Microsoft Defender

Description

This connector replaces the “microsoftsentinel” connector (https://learn.microsoft.com/en-us/azure/sentinel/move-to-defender).

Microsoft Defender provides a unified cybersecurity solution that integrates endpoint protection, cloud security, identity protection, email security, threat intelligence, exposure management, and SIEM into a centralized platform powered by a modern data lake.

This connector allows querying Microsoft Defender XDR logs using KQL (Kusto Query Language).

Queries have to return a “Computer” column, corresponding to either a native “Computer” field, or a transformation.

If a transformation is required, it has to be part of the “query” field (not in the “columns” field). - You can define “Computer” by copying the value from another field: | project Computer = DstDvcHostname - You can also truncate the computer name to remove the domain: | project Computer = tostring(split(Computer, “.”)[0])

Queries can use the {{StartTimeISO}} and {{EndTimeISO}} placeholders to define the time range for the query. For example, you can use the following syntax to filter events from the last 14 days:

let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;

Requirements

  • You’ll need to install the msal package: pip install msal

  • The AdvancedHunting.Read.All permission is required for the APP ID.

Limitations

The current implementation of the Microsoft Sentinel plugin does not support synchronizing rules. SYNC_RULES has to be set to False. It does not get threats either.

Settings

TENANT_ID

  • Type: string

  • Description: Tenant ID

  • Example:

TENANT_ID = "a1b2c3d4-e5f6-7g8h-9i0j-k1l2m3n4o5p6"

CLIENT_ID

  • Type: string

  • Description: Client ID of the application registered in Azure Active Directory. This is used for authentication when connecting to Microsoft Sentinel.

  • Example:

CLIENT_ID = "b1c2d3e4-f5a6-7b8c-9d0e-f1a2b3c4d5e6"

CLIENT_SECRET

  • Type: string

  • Description: Password associated with the client ID. This is used for authentication when connecting to Microsoft Sentinel.

  • Example:

CLIENT_SECRET = "s3cr3t-k3y-v4lue"

SYNC_RULES

  • Type: boolean

  • Description: Should the plugin synchronize rules? Currently, this feature is not supported, and this setting must be set to False.

  • Possible values: True, False

  • Example:

SYNC_RULES = False

QUERY_ERROR_INFO

  • Type: string

  • Description: Regular expression to identify if the query error message is an informational message (INFO) instead of an ERROR. This can be used to filter out non-critical errors in the logs. If empty, all messages will be considered errors.

  • Example:

QUERY_ERROR_INFO = ".*(INFO|DEBUG).*"