diff --git a/Plugins/Community Based Plugins/IOC Query Builder/IOC_Query_Builder.yaml b/Plugins/Community Based Plugins/IOC Query Builder/IOC_Query_Builder.yaml new file mode 100644 index 00000000..5dae028c --- /dev/null +++ b/Plugins/Community Based Plugins/IOC Query Builder/IOC_Query_Builder.yaml 
@@ -0,0 +1,40 @@ +Descriptor: + Name: IOCQueryBuilder + DisplayName: IOC Query Builder + Description: Skills for formatting a list of IOCs so they can be used by SOC analysts in KQL queries + +SkillGroups: + - Format: GPT + Skills: + - Name: GenerateIOCListForKQL + DisplayName: Generate IOC List For KQL + Description: Formats a list of IOCs so they can be used by SOC analysts in KQL queries + ExamplePrompt: + - 'IOC KQL Query' + - 'IOC List' + - 'Build a KQL query from the following list of IOCs' + - 'Format the following list of IOCs' + - 'Create a dynamic array from this list of IOCs' + - 'Format the following list of IP addresses' + - 'Create a dynamic array from this list of IP addresses' + - 'Format the following list of domain names' + - 'Create a dynamic array from this list of domain names' + - 'Format the following list of URLs' + - 'Create a dynamic array from this list of URLs' + - 'Format the following list of hashes' + - 'Create a dynamic array from this list of hashes' + Inputs: + - Name: iocs + Description: The unformatted list of IOCs + Required: true + Settings: + ModelName: gpt-4-32k-v0613 + Template: |- + When a security operations analyst recieves a list of indicators of compromise (IOCs), they will search their SIEM tool to identify if a system may have been infiltrated by a cyber threat. The list of IOCs will need to be formatted in such as way that it can be included in a KQL query. + + Some examples of this formatting in KQL: + 1. microsoft.com securitycopilot.microsoft.com security.microsoft.com --> ['microsoft.com','securitycopilot.microsoft.com','security.microsoft.com'] + 2. 1.1.1.1 8.8.8.8 --> ['1.1.1.1','8.8.8.8'] + + Format any IOCs in the following text and return the new text: + {{iocs}} diff --git a/Plugins/Community Based Plugins/IOC Query Builder/Readme.md b/Plugins/Community Based Plugins/IOC Query Builder/Readme.md new file mode 100644 index 00000000..36abd579 --- /dev/null 
+++ b/Plugins/Community Based Plugins/IOC Query Builder/Readme.md @@ -0,0 +1,32 @@ +# Copilot for Security Plugin: IOC Query Builder + +### **This GPT plugin enables a SOC analyst to input a list of indicators of compromise (IOCs) and format them so they can be used in a KQL query in Sentinel and/or Defender XDR.** + +### Pre-requisites + +- [Copilot for Security Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) + +### Instructions + +#### Upload the Custom Plugin + +1. Obtain the file IOC_Query_Builder.yaml from this directory. +2. Upload the custom plugin + +### Plugin Utilisation + +#### Skills + +- **GenerateIOCListForKQL**: Formats a list of IOCs so they can be used by SOC analysts in KQL queries + +#### Example Prompts + +- Format the following list of IOCs: +- Create a dynamic array from this list of IP addresses: +- Format the following list of hashes: + +#### Example Usage + +1. Use the FetchURL skill to gather a list of IOCs from a threat intelligence report webpage. +2. Use the GenerateIOCListForKQL skill to format the list of IOCs for use in a KQL query. diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/MDE_Attack_Surface_Reduction.yaml b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/MDE_Attack_Surface_Reduction.yaml new file mode 100644 index 00000000..c3df8582 --- /dev/null +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/MDE_Attack_Surface_Reduction.yaml 
@@ -0,0 +1,208 @@ +Descriptor: + Name: MDEAttackSurfaceReduction + DisplayName: MDE Attack Surface Reduction (ASR) + Description: Skills to query MDE device tables to get insights about ASR rules + +SkillGroups: + - Format: KQL + Skills: + - Name: GetASREventCountWithinTimeframe + DisplayName: Get ASR Event Count Within Timeframe + Description: Fetches a count of ASR events within the specified timeframe + ExamplePrompt: + - 'Attack Surface Reduction Event Count' + - 'ASR Event Count' + - 'Get a count of the ASR events from the past 24 hours' + - 'Get a count of the ASR events from the past 7 days' + - 'Fetch a count of the Attack Surface Reduction events from the past 24 hours' + - 'Fetch a count of the Attack Surface Reduction events from the past 7 days' + - 'List a count of the ASR events from the past 24 hours' + - 'List a count of the ASR events from the past 7 days' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: true + - Name: unit + Description: number of hours or days + Required: true + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType startswith "ASR" + | project ActionType + | summarize count() by ActionType + - Format: KQL + Skills: + - Name: GetASREventsForDevice + DisplayName: Get ASR Events From Device + Description: Fetches a count of ASR events for a specified device name or device ID + ExamplePrompt: + - 'Attack Surface Reduction Device Events' + - 'ASR Device Events' + - 'Get a count of the ASR events seen on device DEVICENAME in the past 24 hours' + - 'Get a count of the ASR events seen on device DEVICENAME in the past 7 days' + - 'Fetch a count of the ASR events seen on device DEVICENAME in the past 24 hours' + - 'Fetch a count of the ASR events seen on device DEVICENAME in the past 7 days' + - 'List the count of ASR events seen on device DEVICENAME in the past 24 hours' + - 'List the count of ASR events seen on device DEVICENAME in 
the past 7 days' + Inputs: + - Name: devicename + Description: device name or id + Required: true + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + let Device = "{{devicename}}"; + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where DeviceName =~ Device or DeviceId =~ Device + | where ActionType startswith "ASR" + | project ActionType + | summarize count() by ActionType + - Format: KQL + Skills: + - Name: GetASREventsForFile + DisplayName: Get ASR Events For File + Description: Fetches a count of ASR events for a specified file name + ExamplePrompt: + - 'Attack Surface Reduction File Events' + - 'ASR File Events' + - 'Get a count of the ASR events for file FILENAME.EXE in the past 24 hours' + - 'Get a count of the ASR events for file FILENAME.EXE in the past 7 days' + - 'Fetch a count of the ASR events for file FILENAME.EXE in the past 24 hours' + - 'Fetch a count of the ASR events for file FILENAME.EXE in the past 7 days' + - 'List the count of ASR events for file FILENAME.EXE in the past 24 hours' + - 'List the count of ASR events for file FILENAME.EXE in the past 7 days' + Inputs: + - Name: filename + Description: file name + Required: true + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType startswith "ASR" + | where FileName contains "{(unknown)}" + | project ActionType, FileName + | summarize count() by ActionType, FileName + - Format: KQL + Skills: + - Name: GetASRBlockedEvents + DisplayName: Get ASR Blocked Events + Description: Fetches a count of the top 25 ASR blocked events + ExamplePrompt: + - 
'Attack Surface Reduction Blocked Events' + - 'ASR Blocked Events' + - 'Get a count of the blocked ASR events from the past 24 hours' + - 'Get a count of the blocked ASR events from the past 7 days' + - 'Fetch a count of the blocked Attack Surface Reduction events from the past 24 hours' + - 'Fetch a count of the blocked Attack Surface Reduction events from the past 7 days' + - 'List the count of the blocked ASR events from the past 24 hours' + - 'List the count of the blocked ASR events from the past 7 days' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: h + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 24 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType startswith "ASR" and ActionType endswith "Blocked" + | project ActionType, FileName + | summarize count() by ActionType, FileName + | top 25 by count_ + - Format: KQL + Skills: + - Name: GetASRAuditedEvents + DisplayName: Get ASR Audited Events + Description: Fetches a count of the top 25 ASR audited events + ExamplePrompt: + - 'Attack Surface Reduction Audited Events' + - 'ASR Audited Events' + - 'Get a count of the audited ASR events from the past 24 hours' + - 'Get a count of the audited ASR events from the past 7 days' + - 'Fetch a count of the audited Attack Surface Reduction events from the past 24 hours' + - 'Fetch a count of the audited Attack Surface Reduction events from the past 7 days' + - 'List the count of the audited ASR events from the past 24 hours' + - 'List the count of the audited ASR events from the past 7 days' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: h + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 24 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | 
where ActionType startswith "ASR" and ActionType endswith "Audited" + | project ActionType, FileName + | summarize count() by ActionType, FileName + | top 25 by count_ + - Format: KQL + Skills: + - Name: GetASREventsByCategory + DisplayName: Get ASR Events By Category + Description: Fetches a count of ASR events grouped by category and day + ExamplePrompt: + - 'Attack Surface Reduction Event Category' + - 'ASR Event Category' + - 'ASR Email Events' + - 'ASR Script Events' + - 'ASR WMI Events' + - 'ASR Office App Events' + - 'ASR 3rd Party App Events' + - 'ASR Windows Credentials Events' + - 'ASR Polymorphic Threats Events' + - 'Get a count of the Attack Surface Reduction events grouped by category and day from the last 30 days' + - 'Get a count of the Attack Surface Reduction events grouped by category and day from the past 48 hours' + - 'Fetch a count of the ASR events grouped by category and day from the last 30 days' + - 'Fetch a count of the ASR events grouped by category and day from the past 48 hours' + - 'List the ASR events grouped by category and day from the last 30 days' + - 'List the ASR events grouped by category and day from the past 48 hours' + Inputs: + - Name: hourorday + Description: hours (h) or days (d) + Required: false + DefaultValue: d + - Name: unit + Description: number of hours or days + Required: false + DefaultValue: 7 + Settings: + Target: Defender + Template: |- + DeviceEvents + | where Timestamp >= ago({{unit}}{{hourorday}}) + | where ActionType startswith "asr" + | summarize Email = countif(ActionType in ("AsrExecutableEmailContentBlocked", "AsrOfficeCommAppChildProcessBlocked")), Script = countif(ActionType in ("AsrObfuscatedScriptBlocked", "AsrScriptExecutableDownloadBlocked")), WMI = countif(ActionType in ("AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked")), OfficeApp = countif(ActionType in ("AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked", "AsrExecutableOfficeContentBlocked", 
"AsrOfficeProcessInjectionBlocked")), 3rdPartyApp = countif(ActionType == "AsrAdobeReaderChildProcessBlocked"), WindowsCredentials = countif(ActionType == "AsrLsassCredentialTheftBlocked"), PolymorphicThreats = countif(ActionType in ("AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrRansomwareBlocked", "AsrVulnerableSignedDriverBlocked")) by bin(Timestamp, 1d) + | sort by Timestamp diff --git a/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/Readme.md b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/Readme.md new file mode 100644 index 00000000..b4cc43db --- /dev/null +++ b/Plugins/Community Based Plugins/Microsoft Defender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/Readme.md 
@@ -0,0 +1,44 @@ +# Copilot for Security Plugin: MDE Attack Surface Reduction (ASR) + +### **This KQL plugin enables SOC analysts and engineers to get insights about ASR rules in their environment based on the Defender for Endpoint DeviceEvents table.** + +### Pre-requisites + +- [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot) +- [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins) +- [Attack Surface Reduction rules enabled](https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction#configure-attack-surface-reduction-capabilities) + +### Instructions + +#### Upload the Custom Plugin + +1. Obtain the file MDE_Attack_Surface_Reduction.yaml from this directory. +2. Upload the custom plugin + +### Plugin Utilisation + +#### Skills + +- **GetASREventCountWithinTimeframe**: Fetches a count of ASR events within the specified timeframe +- **GetASREventsForDevice**: Fetches a count of ASR events for a specified device name or device ID +- **GetASREventsForFile**: Fetches a count of ASR events for a specified file name +- **GetASRBlockedEvents**: Fetches a count of the top 25 ASR blocked events +- **GetASRAuditedEvents**: Fetches a count of the top 25 ASR audited events +- **GetASREventsByCategory**: Fetches a count of ASR events grouped by category and day + +#### Example Prompts + +- Get a count of the ASR events from the past 24 hours +- Fetch a count of the Attack Surface Reduction events seen on device DEVICENAME in the past 7 days +- List the count of ASR events for file FILENAME.EXE in the past 24 hours +- Get a count of the blocked ASR events from the past 7 days +- Fetch a count of the audited Attack Surface Reduction events from the past 24 hours +- List the ASR events grouped by category and day from the past 48 hours +- Get a count of 
the Attack Surface Reduction events grouped by category and day from the last 30 days + +#### Example Usage + +1. A desktop engineer is drafting a report for senior leadership about the organisation’s attack surface. +2. The GetASREventCountWithinTimeframe skill is used to get a summary of the ASR rules that were triggered over the past 30 days. +3. The Microsoft Defender Threat Intelligence (MDTI) plugin is used to get context about the tactics, techniques and procedures (TTPs) that the ASR rules will protect against. +4. The Generic plugin is used to summarise the previous prompts and provide recommendations about which ASR audit rules should be switched to blocked.
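Review bot: the Template for GenerateIOCListForKQL emits a bare bracketed list (`['1.1.1.1','8.8.8.8']`) although five of the ExamplePrompts ask for a "dynamic array"; in KQL a bracketed literal is only a dynamic array inside `dynamic(...)`, so either show `dynamic(['1.1.1.1','8.8.8.8'])` in the formatting examples or describe the output as a list for `in (...)`. Two typos in the same Template prose: "recieves" should be "receives" and "in such as way" should be "in such a way". The instruction "Format any IOCs in the following text" also says nothing about defanged indicators (`hxxp://`, `[.]`), which threat-intel reports commonly use, so whether they are refanged is left to the model; state the expected behaviour explicitly.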
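Review bot: Example Usage step 1 feeds a threat-intelligence web page fetched by FetchURL straight into the GPT skill as the `iocs` input, and the Template carries no instruction to disregard anything other than indicators, so text on that page can steer what the model returns (prompt injection into a list that is about to become a hunting filter); add a sentence advising analysts to check the returned array against the source before pasting it into a Sentinel or Defender XDR query. Step 2 under "Upload the Custom Plugin" ("Upload the custom plugin") should link to the manage-plugins page already cited in Pre-requisites.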
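Review bot: in GetASREventsByCategory the summarize column `3rdPartyApp = countif(ActionType == "AsrAdobeReaderChildProcessBlocked")` will not parse, because a KQL column name cannot begin with a digit; rename it (`ThirdPartyApp`) or bracket it (`['3rdPartyApp']`). In GetASREventsForFile the Template filters on `| where FileName contains "{(unknown)}"` and never references the declared `filename` input; it should read `| where FileName contains "{{filename}}"`. GetASREventsByCategory also counts only the `...Blocked` action types while its Description promises "ASR events grouped by category", so rules still in audit mode (the ones the readme wants to promote to block) never show up; add the `...Audited` variants to each countif or say "blocked" in the Description. Across all six skills `{{unit}}{{hourorday}}` is interpolated into `ago(...)` with no validation, and the names are inverted (`unit` holds the number, `hourorday` the unit); a single `timeframe` input with a documented format such as `24h` or `7d` would be clearer and narrower. Minor: `| project ActionType` immediately before `| summarize count() by ActionType` is redundant, and `DeviceName =~ Device` is an exact match, so a short host name will not match the FQDN that DeviceName usually carries.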
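Review bot: Pre-requisites omit what the skills need to execute: every skill is `Target: Defender`, so the user also needs the Defender XDR plugin enabled in Copilot for Security and advanced-hunting access to the DeviceEvents table; list that next to the ASR-rules link. In Example Usage, step 2 runs GetASREventCountWithinTimeframe, but the step-4 recommendation about "which ASR audit rules should be switched to blocked" depends on the audited-versus-blocked split that GetASRAuditedEvents and GetASRBlockedEvents produce; name those skills in step 2 or state that the summary must include both counts. Step 2 under "Upload the Custom Plugin" should link to the manage-plugins page cited above.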