used to populate the database which MDTI pulls datasets of threat intelligence. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analyst, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
19 | "\n",
20 | "##### With this Jupyter Notebook, you can call the Reputation Endpoint and return the reputation classification and score. Additionally, you can use additional APIs to create additional datasets for your notebook.\n",
21 | "\n"
22 | ]
23 | },
24 | {
25 | "cell_type": "markdown",
26 | "metadata": {},
27 | "source": [
28 | "_________________________________________________________________________________________________________________________________________________________\n",
29 | "### You will need to install aiohttp and msal for the bulk Reputation request."
30 | ]
31 | },
32 | {
33 | "cell_type": "code",
34 | "execution_count": null,
35 | "metadata": {},
36 | "outputs": [],
37 | "source": [
38 | "pip install aiohttp msal"
39 | ]
40 | },
41 | {
42 | "cell_type": "markdown",
43 | "metadata": {},
44 | "source": [
45 | "________________________________________________________________________________________________________________________________________________________\n",
46 | "### Import statements for the calls in the cells below and for any modifications you make to this notebook"
47 | ]
48 | },
49 | {
50 | "cell_type": "code",
51 | "execution_count": null,
52 | "metadata": {},
53 | "outputs": [],
54 | "source": [
55 | "import os\n",
56 | "import requests\n",
57 | "import json\n",
58 | "from azure.identity import ClientSecretCredential"
59 | ]
60 | },
61 | {
62 | "cell_type": "markdown",
63 | "metadata": {},
64 | "source": [
65 | "### This cell will return the JSON response for a single entity (Domain or IP Address)."
66 | ]
67 | },
68 | {
69 | "cell_type": "code",
70 | "execution_count": null,
71 | "metadata": {},
72 | "outputs": [],
73 | "source": [
74 | "# The client secret is expected to have been loaded into the client_secret variable (e.g. from a local file) before this cell runs; it is not read here\n",
75 | "credential = ClientSecretCredential(\n",
76 | " tenant_id='Enter your TenantID', # Tenant ID\n",
77 | " client_id='Enter your App ClientID', # ClientID from app registration \n",
78 | " client_secret= client_secret # You should not leave the client secret exposed, delete the secret once you have used it or employ Key Vault\n",
79 | ")\n",
80 | "\n",
81 | "scopes = ['https://graph.microsoft.com/.default'] # Scopes or permissions required for API access\n",
82 | "\n",
83 | "# Get the access token\n",
84 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
85 | "# Prepare the request headers\n",
86 | "headers = {\n",
87 | " 'Authorization': 'Bearer ' + access_token,\n",
88 | " 'Content-Type': 'application/json'\n",
89 | "}\n",
90 | "\n",
91 | "# Getting user input and making the Graph API call\n",
92 | "hosts = input(\"Please enter the IP address or Domain Name (e.g., 'microsoft.com'): \")\n",
93 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/reputation\"\n",
94 | "\n",
95 | "response = requests.get(ENDPOINT, headers=headers)\n",
96 | "\n",
97 | "if response.status_code == 200:\n",
98 | " data = response.json()\n",
99 | " print(json.dumps(data, indent=4))\n",
100 | "else:\n",
101 | " print(f\"Error {response.status_code}: {response.text}\")\n"
102 | ]
103 | }
104 | ],
105 | "metadata": {
106 | "kernelspec": {
107 | "display_name": "Python 3",
108 | "language": "python",
109 | "name": "python3"
110 | },
111 | "language_info": {
112 | "codemirror_mode": {
113 | "name": "ipython",
114 | "version": 3
115 | },
116 | "file_extension": ".py",
117 | "mimetype": "text/x-python",
118 | "name": "python",
119 | "nbconvert_exporter": "python",
120 | "pygments_lexer": "ipython3",
121 | "version": "3.10.11"
122 | },
123 | "orig_nbformat": 4
124 | },
125 | "nbformat": 4,
126 | "nbformat_minor": 2
127 | }
128 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_Article/MDTI_Article.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# Microsoft Defender Threat Intelligence\n",
8 | "## Jupyter NoteBook using the MDTI to return Threat Intelligence Articles.\n",
9 | "## Author:\n",
10 | "Dennis Mercer\\\n",
11 | "Sr Program Manager\\\n",
12 | "Microsoft CxE MDTI\\\n",
13 | "\n",
14 | "#### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
15 | "#### Microsoft processes over 65-trillion signals every day, which are used to populate the database from which MDTI pulls threat intelligence datasets. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analysts, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
16 | "#### With this Jupyter Notebook, you can call the Articles Endpoint and return articles by article ID (e.g. '2a83d4e7') or by Threat Group name (e.g. 'Mint Sandstorm'). Additionally, you can use other APIs to create further datasets for your notebook.\n",
17 | "___________________________________________________________________________________________________________________________________________"
18 | ]
19 | },
20 | {
21 | "cell_type": "markdown",
22 | "metadata": {},
23 | "source": [
24 | "#### List of libraries and packages to import"
25 | ]
26 | },
27 | {
28 | "cell_type": "code",
29 | "execution_count": null,
30 | "metadata": {},
31 | "outputs": [],
32 | "source": [
33 | "import os\n",
34 | "import requests\n",
35 | "import json\n",
36 | "from azure.identity import ClientSecretCredential"
37 | ]
38 | },
39 | {
40 | "cell_type": "markdown",
41 | "metadata": {},
42 | "source": [
43 | "#### To query by Article ID"
44 | ]
45 | },
46 | {
47 | "cell_type": "code",
48 | "execution_count": null,
49 | "metadata": {},
50 | "outputs": [],
51 | "source": [
52 | "# Create the ClientSecretCredential\n",
53 | "credential = ClientSecretCredential(\n",
54 | " tenant_id= 'Enter your TenantId', # Enter your TenantID\n",
55 | " client_id='Enter your ClientID', # ClientId from the App Registration\n",
56 | " client_secret= 'Enter your client_secret' # You can set this variable in different ways; it should never be exposed outside your environment\n",
57 | ")\n",
58 | "\n",
59 | "# Get the access token\n",
60 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
61 | "\n",
62 | "# Prepare the request headers\n",
63 | "headers = {\n",
64 | " 'Authorization': 'Bearer ' + access_token,\n",
65 | " 'Content-Type': 'application/json'\n",
66 | "}\n",
67 | "\n",
68 | "# Getting user input and making the Graph API call\n",
69 | "articleId = input(\"Please enter the article id (e.g., '2a83d4e7'): \")\n",
70 | "ENDPOINT = f\"https://graph.microsoft.com/v1.0/security/threatIntelligence/articles/{articleId}\"\n",
71 | "\n",
72 | "response = requests.get(ENDPOINT, headers=headers)\n",
73 | "\n",
74 | "if response.status_code == 200:\n",
75 | " data = response.json()\n",
76 | " print(json.dumps(data, indent=4))\n",
77 | "else:\n",
78 | " print(f\"Error {response.status_code}: {response.text}\")"
79 | ]
80 | },
81 | {
82 | "cell_type": "markdown",
83 | "metadata": {},
84 | "source": [
85 | "#### To Query by Threat Actor name"
86 | ]
87 | },
88 | {
89 | "cell_type": "code",
90 | "execution_count": null,
91 | "metadata": {},
92 | "outputs": [],
93 | "source": [
94 | "# Create the ClientSecretCredential\n",
95 | "credential = ClientSecretCredential(\n",
96 | " tenant_id= 'Enter your TenantId', # Enter your TenantID\n",
97 | " client_id='Enter your ClientID', # ClientId from the App Registration\n",
98 | " client_secret= 'Enter your client_secret' # You can set this variable in different ways; it should never be exposed outside your environment\n",
99 | ")\n",
100 | "\n",
101 | "# Get the access token\n",
102 | "access_token = credential.get_token('https://graph.microsoft.com/.default').token\n",
103 | "\n",
104 | "# Prepare the request headers\n",
105 | "headers = {\n",
106 | " 'Authorization': 'Bearer ' + access_token,\n",
107 | " 'Content-Type': 'application/json'\n",
108 | "}\n",
109 | "\n",
110 | "# Getting user input and making the Graph API call\n",
111 | "groupname = input(\"Please enter the Threat Ground name (e.g., 'Mint Sandstorm'): \")\n",
112 | "ENDPOINT = f\"https://graph.microsoft.com/beta/security/threatIntelligence/articles?$count=true&$search={groupname}\"\n",
113 | "\n",
114 | "response = requests.get(ENDPOINT, headers=headers)\n",
115 | "\n",
116 | "if response.status_code == 200:\n",
117 | " data = response.json()\n",
118 | " print(json.dumps(data, indent=4))\n",
119 | "else:\n",
120 | " print(f\"Error {response.status_code}: {response.text}\")"
121 | ]
122 | }
123 | ],
124 | "metadata": {
125 | "kernelspec": {
126 | "display_name": "Python 3",
127 | "language": "python",
128 | "name": "python3"
129 | },
130 | "language_info": {
131 | "name": "python",
132 | "version": "3.10.11"
133 | },
134 | "orig_nbformat": 4
135 | },
136 | "nbformat": 4,
137 | "nbformat_minor": 2
138 | }
139 |
--------------------------------------------------------------------------------
/Notebooks/MDTI_TypoSquat/MDTI_TypoSquat.ipynb:
--------------------------------------------------------------------------------
1 | {
2 | "cells": [
3 | {
4 | "cell_type": "markdown",
5 | "metadata": {},
6 | "source": [
7 | "# **Microsoft Defender Threat Intelligence**\n",
8 | "\n",
9 | "## Jupyter NoteBook using the MDTI and OpenSquat to check for new domains that are potential typosquats, and then to run a reputation check on those domains.\n",
10 | "\n",
11 | "#### Author: \n",
12 | "Dennis Mercer \n",
13 | "Sr Program Manager \n",
14 | "Microsoft CxE MDTI \n",
15 | "\n",
16 | "##### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.\n",
17 | "\n",
18 | "##### Microsoft processes over 65-trillion signals every day, which are used to populate the database from which MDTI pulls threat intelligence datasets. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC Analysts, Threat Hunters and Cyber Threat Intelligence Researchers.\n",
19 | "\n",
20 | "##### With this Jupyter Notebook, you can call the Reputation Endpoint and return the reputation classification and score. Any domains that are returned by OpenSquat are then checked against the reputation endpoint. You can use another typosquatting service, but you will have to modify the code to enable that service provider. Additionally, you can use other APIs to create further datasets for your notebook.\n",
21 | "\n"
22 | ]
23 | },
24 | {
25 | "cell_type": "markdown",
26 | "metadata": {},
27 | "source": [
28 | "________________________________________________________________________________________________________________________________________________________\n",
29 | "### Import statements for any calls made within the cells below, and for any modifications you may make to the source of the typosquat services"
30 | ]
31 | },
32 | {
33 | "cell_type": "code",
34 | "execution_count": null,
35 | "metadata": {},
36 | "outputs": [],
37 | "source": [
38 | "import asyncio\n",
39 | "from azure.identity.aio import ClientSecretCredential\n",
40 | "from kiota_authentication_azure.azure_identity_authentication_provider import AzureIdentityAuthenticationProvider\n",
41 | "from msgraph import GraphRequestAdapter\n",
42 | "from msgraph import GraphServiceClient\n",
43 | "from IPython.display import display\n",
44 | "import ipywidgets as widgets\n",
45 | "from azure.identity import ClientSecretCredential\n",
46 | "import requests\n",
47 | "import pandas as pd\n",
48 | "import datetime\n",
49 | "from datetime import timedelta\n",
50 | "import matplotlib.pyplot as plt\n",
51 | "import seaborn as sns"
52 | ]
53 | },
54 | {
55 | "cell_type": "markdown",
56 | "metadata": {},
57 | "source": [
58 | "### You will need to add your own OpenSquat API Key as well as your Azure Tenant ID, Client ID, and Client Secret. For further information on the method for protecting your Client Secret, please review the readme file for this Notebook."
59 | ]
60 | },
61 | {
62 | "cell_type": "code",
63 | "execution_count": null,
64 | "metadata": {},
65 | "outputs": [],
66 | "source": [
67 | "# The modified OpenSquat API script\n",
68 | "def fetch_domains(keyword):\n",
69 | " url = f\"https://opensquat1.p.rapidapi.com/{keyword}\"\n",
70 | "\n",
71 | " headers = {\n",
72 | " \"X-RapidAPI-Key\": \"Enter your OpenSquart API Key\",\n",
73 | " \"X-RapidAPI-Host\": \"opensquat1.p.rapidapi.com\"\n",
74 | " }\n",
75 | "\n",
76 | " try:\n",
77 | " params = {\n",
78 | " \"q\": keyword\n",
79 | " }\n",
80 | " response = requests.get(url, headers=headers, params=params)\n",
81 | " response.raise_for_status() # Raise an exception for 4xx and 5xx status codes\n",
82 | " data = response.json()\n",
83 | "\n",
84 | " # Extracting the domains from the response\n",
85 | " domains = data.get(\"domains\")\n",
86 | " return domains\n",
87 | " except requests.exceptions.RequestException as error:\n",
88 | " print(error)\n",
89 | "\n",
90 | "# Replace the placeholder values below with your own tenant, client ID and client secret (e.g. loaded from a local file) before running this cell\n",
91 | "credential = ClientSecretCredential(\n",
92 | " tenant_id='Enter your Azure Tenant ID', \n",
93 | " client_id='Enter your App Client ID',\n",
94 | " client_secret = 'Enter your Client Secret' # You should not leave the client secret exposed; delete the secret once you have used it or employ Key Vault\n",
95 | ")\n",
96 | "\n",
97 | "scopes = ['https://graph.microsoft.com/.default'] # Scopes or permissions required for API access\n",
98 | "\n",
99 | "# The get_reputation function\n",
100 | "async def get_reputation(hostname: str):\n",
101 | " auth_provider = AzureIdentityAuthenticationProvider(credential, scopes=scopes)\n",
102 | " request_adapter = GraphRequestAdapter(auth_provider)\n",
103 | "\n",
104 | " client = GraphServiceClient(request_adapter)\n",
105 | "\n",
106 | " reputation = await client.security.threat_intelligence.hosts.by_host_id(hostname).reputation.get()\n",
107 | " if reputation:\n",
108 | " classification = str(reputation.classification).split('.')[-1] # Get only the classification part\n",
109 | " print(f\"The domain {hostname} is {classification} with a score of {reputation.score}\")\n",
110 | "\n",
111 | "try:\n",
112 | " loop = asyncio.get_running_loop()\n",
113 | "except RuntimeError: # 'RuntimeError: There is no current event loop...'\n",
114 | " loop = None\n",
115 | "\n",
116 | "# Use the fetch_domains function to get the list of domains\n",
117 | "keyword = input(\"Enter the keyword to search: \")\n",
118 | "domains = fetch_domains(keyword)\n",
119 | "\n",
120 | "print(\"Domains to check:\", domains) # Print the array of domains\n",
121 | "\n",
122 | "# Use the get_reputation function to get the reputation of the domains\n",
123 | "for domain in domains:\n",
124 | " if loop and loop.is_running():\n",
125 | " tsk = loop.create_task(get_reputation(domain))\n",
126 | " else:\n",
127 | " asyncio.run(get_reputation(domain))\n"
128 | ]
129 | }
130 | ],
131 | "metadata": {
132 | "language_info": {
133 | "name": "python"
134 | },
135 | "orig_nbformat": 4
136 | },
137 | "nbformat": 4,
138 | "nbformat_minor": 2
139 | }
140 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produce more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/Workbooks/MDTI-Workbook-Solution/azure_deploy_mdti_workbook.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "FunctionName": {
6 | "defaultValue": "MDTIWorkbook",
7 | "type": "string",
8 | "metadata": {
9 | "description": "Specifies the name of the Function App."
10 | }
11 | },
12 | "ClientID": {
13 | "type": "string",
14 | "metadata": {
15 | "description": "Specifies the Client ID."
16 | }
17 | },
18 | "ClientSecret": {
19 | "type": "securestring",
20 | "metadata": {
21 | "description": "Specifies the Client Secret."
22 | }
23 | }
24 | },
25 | "variables": {
26 | "FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
27 | "StorageAccountName": "[substring(variables('FunctionName'), 0, 22)]",
28 | "KeyVaultName": "[substring(variables('FunctionName'), 0, 22)]",
29 | "MDTIClientID": "MDTIClientID",
30 | "MDTIClientSecret": "MDTIClientSecret",
31 | "StorageSuffix": "[environment().suffixes.storage]",
32 | "TenantId": "[subscription().tenantId]"
33 | },
34 | "resources": [
35 | {
36 | "type": "Microsoft.Insights/components",
37 | "apiVersion": "2015-05-01",
38 | "name": "[variables('FunctionName')]",
39 | "location": "[resourceGroup().location]",
40 | "kind": "web",
41 | "properties": {
42 | "Application_Type": "web",
43 | "ApplicationId": "[variables('FunctionName')]"
44 | }
45 | },
46 | {
47 | "type": "Microsoft.Storage/storageAccounts",
48 | "apiVersion": "2019-06-01",
49 | "name": "[variables('StorageAccountName')]",
50 | "location": "[resourceGroup().location]",
51 | "sku": {
52 | "name": "Standard_LRS",
53 | "tier": "Standard"
54 | },
55 | "kind": "StorageV2",
56 | "properties": {
57 | "networkAcls": {
58 | "bypass": "AzureServices",
59 | "virtualNetworkRules": [],
60 | "ipRules": [],
61 | "defaultAction": "Allow"
62 | },
63 | "supportsHttpsTrafficOnly": true,
64 | "encryption": {
65 | "services": {
66 | "file": {
67 | "keyType": "Account",
68 | "enabled": true
69 | },
70 | "blob": {
71 | "keyType": "Account",
72 | "enabled": true
73 | }
74 | },
75 | "keySource": "Microsoft.Storage"
76 | }
77 | }
78 | },
79 | {
80 | "type": "Microsoft.Storage/storageAccounts/blobServices",
81 | "apiVersion": "2019-06-01",
82 | "name": "[concat(variables('StorageAccountName'), '/default')]",
83 | "dependsOn": [
84 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
85 | ],
86 | "sku": {
87 | "name": "Standard_LRS",
88 | "tier": "Standard"
89 | },
90 | "properties": {
91 | "cors": {
92 | "corsRules": []
93 | },
94 | "deleteRetentionPolicy": {
95 | "enabled": false
96 | }
97 | }
98 | },
99 | {
100 | "type": "Microsoft.Storage/storageAccounts/fileServices",
101 | "apiVersion": "2019-06-01",
102 | "name": "[concat(variables('StorageAccountName'), '/default')]",
103 | "dependsOn": [
104 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
105 | ],
106 | "sku": {
107 | "name": "Standard_LRS",
108 | "tier": "Standard"
109 | },
110 | "properties": {
111 | "cors": {
112 | "corsRules": []
113 | }
114 | }
115 | },
116 | {
117 | "type": "Microsoft.Web/sites",
118 | "apiVersion": "2018-11-01",
119 | "name": "[variables('FunctionName')]",
120 | "location": "[resourceGroup().location]",
121 | "dependsOn": [
122 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]",
123 | "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
124 | ],
125 | "kind": "functionapp",
126 | "identity": {
127 | "type": "SystemAssigned"
128 | },
129 | "properties": {
130 | "name": "[variables('FunctionName')]",
131 | "httpsOnly": true,
132 | "clientAffinityEnabled": true,
133 | "alwaysOn": true,
134 | "reserved": true,
135 | "siteConfig": {
136 | "powerShellVersion": "~7",
137 | "cors": {
138 | "allowedOrigins": [
139 | "https://portal.azure.com"
140 | ]
141 | }
142 | }
143 |
144 | },
145 | "resources": [
146 | {
147 | "apiVersion": "2018-11-01",
148 | "type": "config",
149 | "name": "appsettings",
150 | "dependsOn": [
151 | "[concat('Microsoft.Web/sites/', variables('FunctionName'))]",
152 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]",
153 | "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('MDTIClientSecret'))]",
154 | "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('MDTIClientID'))]"
155 | ],
156 | "properties": {
157 | "FUNCTIONS_EXTENSION_VERSION": "~4",
158 | "FUNCTIONS_WORKER_RUNTIME": "powershell",
159 | "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
160 | "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
161 | "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName')), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
162 | "clientId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('MDTIClientID')).secretUriWithVersion, ')')]",
163 | "clientSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('MDTIClientSecret')).secretUriWithVersion, ')')]",
164 | "tenantId": "[variables('TenantId')]",
165 | "Schedule": "0 */10 * * * *",
166 | "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/MDTI-Solutions/workbooks/MDTI-Workbook-Solution/mdtiwb.zip?raw=true"
167 |
168 |
169 | }
170 | }
171 | ]
172 | },
173 | {
174 | "type": "Microsoft.KeyVault/vaults",
175 | "apiVersion": "2016-10-01",
176 | "name": "[variables('KeyVaultName')]",
177 | "location": "[resourceGroup().location]",
178 | "dependsOn": [
179 | "[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
180 | ],
181 | "properties": {
182 | "sku": {
183 | "family": "A",
184 | "name": "Standard"
185 | },
186 | "tenantId": "[subscription().tenantId]",
187 | "accessPolicies": [
188 | {
189 | "tenantId": "[subscription().tenantId]",
190 | "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('FunctionName')),'2019-08-01', 'full').identity.principalId]",
191 | "permissions": {
192 | "secrets": [
193 | "get",
194 | "list"
195 | ]
196 | }
197 | }
198 | ],
199 | "enabledForDeployment": false,
200 | "enabledForDiskEncryption": false,
201 | "enabledForTemplateDeployment": true,
202 | "enableSoftDelete": true
203 | },
204 | "resources": [
205 | {
206 | "type": "secrets",
207 | "apiVersion": "2016-10-01",
208 | "name": "[variables('MDTIClientID')]",
209 | "dependsOn": [
210 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
211 | ],
212 | "properties": {
213 | "value": "[parameters('ClientID')]",
214 | "contentType": "string",
215 | "attributes": {
216 | "enabled": true
217 | }
218 | }
219 | },
220 | {
221 | "type": "secrets",
222 | "apiVersion": "2016-10-01",
223 | "name": "[variables('MDTIClientSecret')]",
224 | "dependsOn": [
225 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
226 | ],
227 | "properties": {
228 | "value": "[parameters('ClientSecret')]",
229 | "contentType": "string",
230 | "attributes": {
231 | "enabled": true
232 | }
233 | }
234 | }
235 | ]
236 | },
237 | {
238 | "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
239 | "apiVersion": "2019-06-01",
240 | "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-hosts')]",
241 | "dependsOn": [
242 | "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
243 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
244 | ],
245 | "properties": {
246 | "publicAccess": "None"
247 | }
248 | },
249 | {
250 | "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
251 | "apiVersion": "2019-06-01",
252 | "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-secrets')]",
253 | "dependsOn": [
254 | "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
255 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
256 | ],
257 | "properties": {
258 | "publicAccess": "None"
259 | }
260 | },
261 |
262 | {
263 | "type": "Microsoft.Resources/deployments",
264 | "apiVersion": "2021-04-01",
265 | "name": "linkedTemplate",
266 | "properties": {
267 | "mode": "Incremental",
268 | "templateLink": {
269 | "uri":"https://raw.githubusercontent.com/Azure/MDTI-Solutions/workbooks/MDTI-Workbook-Solution/MDTI_Workbook.json",
270 | "contentVersion":"1.0.0.0"
271 | }
272 | }
273 | }
274 | ]
275 | }
276 |
277 |
--------------------------------------------------------------------------------
/Workbooks/MDTI-Workbook-Solution/azuredeploy.json.bak:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "FunctionName": {
6 | "defaultValue": "MDTIWorkbook",
7 | "type": "string",
8 | "metadata": {
9 | "description": "Specifies the name of the Function App."
10 | }
11 | },
12 | "ClientID": {
13 | "type": "string",
14 | "metadata": {
15 | "description": "Specifies the Client ID."
16 | }
17 | },
18 | "ClientSecret": {
19 | "type": "securestring",
20 | "metadata": {
21 | "description": "Specifies Client Secret."
22 | }
23 | }
24 | },
25 | "variables": {
26 | "FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
27 | "StorageAccountName": "[substring(variables('FunctionName'), 0, 22)]",
28 | "KeyVaultName": "[substring(variables('FunctionName'), 0, 22)]",
29 | "MDTIClientID": "MDTIClientID",
30 | "MDTIClientSecret": "MDTIClientSecret",
31 | "StorageSuffix": "[environment().suffixes.storage]",
32 | "TenantId": "[subscription().tenantId]"
33 | },
34 | "resources": [
35 | {
36 | "type": "Microsoft.Insights/components",
37 | "apiVersion": "2015-05-01",
38 | "name": "[variables('FunctionName')]",
39 | "location": "[resourceGroup().location]",
40 | "kind": "web",
41 | "properties": {
42 | "Application_Type": "web",
43 | "ApplicationId": "[variables('FunctionName')]"
44 | }
45 | },
46 | {
47 | "type": "Microsoft.Storage/storageAccounts",
48 | "apiVersion": "2019-06-01",
49 | "name": "[variables('StorageAccountName')]",
50 | "location": "[resourceGroup().location]",
51 | "sku": {
52 | "name": "Standard_LRS",
53 | "tier": "Standard"
54 | },
55 | "kind": "StorageV2",
56 | "properties": {
57 | "networkAcls": {
58 | "bypass": "AzureServices",
59 | "virtualNetworkRules": [],
60 | "ipRules": [],
61 | "defaultAction": "Allow"
62 | },
63 | "supportsHttpsTrafficOnly": true,
64 | "encryption": {
65 | "services": {
66 | "file": {
67 | "keyType": "Account",
68 | "enabled": true
69 | },
70 | "blob": {
71 | "keyType": "Account",
72 | "enabled": true
73 | }
74 | },
75 | "keySource": "Microsoft.Storage"
76 | }
77 | }
78 | },
79 | {
80 | "type": "Microsoft.Storage/storageAccounts/blobServices",
81 | "apiVersion": "2019-06-01",
82 | "name": "[concat(variables('StorageAccountName'), '/default')]",
83 | "dependsOn": [
84 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
85 | ],
86 | "sku": {
87 | "name": "Standard_LRS",
88 | "tier": "Standard"
89 | },
90 | "properties": {
91 | "cors": {
92 | "corsRules": []
93 | },
94 | "deleteRetentionPolicy": {
95 | "enabled": false
96 | }
97 | }
98 | },
99 | {
100 | "type": "Microsoft.Storage/storageAccounts/fileServices",
101 | "apiVersion": "2019-06-01",
102 | "name": "[concat(variables('StorageAccountName'), '/default')]",
103 | "dependsOn": [
104 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
105 | ],
106 | "sku": {
107 | "name": "Standard_LRS",
108 | "tier": "Standard"
109 | },
110 | "properties": {
111 | "cors": {
112 | "corsRules": []
113 | }
114 | }
115 | },
116 | {
117 | "type": "Microsoft.Web/sites",
118 | "apiVersion": "2018-11-01",
119 | "name": "[variables('FunctionName')]",
120 | "location": "[resourceGroup().location]",
121 | "dependsOn": [
122 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]",
123 | "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
124 | ],
125 | "kind": "functionapp",
126 | "identity": {
127 | "type": "SystemAssigned"
128 | },
129 | "properties": {
130 | "name": "[variables('FunctionName')]",
131 | "httpsOnly": true,
132 | "clientAffinityEnabled": true,
133 | "alwaysOn": true,
134 | "reserved": true,
135 | "siteConfig": {
136 | "powerShellVersion": "~7",
137 | "cors": {
138 | "allowedOrigins": [
139 | "https://portal.azure.com"
140 | ]
141 | }
142 | }
143 |
144 | },
145 | "resources": [
146 | {
147 | "apiVersion": "2018-11-01",
148 | "type": "config",
149 | "name": "appsettings",
150 | "dependsOn": [
151 | "[concat('Microsoft.Web/sites/', variables('FunctionName'))]",
152 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]",
153 | "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('MDTIClientSecret'))]",
154 | "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('MDTIClientID'))]"
155 | ],
156 | "properties": {
157 | "FUNCTIONS_EXTENSION_VERSION": "~4",
158 | "FUNCTIONS_WORKER_RUNTIME": "powershell",
159 | "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
160 | "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
161 | "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName')), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
162 | "clientId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('MDTIClientID')).secretUriWithVersion, ')')]",
163 | "clientSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('MDTIClientSecret')).secretUriWithVersion, ')')]",
164 | "tenantId": "[variables('TenantId')]",
165 | "Schedule": "0 */10 * * * *",
166 | "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/MDTI-Solutions/tree/master/Workbooks/MDTI-Workbook-Solution/mdtiwb.zip?raw=true"
167 |
168 | }
169 | }
170 | ]
171 | },
172 | {
173 | "type": "Microsoft.KeyVault/vaults",
174 | "apiVersion": "2016-10-01",
175 | "name": "[variables('KeyVaultName')]",
176 | "location": "[resourceGroup().location]",
177 | "dependsOn": [
178 | "[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
179 | ],
180 | "properties": {
181 | "sku": {
182 | "family": "A",
183 | "name": "Standard"
184 | },
185 | "tenantId": "[subscription().tenantId]",
186 | "accessPolicies": [
187 | {
188 | "tenantId": "[subscription().tenantId]",
189 | "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('FunctionName')),'2019-08-01', 'full').identity.principalId]",
190 | "permissions": {
191 | "secrets": [
192 | "get",
193 | "list"
194 | ]
195 | }
196 | }
197 | ],
198 | "enabledForDeployment": false,
199 | "enabledForDiskEncryption": false,
200 | "enabledForTemplateDeployment": true,
201 | "enableSoftDelete": true
202 | },
203 | "resources": [
204 | {
205 | "type": "secrets",
206 | "apiVersion": "2016-10-01",
207 | "name": "[variables('MDTIClientID')]",
208 | "dependsOn": [
209 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
210 | ],
211 | "properties": {
212 | "value": "[parameters('ClientID')]",
213 | "contentType": "string",
214 | "attributes": {
215 | "enabled": true
216 | }
217 | }
218 | },
219 | {
220 | "type": "secrets",
221 | "apiVersion": "2016-10-01",
222 | "name": "[variables('MDTIClientSecret')]",
223 | "dependsOn": [
224 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
225 | ],
226 | "properties": {
227 | "value": "[parameters('ClientSecret')]",
228 | "contentType": "string",
229 | "attributes": {
230 | "enabled": true
231 | }
232 | }
233 | }
234 | ]
235 | },
236 | {
237 | "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
238 | "apiVersion": "2019-06-01",
239 | "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-hosts')]",
240 | "dependsOn": [
241 | "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
242 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
243 | ],
244 | "properties": {
245 | "publicAccess": "None"
246 | }
247 | },
248 | {
249 | "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
250 | "apiVersion": "2019-06-01",
251 | "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-secrets')]",
252 | "dependsOn": [
253 | "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
254 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
255 | ],
256 | "properties": {
257 | "publicAccess": "None"
258 | }
259 | },
260 |
261 | {
262 | "type": "Microsoft.Resources/deployments",
263 | "apiVersion": "2021-04-01",
264 | "name": "linkedTemplate",
265 | "properties": {
266 | "mode": "Incremental",
267 | "templateLink": {
268 | "uri":"https://raw.githubusercontent.com/Azure/MDTI-Solutions/master/Workbooks/MDTI-Workbook-Solution/MDTI_Workbook.json",
269 | "contentVersion":"1.0.0.0"
270 | }
271 | }
272 | }
273 | ]
274 | }
275 |
276 |
277 |
--------------------------------------------------------------------------------
/Workbooks/MDTI-Workbook-Solution/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "FunctionName": {
6 | "defaultValue": "MDTIWorkbook",
7 | "type": "string",
8 | "metadata": {
9 | "description": "Specifies the name of the Function App."
10 | }
11 | },
12 | "ClientID": {
13 | "type": "string",
14 | "metadata": {
15 | "description": "Specifies the Client ID."
16 | }
17 | },
18 | "ClientSecret": {
19 | "type": "securestring",
20 | "metadata": {
21 | "description": "Specifies Client Secret."
22 | }
23 | }
24 | },
25 | "variables": {
26 | "FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
27 | "StorageAccountName": "[substring(variables('FunctionName'), 0, 22)]",
28 | "KeyVaultName": "[substring(variables('FunctionName'), 0, 22)]",
29 | "MDTIClientID": "MDTIClientID",
30 | "MDTIClientSecret": "MDTIClientSecret",
31 | "StorageSuffix": "[environment().suffixes.storage]",
32 | "TenantId": "[subscription().tenantId]"
33 | },
34 | "resources": [
35 | {
36 | "type": "Microsoft.Insights/components",
37 | "apiVersion": "2015-05-01",
38 | "name": "[variables('FunctionName')]",
39 | "location": "[resourceGroup().location]",
40 | "kind": "web",
41 | "properties": {
42 | "Application_Type": "web",
43 | "ApplicationId": "[variables('FunctionName')]"
44 | }
45 | },
46 | {
47 | "type": "Microsoft.Storage/storageAccounts",
48 | "apiVersion": "2019-06-01",
49 | "name": "[variables('StorageAccountName')]",
50 | "location": "[resourceGroup().location]",
51 | "sku": {
52 | "name": "Standard_LRS",
53 | "tier": "Standard"
54 | },
55 | "kind": "StorageV2",
56 | "properties": {
57 | "networkAcls": {
58 | "bypass": "AzureServices",
59 | "virtualNetworkRules": [],
60 | "ipRules": [],
61 | "defaultAction": "Allow"
62 | },
63 | "supportsHttpsTrafficOnly": true,
64 | "encryption": {
65 | "services": {
66 | "file": {
67 | "keyType": "Account",
68 | "enabled": true
69 | },
70 | "blob": {
71 | "keyType": "Account",
72 | "enabled": true
73 | }
74 | },
75 | "keySource": "Microsoft.Storage"
76 | }
77 | }
78 | },
79 | {
80 | "type": "Microsoft.Storage/storageAccounts/blobServices",
81 | "apiVersion": "2019-06-01",
82 | "name": "[concat(variables('StorageAccountName'), '/default')]",
83 | "dependsOn": [
84 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
85 | ],
86 | "sku": {
87 | "name": "Standard_LRS",
88 | "tier": "Standard"
89 | },
90 | "properties": {
91 | "cors": {
92 | "corsRules": []
93 | },
94 | "deleteRetentionPolicy": {
95 | "enabled": false
96 | }
97 | }
98 | },
99 | {
100 | "type": "Microsoft.Storage/storageAccounts/fileServices",
101 | "apiVersion": "2019-06-01",
102 | "name": "[concat(variables('StorageAccountName'), '/default')]",
103 | "dependsOn": [
104 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
105 | ],
106 | "sku": {
107 | "name": "Standard_LRS",
108 | "tier": "Standard"
109 | },
110 | "properties": {
111 | "cors": {
112 | "corsRules": []
113 | }
114 | }
115 | },
116 | {
117 | "type": "Microsoft.Web/sites",
118 | "apiVersion": "2018-11-01",
119 | "name": "[variables('FunctionName')]",
120 | "location": "[resourceGroup().location]",
121 | "dependsOn": [
122 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]",
123 | "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
124 | ],
125 | "kind": "functionapp",
126 | "identity": {
127 | "type": "SystemAssigned"
128 | },
129 | "properties": {
130 | "name": "[variables('FunctionName')]",
131 | "httpsOnly": true,
132 | "clientAffinityEnabled": true,
133 | "alwaysOn": true,
134 | "reserved": true,
135 | "siteConfig": {
136 | "powerShellVersion": "~7",
137 | "cors": {
138 | "allowedOrigins": [
139 | "https://portal.azure.com"
140 | ]
141 | }
142 | }
143 |
144 | },
145 | "resources": [
146 | {
147 | "apiVersion": "2018-11-01",
148 | "type": "config",
149 | "name": "appsettings",
150 | "dependsOn": [
151 | "[concat('Microsoft.Web/sites/', variables('FunctionName'))]",
152 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]",
153 | "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('MDTIClientSecret'))]",
154 | "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('KeyVaultName'), variables('MDTIClientID'))]"
155 | ],
156 | "properties": {
157 | "FUNCTIONS_EXTENSION_VERSION": "~4",
158 | "FUNCTIONS_WORKER_RUNTIME": "powershell",
159 | "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
160 | "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
161 | "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('StorageAccountName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName')), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
162 | "clientId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('MDTIClientID')).secretUriWithVersion, ')')]",
163 | "clientSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('MDTIClientSecret')).secretUriWithVersion, ')')]",
164 | "tenantId": "[variables('TenantId')]",
165 | "Schedule": "0 */10 * * * *",
166 | "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/MDTI-Solutions/blob/master/Workbooks/MDTI-Workbook-Solution/mdtiwb.zip?raw=true"
167 |
168 |
169 | }
170 | }
171 | ]
172 | },
173 | {
174 | "type": "Microsoft.KeyVault/vaults",
175 | "apiVersion": "2016-10-01",
176 | "name": "[variables('KeyVaultName')]",
177 | "location": "[resourceGroup().location]",
178 | "dependsOn": [
179 | "[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
180 | ],
181 | "properties": {
182 | "sku": {
183 | "family": "A",
184 | "name": "Standard"
185 | },
186 | "tenantId": "[subscription().tenantId]",
187 | "accessPolicies": [
188 | {
189 | "tenantId": "[subscription().tenantId]",
190 | "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('FunctionName')),'2019-08-01', 'full').identity.principalId]",
191 | "permissions": {
192 | "secrets": [
193 | "get",
194 | "list"
195 | ]
196 | }
197 | }
198 | ],
199 | "enabledForDeployment": false,
200 | "enabledForDiskEncryption": false,
201 | "enabledForTemplateDeployment": true,
202 | "enableSoftDelete": true
203 | },
204 | "resources": [
205 | {
206 | "type": "secrets",
207 | "apiVersion": "2016-10-01",
208 | "name": "[variables('MDTIClientID')]",
209 | "dependsOn": [
210 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
211 | ],
212 | "properties": {
213 | "value": "[parameters('ClientID')]",
214 | "contentType": "string",
215 | "attributes": {
216 | "enabled": true
217 | }
218 | }
219 | },
220 | {
221 | "type": "secrets",
222 | "apiVersion": "2016-10-01",
223 | "name": "[variables('MDTIClientSecret')]",
224 | "dependsOn": [
225 | "[resourceId('Microsoft.KeyVault/vaults/', variables('KeyVaultName'))]"
226 | ],
227 | "properties": {
228 | "value": "[parameters('ClientSecret')]",
229 | "contentType": "string",
230 | "attributes": {
231 | "enabled": true
232 | }
233 | }
234 | }
235 | ]
236 | },
237 | {
238 | "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
239 | "apiVersion": "2019-06-01",
240 | "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-hosts')]",
241 | "dependsOn": [
242 | "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
243 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
244 | ],
245 | "properties": {
246 | "publicAccess": "None"
247 | }
248 | },
249 | {
250 | "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
251 | "apiVersion": "2019-06-01",
252 | "name": "[concat(variables('StorageAccountName'), '/default/azure-webjobs-secrets')]",
253 | "dependsOn": [
254 | "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('StorageAccountName'), 'default')]",
255 | "[resourceId('Microsoft.Storage/storageAccounts', variables('StorageAccountName'))]"
256 | ],
257 | "properties": {
258 | "publicAccess": "None"
259 | }
260 | },
261 |
262 | {
263 | "type": "Microsoft.Resources/deployments",
264 | "apiVersion": "2021-04-01",
265 | "name": "linkedTemplate",
266 | "properties": {
267 | "mode": "Incremental",
268 | "templateLink": {
269 | "uri":"https://raw.githubusercontent.com/Azure/MDTI-Solutions/master/Workbooks/MDTI-Workbook-Solution/MDTI_Workbook.json",
270 | "contentVersion":"1.0.0.0"
271 | }
272 | }
273 | }
274 | ]
275 | }
276 |
277 |
278 |
--------------------------------------------------------------------------------
/MDTIPlaybooks/ArticlesNewletter/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "PlaybookName": {
6 | "defaultValue": "ArticlesNewletter",
7 | "type": "string"
8 | },
9 | "ClientID": {
10 | "type": "string",
11 | "metadata": {
12 | "description": "Enter value for ClientID"
13 | }
14 | },
15 | "Secret": {
16 | "type": "string",
17 | "metadata": {
18 | "description": "Enter value for Secret"
19 | }
20 | },
21 | "Tenant": {
22 | "type": "string",
23 | "metadata": {
24 | "description": "Enter value for Tenant"
25 | }
26 | },
27 | "emailto": {
28 | "type": "string",
29 | "metadata": {
30 | "description": "Enter value for emailto"
31 | }
32 | }
33 | },
34 | "variables": {
35 | "Office365ConnectionName": "[concat('Office365-', parameters('PlaybookName'))]"
36 | },
37 | "resources": [
38 | {
39 | "properties": {
40 | "provisioningState": "Succeeded",
41 | "state": "Enabled",
42 | "definition": {
43 | "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
44 | "contentVersion": "1.0.0.0",
45 | "parameters": {
46 | "$connections": {
47 | "defaultValue": {
48 | },
49 | "type": "Object"
50 | },
51 | "ClientID": {
52 | "defaultValue": "[parameters('ClientID')]",
53 | "type": "string"
54 | },
55 | "Secret": {
56 | "defaultValue": "[parameters('Secret')]",
57 | "type": "string"
58 | },
59 | "Tenant": {
60 | "defaultValue": "[parameters('Tenant')]",
61 | "type": "string"
62 | },
63 | "emailto": {
64 | "defaultValue": "[parameters('emailto')]",
65 | "type": "string"
66 | }
67 | },
68 | "triggers": {
69 | "Recurrence": {
70 | "recurrence": {
71 | "frequency": "Day",
72 | "interval": 1
73 | },
74 | "evaluatedRecurrence": {
75 | "frequency": "Day",
76 | "interval": 1
77 | },
78 | "type": "Recurrence"
79 | }
80 | },
81 | "actions": {
82 | "Days": {
83 | "runAfter": {
84 | },
85 | "type": "InitializeVariable",
86 | "inputs": {
87 | "variables": [
88 | {
89 | "name": "Days",
90 | "type": "string",
91 | "value": "7"
92 | }
93 | ]
94 | }
95 | },
96 | "EmailTo": {
97 | "runAfter": {
98 | "application": [
99 | "Succeeded"
100 | ]
101 | },
102 | "type": "InitializeVariable",
103 | "inputs": {
104 | "variables": [
105 | {
106 | "name": "EmailTo",
107 | "type": "string"
108 | }
109 | ]
110 | }
111 | },
112 | "For_each": {
113 | "foreach": "@body('Parse_JSON')?['value']",
114 | "actions": {
115 | "Condition": {
116 | "actions": {
117 | "Append_to_array_variable": {
118 | "runAfter": {
119 | "Compose": [
120 | "Succeeded"
121 | ]
122 | },
123 | "type": "AppendToArrayVariable",
124 | "inputs": {
125 | "name": "article",
126 | "value": "@outputs('Compose')"
127 | }
128 | },
129 | "Compose": {
130 | "runAfter": {
131 | },
132 | "type": "Compose",
133 | "inputs": {
134 | "ArticleName": "@{items('For_each')?['title']}",
135 | "Article_URL": "https://ti.defender.microsoft.com/articles/@{items('For_each')['id']}",
136 | "Created Time ": "@{items('For_each')?['createdDateTime']}",
137 | "Tags ": "@{items('For_each')?['tags']}"
138 | }
139 | }
140 | },
141 | "runAfter": {
142 | },
143 | "expression": {
144 | "and": [
145 | {
146 | "greater": [
147 | "@items('For_each')?['createdDateTime']",
148 | "@variables('time')"
149 | ]
150 | }
151 | ]
152 | },
153 | "type": "If"
154 | },
155 | "Create_HTML_table": {
156 | "runAfter": {
157 | "Condition": [
158 | "Succeeded"
159 | ]
160 | },
161 | "type": "Table",
162 | "inputs": {
163 | "format": "HTML",
164 | "from": "@variables('article')"
165 | }
166 | },
167 | "Set_variable": {
168 | "runAfter": {
169 | "Create_HTML_table": [
170 | "Succeeded"
171 | ]
172 | },
173 | "type": "SetVariable",
174 | "inputs": {
175 | "name": "article2",
176 | "value": "@body('Create_HTML_table')"
177 | }
178 | }
179 | },
180 | "runAfter": {
181 | "Parse_JSON": [
182 | "Succeeded"
183 | ]
184 | },
185 | "type": "Foreach"
186 | },
187 | "Int_article": {
188 | "runAfter": {
189 | "LookBack_Time": [
190 | "Succeeded"
191 | ]
192 | },
193 | "type": "InitializeVariable",
194 | "inputs": {
195 | "variables": [
196 | {
197 | "name": "article",
198 | "type": "array"
199 | }
200 | ]
201 | }
202 | },
203 | "LookBack_Time": {
204 | "runAfter": {
205 | "EmailTo": [
206 | "Succeeded"
207 | ]
208 | },
209 | "type": "InitializeVariable",
210 | "inputs": {
211 | "variables": [
212 | {
213 | "name": "time",
214 | "type": "string",
215 | "value": "@{addDays(utcNow(),-7)}"
216 | }
217 | ]
218 | }
219 | },
220 | "Parse_JSON": {
221 | "runAfter": {
222 | "get_New_Articles": [
223 | "Succeeded"
224 | ]
225 | },
226 | "type": "ParseJson",
227 | "inputs": {
228 | "content": "@body('get_New_Articles')",
229 | "schema": {
230 | "properties": {
231 | "@@odata.context": {
232 | "type": "string"
233 | },
234 | "@@odata.nextLink": {
235 | "type": "string"
236 | },
237 | "value": {
238 | "items": {
239 | "properties": {
240 | "createdDateTime": {
241 | "type": "string"
242 | },
243 | "id": {
244 | "type": "string"
245 | },
246 | "tags": {
247 | "items": {
248 | "type": "string"
249 | },
250 | "type": "array"
251 | },
252 | "title": {
253 | "type": "string"
254 | }
255 | },
256 | "required": [
257 | "id",
258 | "createdDateTime",
259 | "title",
260 | "tags"
261 | ],
262 | "type": "object"
263 | },
264 | "type": "array"
265 | }
266 | },
267 | "type": "object"
268 | }
269 | }
270 | },
271 | "Secret": {
272 | "runAfter": {
273 | "Tenant": [
274 | "Succeeded"
275 | ]
276 | },
277 | "type": "InitializeVariable",
278 | "inputs": {
279 | "variables": [
280 | {
281 | "name": "secret",
282 | "type": "string",
283 | "value": "@parameters('Secret')"
284 | }
285 | ]
286 | }
287 | },
288 | "Send_an_email_(V2)": {
289 | "runAfter": {
290 | "For_each": [
291 | "Succeeded"
292 | ]
293 | },
294 | "type": "ApiConnection",
295 | "inputs": {
296 | "body": {
297 | "Body": "\u003cp\u003e@{variables('article2')}\u003c/p\u003e",
298 | "Importance": "Normal",
299 | "Subject": "New MDTI articles in the last @{variables('Days')} days.",
300 | "To": "@variables('EmailTo')"
301 | },
302 | "host": {
303 | "connection": {
304 | "name": "@parameters('$connections')['office365']['connectionId']"
305 | }
306 | },
307 | "method": "post",
308 | "path": "/v2/Mail"
309 | }
310 | },
311 | "Tenant": {
312 | "runAfter": {
313 | "Days": [
314 | "Succeeded"
315 | ]
316 | },
317 | "type": "InitializeVariable",
318 | "inputs": {
319 | "variables": [
320 | {
321 | "name": "Tenant",
322 | "type": "string",
323 | "value": "@parameters('Tenant')"
324 | }
325 | ]
326 | }
327 | },
328 | "application": {
329 | "runAfter": {
330 | "Secret": [
331 | "Succeeded"
332 | ]
333 | },
334 | "type": "InitializeVariable",
335 | "inputs": {
336 | "variables": [
337 | {
338 | "name": "application",
339 | "type": "string",
340 | "value": "@parameters('ClientID')"
341 | }
342 | ]
343 | }
344 | },
345 | "get_New_Articles": {
346 | "runAfter": {
347 | "int_article2": [
348 | "Succeeded"
349 | ]
350 | },
351 | "type": "Http",
352 | "inputs": {
353 | "authentication": {
354 | "audience": "https://graph.microsoft.com",
355 | "clientId": "@variables('application')",
356 | "secret": "@variables('secret')",
357 | "tenant": "@variables('Tenant')",
358 | "type": "ActiveDirectoryOAuth"
359 | },
360 | "method": "GET",
361 | "uri": "https://graph.microsoft.com/v1.0/security/threatIntelligence/articles?$sort=createdDateTime\u0026$top=50\u0026$select=title,tags,createdDateTime"
362 | }
363 | },
364 | "int_article2": {
365 | "runAfter": {
366 | "Int_article": [
367 | "Succeeded"
368 | ]
369 | },
370 | "type": "InitializeVariable",
371 | "inputs": {
372 | "variables": [
373 | {
374 | "name": "article2",
375 | "type": "string"
376 | }
377 | ]
378 | }
379 | }
380 | }
381 | },
382 | "parameters": {
383 | "$connections": {
384 | "value": {
385 | "office365": {
386 | "connectionId": "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]",
387 | "connectionName": "[variables('Office365ConnectionName')]",
388 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
389 | }
390 | }
391 | }
392 | }
393 | },
394 | "name": "[parameters('PlaybookName')]",
395 | "type": "Microsoft.Logic/workflows",
396 | "location": "[resourceGroup().location]",
397 | "tags": {
398 | "LogicAppsCategory": "security",
399 | "Source": "MDTI",
400 | "createddate": "04/19/2023",
401 | "owner": "ajaykallur"
402 | },
403 | "identity": {
404 | "type": "SystemAssigned"
405 | },
406 | "apiVersion": "2017-07-01",
407 | "dependsOn": [
408 | "[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]"
409 | ]
410 | },
411 | {
412 | "type": "Microsoft.Web/connections",
413 | "apiVersion": "2016-06-01",
414 | "name": "[variables('Office365ConnectionName')]",
415 | "location": "[resourceGroup().location]",
416 | "kind": "V1",
417 | "properties": {
418 | "displayName": "[variables('Office365ConnectionName')]",
419 | "customParameterValues": {
420 | },
421 | "api": {
422 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Office365')]"
423 | }
424 | }
425 | }
426 | ]
427 | }
428 |
--------------------------------------------------------------------------------
/Postman Collection/MDTI-Postman-Collection.json:
--------------------------------------------------------------------------------
1 | {
2 | "info": {
3 | "_postman_id": "7d6e9ae3-78f8-4aff-8b58-858338fcc204",
4 | "name": "Microsoft Graph (beta) - Threat Intelligence Copy",
5 | "description": "# Microsoft Graph (beta) - Threat Intelligence\n\nThis Postman collection contains example calls for the Microsoft Graph (beta) Threat Intelligence APIs. \n\nThese examples are meant to highlight and demonstrate possible capabilities of the APIs.\n\nThese APIs are in a Public Preview state.",
6 | "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
7 | "_exporter_id": "5909935"
8 | },
9 | "item": [
10 | {
11 | "name": "Host Data",
12 | "item": [
13 | {
14 | "name": "Hostname Data",
15 | "item": [
16 | {
17 | "name": "Host by Hostname",
18 | "event": [
19 | {
20 | "listen": "test",
21 | "script": {
22 | "exec": [
23 | ""
24 | ],
25 | "type": "text/javascript"
26 | }
27 | }
28 | ],
29 | "request": {
30 | "method": "GET",
31 | "header": [],
32 | "url": {
33 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/contoso.com",
34 | "protocol": "https",
35 | "host": [
36 | "graph",
37 | "microsoft",
38 | "com"
39 | ],
40 | "path": [
41 | "beta",
42 | "security",
43 | "threatIntelligence",
44 | "hosts",
45 | "contoso.com"
46 | ]
47 | }
48 | },
49 | "response": []
50 | },
51 | {
52 | "name": "Reputation for a Hostname",
53 | "event": [
54 | {
55 | "listen": "test",
56 | "script": {
57 | "exec": [
58 | ""
59 | ],
60 | "type": "text/javascript"
61 | }
62 | }
63 | ],
64 | "request": {
65 | "method": "GET",
66 | "header": [],
67 | "url": {
68 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/contoso.com/reputation",
69 | "protocol": "https",
70 | "host": [
71 | "graph",
72 | "microsoft",
73 | "com"
74 | ],
75 | "path": [
76 | "beta",
77 | "security",
78 | "threatIntelligence",
79 | "hosts",
80 | "contoso.com",
81 | "reputation"
82 | ]
83 | }
84 | },
85 | "response": []
86 | },
87 | {
88 | "name": "PassiveDns by Hostname",
89 | "event": [
90 | {
91 | "listen": "test",
92 | "script": {
93 | "exec": [
94 | ""
95 | ],
96 | "type": "text/javascript"
97 | }
98 | }
99 | ],
100 | "request": {
101 | "method": "GET",
102 | "header": [],
103 | "url": {
104 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/contoso.com/passiveDns?$count=true",
105 | "protocol": "https",
106 | "host": [
107 | "graph",
108 | "microsoft",
109 | "com"
110 | ],
111 | "path": [
112 | "beta",
113 | "security",
114 | "threatIntelligence",
115 | "hosts",
116 | "contoso.com",
117 | "passiveDns"
118 | ],
119 | "query": [
120 | {
121 | "key": "$count",
122 | "value": "true"
123 | }
124 | ]
125 | }
126 | },
127 | "response": []
128 | },
129 | {
130 | "name": "passiveDnsReverse by hostname",
131 | "event": [
132 | {
133 | "listen": "test",
134 | "script": {
135 | "exec": [
136 | ""
137 | ],
138 | "type": "text/javascript"
139 | }
140 | }
141 | ],
142 | "request": {
143 | "method": "GET",
144 | "header": [],
145 | "url": {
146 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/contoso.com/passiveDnsReverse?$count=true",
147 | "protocol": "https",
148 | "host": [
149 | "graph",
150 | "microsoft",
151 | "com"
152 | ],
153 | "path": [
154 | "beta",
155 | "security",
156 | "threatIntelligence",
157 | "hosts",
158 | "contoso.com",
159 | "passiveDnsReverse"
160 | ],
161 | "query": [
162 | {
163 | "key": "$count",
164 | "value": "true"
165 | }
166 | ]
167 | }
168 | },
169 | "response": []
170 | },
171 | {
172 | "name": "Components for a Hostname",
173 | "event": [
174 | {
175 | "listen": "test",
176 | "script": {
177 | "exec": [
178 | ""
179 | ],
180 | "type": "text/javascript"
181 | }
182 | }
183 | ],
184 | "request": {
185 | "method": "GET",
186 | "header": [],
187 | "url": {
188 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/contoso.com/components?$count=true",
189 | "protocol": "https",
190 | "host": [
191 | "graph",
192 | "microsoft",
193 | "com"
194 | ],
195 | "path": [
196 | "beta",
197 | "security",
198 | "threatIntelligence",
199 | "hosts",
200 | "contoso.com",
201 | "components"
202 | ],
203 | "query": [
204 | {
205 | "key": "$count",
206 | "value": "true"
207 | }
208 | ]
209 | }
210 | },
211 | "response": []
212 | },
213 | {
214 | "name": "Cookies for a Hostname",
215 | "event": [
216 | {
217 | "listen": "test",
218 | "script": {
219 | "exec": [
220 | ""
221 | ],
222 | "type": "text/javascript"
223 | }
224 | }
225 | ],
226 | "request": {
227 | "method": "GET",
228 | "header": [],
229 | "url": {
230 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/contoso.com/cookies?$count=true",
231 | "protocol": "https",
232 | "host": [
233 | "graph",
234 | "microsoft",
235 | "com"
236 | ],
237 | "path": [
238 | "beta",
239 | "security",
240 | "threatIntelligence",
241 | "hosts",
242 | "contoso.com",
243 | "cookies"
244 | ],
245 | "query": [
246 | {
247 | "key": "$count",
248 | "value": "true"
249 | }
250 | ]
251 | }
252 | },
253 | "response": []
254 | },
255 | {
256 | "name": "Trackers for a Hostname",
257 | "event": [
258 | {
259 | "listen": "test",
260 | "script": {
261 | "exec": [
262 | ""
263 | ],
264 | "type": "text/javascript"
265 | }
266 | }
267 | ],
268 | "request": {
269 | "method": "GET",
270 | "header": [],
271 | "url": {
272 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/contoso.com/trackers?$count=true",
273 | "protocol": "https",
274 | "host": [
275 | "graph",
276 | "microsoft",
277 | "com"
278 | ],
279 | "path": [
280 | "beta",
281 | "security",
282 | "threatIntelligence",
283 | "hosts",
284 | "contoso.com",
285 | "trackers"
286 | ],
287 | "query": [
288 | {
289 | "key": "$count",
290 | "value": "true"
291 | }
292 | ]
293 | }
294 | },
295 | "response": []
296 | }
297 | ]
298 | },
299 | {
300 | "name": "IP Address Data",
301 | "item": [
302 | {
303 | "name": "Host by IP Address",
304 | "event": [
305 | {
306 | "listen": "test",
307 | "script": {
308 | "exec": [
309 | ""
310 | ],
311 | "type": "text/javascript"
312 | }
313 | }
314 | ],
315 | "request": {
316 | "method": "GET",
317 | "header": [],
318 | "url": {
319 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/20.103.85.33",
320 | "protocol": "https",
321 | "host": [
322 | "graph",
323 | "microsoft",
324 | "com"
325 | ],
326 | "path": [
327 | "beta",
328 | "security",
329 | "threatIntelligence",
330 | "hosts",
331 | "20.103.85.33"
332 | ]
333 | }
334 | },
335 | "response": []
336 | },
337 | {
338 | "name": "Reputation for an IP Address",
339 | "event": [
340 | {
341 | "listen": "test",
342 | "script": {
343 | "exec": [
344 | ""
345 | ],
346 | "type": "text/javascript"
347 | }
348 | }
349 | ],
350 | "request": {
351 | "method": "GET",
352 | "header": [],
353 | "url": {
354 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/20.103.85.33/reputation",
355 | "protocol": "https",
356 | "host": [
357 | "graph",
358 | "microsoft",
359 | "com"
360 | ],
361 | "path": [
362 | "beta",
363 | "security",
364 | "threatIntelligence",
365 | "hosts",
366 | "20.103.85.33",
367 | "reputation"
368 | ]
369 | }
370 | },
371 | "response": []
372 | },
373 | {
374 | "name": "PassiveDns by IP Address",
375 | "event": [
376 | {
377 | "listen": "test",
378 | "script": {
379 | "exec": [
380 | ""
381 | ],
382 | "type": "text/javascript"
383 | }
384 | }
385 | ],
386 | "request": {
387 | "method": "GET",
388 | "header": [],
389 | "url": {
390 | "raw": "https://canary.graph.microsoft.com/testprodbetathreatIntelligenceAPIs/security/threatIntelligence/hosts('104.156.149.53')/pdns?$count=true",
391 | "protocol": "https",
392 | "host": [
393 | "canary",
394 | "graph",
395 | "microsoft",
396 | "com"
397 | ],
398 | "path": [
399 | "testprodbetathreatIntelligenceAPIs",
400 | "security",
401 | "threatIntelligence",
402 | "hosts('104.156.149.53')",
403 | "pdns"
404 | ],
405 | "query": [
406 | {
407 | "key": "$count",
408 | "value": "true"
409 | }
410 | ]
411 | }
412 | },
413 | "response": []
414 | },
415 | {
416 | "name": "passiveDnsReverse by IP Address",
417 | "event": [
418 | {
419 | "listen": "test",
420 | "script": {
421 | "exec": [
422 | ""
423 | ],
424 | "type": "text/javascript"
425 | }
426 | }
427 | ],
428 | "request": {
429 | "method": "GET",
430 | "header": [],
431 | "url": {
432 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/20.103.85.33/passiveDnsReverse?$count=true",
433 | "protocol": "https",
434 | "host": [
435 | "graph",
436 | "microsoft",
437 | "com"
438 | ],
439 | "path": [
440 | "beta",
441 | "security",
442 | "threatIntelligence",
443 | "hosts",
444 | "20.103.85.33",
445 | "passiveDnsReverse"
446 | ],
447 | "query": [
448 | {
449 | "key": "$count",
450 | "value": "true"
451 | }
452 | ]
453 | }
454 | },
455 | "response": []
456 | },
457 | {
458 | "name": "Components for an IP Address",
459 | "event": [
460 | {
461 | "listen": "test",
462 | "script": {
463 | "exec": [
464 | ""
465 | ],
466 | "type": "text/javascript"
467 | }
468 | }
469 | ],
470 | "request": {
471 | "method": "GET",
472 | "header": [],
473 | "url": {
474 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/20.103.85.33/components?$count=true",
475 | "protocol": "https",
476 | "host": [
477 | "graph",
478 | "microsoft",
479 | "com"
480 | ],
481 | "path": [
482 | "beta",
483 | "security",
484 | "threatIntelligence",
485 | "hosts",
486 | "20.103.85.33",
487 | "components"
488 | ],
489 | "query": [
490 | {
491 | "key": "$count",
492 | "value": "true"
493 | }
494 | ]
495 | }
496 | },
497 | "response": []
498 | },
499 | {
500 | "name": "Cookies for an IP Address",
501 | "event": [
502 | {
503 | "listen": "test",
504 | "script": {
505 | "exec": [
506 | ""
507 | ],
508 | "type": "text/javascript"
509 | }
510 | }
511 | ],
512 | "request": {
513 | "method": "GET",
514 | "header": [],
515 | "url": {
516 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/20.103.85.33/cookies?$count=true",
517 | "protocol": "https",
518 | "host": [
519 | "graph",
520 | "microsoft",
521 | "com"
522 | ],
523 | "path": [
524 | "beta",
525 | "security",
526 | "threatIntelligence",
527 | "hosts",
528 | "20.103.85.33",
529 | "cookies"
530 | ],
531 | "query": [
532 | {
533 | "key": "$count",
534 | "value": "true"
535 | }
536 | ]
537 | }
538 | },
539 | "response": []
540 | },
541 | {
542 | "name": "Trackers for an IP Address",
543 | "event": [
544 | {
545 | "listen": "test",
546 | "script": {
547 | "exec": [
548 | ""
549 | ],
550 | "type": "text/javascript"
551 | }
552 | }
553 | ],
554 | "request": {
555 | "method": "GET",
556 | "header": [],
557 | "url": {
558 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/20.103.85.33/trackers?$count=true",
559 | "protocol": "https",
560 | "host": [
561 | "graph",
562 | "microsoft",
563 | "com"
564 | ],
565 | "path": [
566 | "beta",
567 | "security",
568 | "threatIntelligence",
569 | "hosts",
570 | "20.103.85.33",
571 | "trackers"
572 | ],
573 | "query": [
574 | {
575 | "key": "$count",
576 | "value": "true"
577 | }
578 | ]
579 | }
580 | },
581 | "response": []
582 | }
583 | ]
584 | }
585 | ],
586 | "description": "# Host Data\n\nThese requests retrieve Microsoft Defender Threat Intelligence information about a host, looked up either by hostname (`contoso.com` in the examples) or by IP address, from the Microsoft Graph beta endpoint (`/beta/security/threatIntelligence/hosts/...`). All of them inherit the collection-level OAuth2 client-credentials auth, which reads `{{tenantId}}`, `{{clientId}}` and `{{clientSecret}}` from collection variables: keep the real client secret in a Postman environment or a vault rather than in those variables, so it is not carried along in an exported copy of this collection.\n\nNote: the **PassiveDns by IP Address** request still points at `https://canary.graph.microsoft.com/testprodbetathreatIntelligenceAPIs/.../hosts('104.156.149.53')/pdns`, an internal canary/test endpoint, unlike its hostname counterpart; use the production path `https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{ip}/passiveDns` instead."
587 | },
588 | {
589 | "name": "Articles",
590 | "item": [
591 | {
592 | "name": "List Articles",
593 | "event": [
594 | {
595 | "listen": "test",
596 | "script": {
597 | "exec": [
598 | ""
599 | ],
600 | "type": "text/javascript"
601 | }
602 | }
603 | ],
604 | "request": {
605 | "method": "GET",
606 | "header": [],
607 | "url": {
608 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/articles?$count=true",
609 | "protocol": "https",
610 | "host": [
611 | "graph",
612 | "microsoft",
613 | "com"
614 | ],
615 | "path": [
616 | "beta",
617 | "security",
618 | "threatIntelligence",
619 | "articles"
620 | ],
621 | "query": [
622 | {
623 | "key": "$count",
624 | "value": "true"
625 | }
626 | ]
627 | }
628 | },
629 | "response": []
630 | },
631 | {
632 | "name": "Single Article",
633 | "event": [
634 | {
635 | "listen": "test",
636 | "script": {
637 | "exec": [
638 | ""
639 | ],
640 | "type": "text/javascript"
641 | }
642 | }
643 | ],
644 | "request": {
645 | "method": "GET",
646 | "header": [],
647 | "url": {
648 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/articles/e0c5c210",
649 | "protocol": "https",
650 | "host": [
651 | "graph",
652 | "microsoft",
653 | "com"
654 | ],
655 | "path": [
656 | "beta",
657 | "security",
658 | "threatIntelligence",
659 | "articles",
660 | "e0c5c210"
661 | ]
662 | }
663 | },
664 | "response": []
665 | },
666 | {
667 | "name": "Single Article - Indicators",
668 | "event": [
669 | {
670 | "listen": "test",
671 | "script": {
672 | "exec": [
673 | ""
674 | ],
675 | "type": "text/javascript"
676 | }
677 | }
678 | ],
679 | "request": {
680 | "method": "GET",
681 | "header": [],
682 | "url": {
683 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/articles/e0c5c210/indicators?$count=true",
684 | "protocol": "https",
685 | "host": [
686 | "graph",
687 | "microsoft",
688 | "com"
689 | ],
690 | "path": [
691 | "beta",
692 | "security",
693 | "threatIntelligence",
694 | "articles",
695 | "e0c5c210",
696 | "indicators"
697 | ],
698 | "query": [
699 | {
700 | "key": "$count",
701 | "value": "true"
702 | }
703 | ]
704 | }
705 | },
706 | "response": []
707 | }
708 | ]
709 | },
710 | {
711 | "name": "Intel Profiles",
712 | "item": [
713 | {
714 | "name": "List Intel Profiles",
715 | "event": [
716 | {
717 | "listen": "test",
718 | "script": {
719 | "exec": [
720 | ""
721 | ],
722 | "type": "text/javascript"
723 | }
724 | }
725 | ],
726 | "request": {
727 | "method": "GET",
728 | "header": [],
729 | "url": {
730 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/intelProfiles?$count=true",
731 | "protocol": "https",
732 | "host": [
733 | "graph",
734 | "microsoft",
735 | "com"
736 | ],
737 | "path": [
738 | "beta",
739 | "security",
740 | "threatIntelligence",
741 | "intelProfiles"
742 | ],
743 | "query": [
744 | {
745 | "key": "$count",
746 | "value": "true"
747 | }
748 | ]
749 | }
750 | },
751 | "response": []
752 | },
753 | {
754 | "name": "Single Intel Profile",
755 | "event": [
756 | {
757 | "listen": "test",
758 | "script": {
759 | "exec": [
760 | ""
761 | ],
762 | "type": "text/javascript"
763 | }
764 | }
765 | ],
766 | "request": {
767 | "method": "GET",
768 | "header": [],
769 | "url": {
770 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/intelProfiles/9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80",
771 | "protocol": "https",
772 | "host": [
773 | "graph",
774 | "microsoft",
775 | "com"
776 | ],
777 | "path": [
778 | "beta",
779 | "security",
780 | "threatIntelligence",
781 | "intelProfiles",
782 | "9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80"
783 | ]
784 | }
785 | },
786 | "response": []
787 | },
788 | {
789 | "name": "Single Intel Profile - Indicators",
790 | "event": [
791 | {
792 | "listen": "test",
793 | "script": {
794 | "exec": [
795 | ""
796 | ],
797 | "type": "text/javascript"
798 | }
799 | }
800 | ],
801 | "request": {
802 | "method": "GET",
803 | "header": [],
804 | "url": {
805 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/intelProfiles/9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80/indicators",
806 | "protocol": "https",
807 | "host": [
808 | "graph",
809 | "microsoft",
810 | "com"
811 | ],
812 | "path": [
813 | "beta",
814 | "security",
815 | "threatIntelligence",
816 | "intelProfiles",
817 | "9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80",
818 | "indicators"
819 | ]
820 | }
821 | },
822 | "response": []
823 | }
824 | ]
825 | },
826 | {
827 | "name": "Vulnerabilities",
828 | "item": [
829 | {
830 | "name": "Get Vulnerability",
831 | "event": [
832 | {
833 | "listen": "test",
834 | "script": {
835 | "exec": [
836 | ""
837 | ],
838 | "type": "text/javascript"
839 | }
840 | }
841 | ],
842 | "request": {
843 | "method": "GET",
844 | "header": [],
845 | "url": {
846 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/vulnerabilities/CVE-2021-44228",
847 | "protocol": "https",
848 | "host": [
849 | "graph",
850 | "microsoft",
851 | "com"
852 | ],
853 | "path": [
854 | "beta",
855 | "security",
856 | "threatIntelligence",
857 | "vulnerabilities",
858 | "CVE-2021-44228"
859 | ]
860 | }
861 | },
862 | "response": []
863 | },
864 | {
865 | "name": "Get Vulnerability - Related Components",
866 | "event": [
867 | {
868 | "listen": "test",
869 | "script": {
870 | "exec": [
871 | ""
872 | ],
873 | "type": "text/javascript"
874 | }
875 | }
876 | ],
877 | "request": {
878 | "method": "GET",
879 | "header": [],
880 | "url": {
881 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/vulnerabilities/CVE-2021-44228/components?$count=true",
882 | "protocol": "https",
883 | "host": [
884 | "graph",
885 | "microsoft",
886 | "com"
887 | ],
888 | "path": [
889 | "beta",
890 | "security",
891 | "threatIntelligence",
892 | "vulnerabilities",
893 | "CVE-2021-44228",
894 | "components"
895 | ],
896 | "query": [
897 | {
898 | "key": "$count",
899 | "value": "true"
900 | }
901 | ]
902 | }
903 | },
904 | "response": []
905 | },
906 | {
907 | "name": "Get Vulnerability - Related Articles",
908 | "event": [
909 | {
910 | "listen": "test",
911 | "script": {
912 | "exec": [
913 | ""
914 | ],
915 | "type": "text/javascript"
916 | }
917 | }
918 | ],
919 | "request": {
920 | "method": "GET",
921 | "header": [],
922 | "url": {
923 | "raw": "https://graph.microsoft.com/beta/security/threatIntelligence/vulnerabilities/CVE-2021-44228/articles?$count=true",
924 | "protocol": "https",
925 | "host": [
926 | "graph",
927 | "microsoft",
928 | "com"
929 | ],
930 | "path": [
931 | "beta",
932 | "security",
933 | "threatIntelligence",
934 | "vulnerabilities",
935 | "CVE-2021-44228",
936 | "articles"
937 | ],
938 | "query": [
939 | {
940 | "key": "$count",
941 | "value": "true"
942 | }
943 | ]
944 | }
945 | },
946 | "response": []
947 | }
948 | ]
949 | }
950 | ],
951 | "auth": {
952 | "type": "oauth2",
953 | "oauth2": [
954 | {
955 | "key": "grant_type",
956 | "value": "client_credentials",
957 | "type": "string"
958 | },
959 | {
960 | "key": "scope",
961 | "value": "https://graph.microsoft.com/.default",
962 | "type": "string"
963 | },
964 | {
965 | "key": "tokenName",
966 | "value": "app 1",
967 | "type": "string"
968 | },
969 | {
970 | "key": "challengeAlgorithm",
971 | "value": "S256",
972 | "type": "string"
973 | },
974 | {
975 | "key": "useBrowser",
976 | "value": true,
977 | "type": "boolean"
978 | },
979 | {
980 | "key": "state",
981 | "value": "abv",
982 | "type": "string"
983 | },
984 | {
985 | "key": "redirect_uri",
986 | "value": "https://localhost:8090",
987 | "type": "string"
988 | },
989 | {
990 | "key": "clientSecret",
991 | "value": "{{clientSecret}}",
992 | "type": "string"
993 | },
994 | {
995 | "key": "clientId",
996 | "value": "{{clientId}}",
997 | "type": "string"
998 | },
999 | {
1000 | "key": "authUrl",
1001 | "value": "https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/authorize",
1002 | "type": "string"
1003 | },
1004 | {
1005 | "key": "addTokenTo",
1006 | "value": "header",
1007 | "type": "string"
1008 | },
1009 | {
1010 | "key": "client_authentication",
1011 | "value": "body",
1012 | "type": "string"
1013 | },
1014 | {
1015 | "key": "accessTokenUrl",
1016 | "value": "https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token",
1017 | "type": "string"
1018 | }
1019 | ]
1020 | },
1021 | "event": [
1022 | {
1023 | "listen": "prerequest",
1024 | "script": {
1025 | "type": "text/javascript",
1026 | "exec": [
1027 | ""
1028 | ]
1029 | }
1030 | },
1031 | {
1032 | "listen": "test",
1033 | "script": {
1034 | "type": "text/javascript",
1035 | "exec": [
1036 | ""
1037 | ]
1038 | }
1039 | }
1040 | ],
1041 | "variable": [
1042 | {
1043 | "key": "tenantId",
1044 | "value": "",
1045 | "type": "default"
1046 | },
1047 | {
1048 | "key": "clientId",
1049 | "value": "",
1050 | "type": "default"
1051 | },
1052 | {
1053 | "key": "clientSecret",
1054 | "value": "",
1055 | "type": "default"
1056 | }
1057 | ]
1058 | }
1059 |
--------------------------------------------------------------------------------
/MDTIPlaybooks/MDTI-Data-HostInfo/azuredeploy.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "metadata": {
5 | "comments": "Showcase Host Data for an entity and reputational score",
6 | "title": "MDTI-Data-HostInfo",
7 | "description": "This playbook calls the MDTI Host and Reputation endpoints for each host and IP address entity on a Microsoft Sentinel incident and posts the results as HTML-table comments on the incident. Security note: the HTTP actions authenticate with ActiveDirectoryOAuth using the client ID and client secret returned by the MDTI-Base child workflow, and neither the MDTI-Base call nor the HTTP actions set runtimeConfiguration.secureData, so the secret is written to the Logic App run history (action inputs/outputs) and can be read by anyone with access to the playbook's run history. Enable Secure Inputs/Outputs on the MDTI-Base action and on each HTTP action (or switch to a managed identity) before using this playbook in production.",
8 | "prerequisites": "This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative or (mdtidiscussion[@]microsoft.com).",
9 | "postDeployment": [
10 | "After deploying the playbook, you must authorize the connections leveraged.",
11 | "1. Visit the playbook resource.",
12 | "2. Under 'Development Tools' (located on the left), click 'API Connections'.",
13 | "3. Ensure each connection has been authorized.",
14 | "**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
15 | ],
16 | "prerequisitesDeployTemplateFile": "",
17 | "lastUpdateTime": "",
18 | "entities": [
19 | ],
20 | "tags": [
21 | ],
22 | "support": {
23 | "tier": "Microsoft",
24 | "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
25 | },
26 | "author": {
27 | "name": "Sean Wasonga, Microsoft"
28 | }
29 | },
30 | "parameters": {
31 | "PlaybookName": {
32 | "defaultValue": "MDTI-Data-HostInfo",
33 | "type": "string"
34 | }
35 | },
36 | "variables": {
37 | "MicrosoftSentinelConnectionName": "[concat('azursentinel-', parameters('PlaybookName'))]"
38 | },
39 | "resources": [
40 | {
41 | "type": "Microsoft.Web/connections",
42 | "apiVersion": "2016-06-01",
43 | "name": "[variables('MicrosoftSentinelConnectionName')]",
44 | "location": "[resourceGroup().location]",
45 | "properties": {
46 | "api": {
47 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
48 | }
49 | }
50 | },{
51 | "type": "Microsoft.Logic/workflows",
52 | "apiVersion": "2017-07-01",
53 | "name": "[parameters('PlaybookName')]",
54 | "location": "[resourceGroup().location]",
55 | "tags": {
56 | "LogicAppsCategory": "security",
57 | "Source": "MDTI"
58 | },
59 | "dependsOn": [
60 | "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
61 | ],
62 | "properties": {
63 | "provisioningState": "Succeeded",
64 | "state": "Enabled",
65 | "definition": {
66 | "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
67 | "contentVersion": "1.0.0.0",
68 | "parameters": {
69 | "$connections": {
70 | "defaultValue": {
71 | },
72 | "type": "Object"
73 | }
74 | },
75 | "triggers": {
76 | "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
77 | "type": "ApiConnectionWebhook",
78 | "inputs": {
79 | "body": {
80 | "callback_url": "@{listCallbackUrl()}"
81 | },
82 | "host": {
83 | "connection": {
84 | "name": "@parameters('$connections')['azuresentinel']['connectionId']"
85 | }
86 | },
87 | "path": "/incident-creation"
88 | }
89 | }
90 | },
91 | "actions": {
92 | "Add_comment_to_incident_(V3)": {
93 | "runAfter": {
94 | "Create_HTML_table_3": [
95 | "Succeeded"
96 | ]
97 | },
98 | "type": "ApiConnection",
99 | "inputs": {
100 | "body": {
101 | "incidentArmId": "@triggerBody()?['object']?['id']",
102 | "message": "\u003cp\u003e\u003cstrong\u003eMDTI Host (IP Address ) Information\u003cbr\u003e\n\u003c/strong\u003e@{body('Create_HTML_table_3')}\u003c/p\u003e"
103 | },
104 | "host": {
105 | "connection": {
106 | "name": "@parameters('$connections')['azuresentinel']['connectionId']"
107 | }
108 | },
109 | "method": "post",
110 | "path": "/Incidents/Comment"
111 | }
112 | },
113 | "Add_comment_to_incident_(V3)_2": {
114 | "runAfter": {
115 | "Create_HTML_table": [
116 | "Succeeded"
117 | ]
118 | },
119 | "type": "ApiConnection",
120 | "inputs": {
121 | "body": {
122 | "incidentArmId": "@triggerBody()?['object']?['id']",
123 | "message": "\u003cp\u003e\u003cstrong\u003eMDTI Host \u0026nbsp;Information\u003c/strong\u003e\u003cbr\u003e\n@{body('Create_HTML_table')}\u003c/p\u003e"
124 | },
125 | "host": {
126 | "connection": {
127 | "name": "@parameters('$connections')['azuresentinel']['connectionId']"
128 | }
129 | },
130 | "method": "post",
131 | "path": "/Incidents/Comment"
132 | }
133 | },
134 | "Create_HTML_table": {
135 | "runAfter": {
136 | "For_each_Host": [
137 | "Succeeded"
138 | ]
139 | },
140 | "type": "Table",
141 | "inputs": {
142 | "format": "HTML",
143 | "from": "@variables('result_output_host')"
144 | }
145 | },
146 | "Create_HTML_table_3": {
147 | "runAfter": {
148 | "For_each_IP_Address": [
149 | "Succeeded"
150 | ]
151 | },
152 | "type": "Table",
153 | "inputs": {
154 | "format": "HTML",
155 | "from": "@variables('result_output_ip')"
156 | }
157 | },
158 | "Entities_-_Get_Hosts": {
159 | "runAfter": {
160 | "MDTI-Base": [
161 | "Succeeded"
162 | ]
163 | },
164 | "type": "ApiConnection",
165 | "inputs": {
166 | "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
167 | "host": {
168 | "connection": {
169 | "name": "@parameters('$connections')['azuresentinel']['connectionId']"
170 | }
171 | },
172 | "method": "post",
173 | "path": "/entities/host"
174 | }
175 | },
176 | "Entities_-_Get_IPs": {
177 | "runAfter": {
178 | "MDTI-Base": [
179 | "Succeeded"
180 | ]
181 | },
182 | "type": "ApiConnection",
183 | "inputs": {
184 | "body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
185 | "host": {
186 | "connection": {
187 | "name": "@parameters('$connections')['azuresentinel']['connectionId']"
188 | }
189 | },
190 | "method": "post",
191 | "path": "/entities/ip"
192 | }
193 | },
194 | "For_each_Host": {
195 | "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
196 | "actions": {
197 | "Append_to_array_variable": {
198 | "runAfter": {
199 | "Compose": [
200 | "Succeeded"
201 | ]
202 | },
203 | "type": "AppendToArrayVariable",
204 | "inputs": {
205 | "name": "result_output_host",
206 | "value": "@outputs('Compose')"
207 | }
208 | },
209 | "Compose": {
210 | "runAfter": {
211 | "Parse_JSON": [
212 | "Succeeded"
213 | ]
214 | },
215 | "type": "Compose",
216 | "inputs": {
217 | "Classification": "@{body('Parse_JSON')?['classification']}",
218 | "First Seen": "@{body('Parse_Data_from_Get_command_into_JSON')?['firstSeenDateTime']}",
219 | "ID": "@{body('Parse_Data_from_Get_command_into_JSON')?['id']}",
220 | "Registrar": "@{body('Parse_Data_from_Get_command_into_JSON')?['registrar']}",
221 | "Registrant": "@{body('Parse_Data_from_Get_command_into_JSON')?['registrant']}",
222 | "Reputation Score": "@{body('Parse_JSON')?['score']}",
223 | "last Seen": "@{body('Parse_Data_from_Get_command_into_JSON')?['lastSeenDateTime']}"
224 | }
225 | },
226 | "Get_Host_information_from_MDTI_": {
227 | "runAfter": {
228 | },
229 | "type": "Http",
230 | "inputs": {
231 | "authentication": {
232 | "audience": "@body('MDTI-Base')?['resource']",
233 | "clientId": "@body('MDTI-Base')?['clientId']",
234 | "secret": "@body('MDTI-Base')?['clientSecret']",
235 | "tenant": "@body('MDTI-Base')?['tenantId']",
236 | "type": "ActiveDirectoryOAuth"
237 | },
238 | "headers": {
239 | "Content-Type": "application/json"
240 | },
241 | "method": "GET",
242 | "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')"
243 | }
244 | },
245 | "Get_Reputation_information_from_MDTI_Host": {
246 | "runAfter": {
247 | "Parse_Data_from_Get_command_into_JSON": [
248 | "Succeeded"
249 | ]
250 | },
251 | "type": "Http",
252 | "inputs": {
253 | "authentication": {
254 | "audience": "@body('MDTI-Base')?['resource']",
255 | "clientId": "@body('MDTI-Base')?['clientId']",
256 | "secret": "@body('MDTI-Base')?['clientSecret']",
257 | "tenant": "@body('MDTI-Base')?['tenantId']",
258 | "type": "ActiveDirectoryOAuth"
259 | },
260 | "method": "GET",
261 | "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/reputation"
262 | }
263 | },
264 | "Parse_Data_from_Get_command_into_JSON": {
265 | "runAfter": {
266 | "Get_Host_information_from_MDTI_": [
267 | "Succeeded"
268 | ]
269 | },
270 | "type": "ParseJson",
271 | "inputs": {
272 | "content": "@body('Get_Host_information_from_MDTI_')",
273 | "schema": {
274 | "properties": {
275 | "@@odata.context": {
276 | "type": "string"
277 | },
278 | "@@odata.type": {
279 | "type": "string"
280 | },
281 | "firstSeenDateTime": {},
282 | "id": {
283 | "type": "string"
284 | },
285 | "lastSeenDateTime": {},
286 | "registrant": {},
287 | "registrar": {}
288 | },
289 | "type": "object"
290 | }
291 | }
292 | },
293 | "Parse_JSON": {
294 | "runAfter": {
295 | "Get_Reputation_information_from_MDTI_Host": [
296 | "Succeeded"
297 | ]
298 | },
299 | "type": "ParseJson",
300 | "inputs": {
301 | "content": "@body('Get_Reputation_information_from_MDTI_Host')",
302 | "schema": {
303 | "properties": {
304 | "@@odata.context": {
305 | "type": "string"
306 | },
307 | "classification": {
308 | "type": "string"
309 | },
310 | "id": {
311 | "type": "string"
312 | },
313 | "rules": {
314 | "type": "array"
315 | },
316 | "score": {
317 | "type": "integer"
318 | }
319 | },
320 | "type": "object"
321 | }
322 | }
323 | }
324 | },
325 | "runAfter": {
326 | "Init_Result_Host": [
327 | "Succeeded"
328 | ]
329 | },
330 | "type": "Foreach"
331 | },
332 | "For_each_IP_Address": {
333 | "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
334 | "actions": {
335 | "Append_to_array_variable_2": {
336 | "runAfter": {
337 | "Compose_summary_of_Host_and_Reputational_data": [
338 | "Succeeded"
339 | ]
340 | },
341 | "type": "AppendToArrayVariable",
342 | "inputs": {
343 | "name": "result_output_ip",
344 | "value": "@outputs('Compose_summary_of_Host_and_Reputational_data')"
345 | }
346 | },
347 | "Compose_summary_of_Host_and_Reputational_data": {
348 | "runAfter": {
349 | "Parse_JSON_from_MDTI_Reputation_Score": [
350 | "Succeeded"
351 | ]
352 | },
353 | "type": "Compose",
354 | "inputs": {
355 | " Reputation Score": "@{body('Parse_JSON_from_MDTI_Reputation_Score')?['score']}",
356 | "Classification": "@{body('Parse_JSON_from_MDTI_Reputation_Score')?['classification']}",
357 | "Country": "@{body('Parse_Data_from_Get_command_into_JSON_IP_address')?['countryOrRegion']}",
358 | "First Seen": "@{body('Parse_Data_from_Get_command_into_JSON_IP_address')?['firstSeenDateTime']}",
359 | "IP Address": "@{body('Parse_Data_from_Get_command_into_JSON_IP_address')?['id']}",
360 | "Organization": "@{body('Parse_Data_from_Get_command_into_JSON_IP_address')?['autonomousSystem']?['organization']}",
361 | "last Seen": "@{body('Parse_Data_from_Get_command_into_JSON_IP_address')?['lastSeenDateTime']}"
362 | }
363 | },
364 | "Get_IP_information_from_MDTI": {
365 | "runAfter": {
366 | },
367 | "type": "Http",
368 | "inputs": {
369 | "authentication": {
370 | "audience": "@body('MDTI-Base')?['resource']",
371 | "clientId": "@body('MDTI-Base')?['clientId']",
372 | "secret": "@body('MDTI-Base')?['clientSecret']",
373 | "tenant": "@body('MDTI-Base')?['tenantId']",
374 | "type": "ActiveDirectoryOAuth"
375 | },
376 | "headers": {
377 | "Content-Type": "application/json"
378 | },
379 | "method": "GET",
380 | "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')"
381 | }
382 | },
383 | "Get_Reputation_information_from_MDTI_Ip_address": {
384 | "runAfter": {
385 | "Parse_Data_from_Get_command_into_JSON_IP_address": [
386 | "Succeeded"
387 | ]
388 | },
389 | "type": "Http",
390 | "inputs": {
391 | "authentication": {
392 | "audience": "@body('MDTI-Base')?['resource']",
393 | "clientId": "@body('MDTI-Base')?['clientId']",
394 | "secret": "@body('MDTI-Base')?['clientSecret']",
395 | "tenant": "@body('MDTI-Base')?['tenantId']",
396 | "type": "ActiveDirectoryOAuth"
397 | },
398 | "method": "GET",
399 | "uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/reputation"
400 | }
401 | },
402 | "Parse_Data_from_Get_command_into_JSON_IP_address": {
403 | "runAfter": {
404 | "Get_IP_information_from_MDTI": [
405 | "Succeeded"
406 | ]
407 | },
408 | "type": "ParseJson",
409 | "inputs": {
410 | "content": "@body('Get_IP_information_from_MDTI')",
411 | "schema": {
412 | "properties": {
413 | "@@odata.context": {
414 | "type": "string"
415 | },
416 | "@@odata.type": {
417 | "type": "string"
418 | },
419 | "autonomousSystem": {
420 | "properties": {
421 | "hostname": {
422 | "type": "string"
423 | },
424 | "hostnumber": {
425 | "type": "integer"
426 | },
427 | "hostvalue": {
428 | "type": "string"
429 | },
430 | "organization": {
431 | "type": "string"
432 | }
433 | },
434 | "type": "object"
435 | },
436 | "countryOrRegion": {
437 | "type": "string"
438 | },
439 | "firstSeenDateTime": {
440 | "type": "string"
441 | },
442 | "hostingProvider": {
443 | },
444 | "id": {
445 | "type": "string"
446 | },
447 | "lastSeenDateTime": {
448 | "type": "string"
449 | },
450 | "netblock": {
451 | "type": "string"
452 | }
453 | },
454 | "type": "object"
455 | }
456 | }
457 | },
458 | "Parse_JSON_from_MDTI_Reputation_Score": {
459 | "runAfter": {
460 | "Get_Reputation_information_from_MDTI_Ip_address": [
461 | "Succeeded"
462 | ]
463 | },
464 | "type": "ParseJson",
465 | "inputs": {
466 | "content": "@body('Get_Reputation_information_from_MDTI_Ip_address')",
467 | "schema": {
468 | "properties": {
469 | "@@odata.context": {
470 | "type": "string"
471 | },
472 | "classification": {
473 | "type": "string"
474 | },
475 | "id": {
476 | "type": "string"
477 | },
478 | "rules": {
479 | "items": {
480 | "properties": {
481 | "description": {
482 | "type": "string"
483 | },
484 | "name": {
485 | "type": "string"
486 | },
487 | "relatedDetailsUrl": {
488 | },
489 | "severity": {
490 | "type": "string"
491 | }
492 | },
493 | "required": [
494 | "name",
495 | "description",
496 | "severity",
497 | "relatedDetailsUrl"
498 | ],
499 | "type": "object"
500 | },
501 | "type": "array"
502 | },
503 | "score": {
504 | "type": "integer"
505 | }
506 | },
507 | "type": "object"
508 | }
509 | }
510 | }
511 | },
512 | "runAfter": {
513 | "Init_Result_IP": [
514 | "Succeeded"
515 | ]
516 | },
517 | "type": "Foreach"
518 | },
519 | "Init_Result_Host": {
520 | "runAfter": {
521 | "Entities_-_Get_Hosts": [
522 | "Succeeded"
523 | ]
524 | },
525 | "type": "InitializeVariable",
526 | "inputs": {
527 | "variables": [
528 | {
529 | "name": "result_output_host",
530 | "type": "array"
531 | }
532 | ]
533 | }
534 | },
535 | "Init_Result_IP": {
536 | "runAfter": {
537 | "Entities_-_Get_IPs": [
538 | "Succeeded"
539 | ]
540 | },
541 | "type": "InitializeVariable",
542 | "inputs": {
543 | "variables": [
544 | {
545 | "name": "result_output_ip",
546 | "type": "array"
547 | }
548 | ]
549 | }
550 | },
551 | "MDTI-Base": {
552 | "runAfter": {
553 | },
554 | "type": "Workflow",
555 | "inputs": {
556 | "host": {
557 | "triggerName": "manual",
558 | "workflow": {
559 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
560 | }
561 | }
562 | }
563 | }
564 | }
565 | },
566 | "parameters": {
567 | "$connections": {
568 | "value": {
569 | "azuresentinel": {
570 | "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
571 | "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
572 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
573 | }
574 | }
575 | }
576 | }
577 | }
578 | }
579 | ]
580 | }
--------------------------------------------------------------------------------