Azure · alfonso-greenbrook · Sep 4, 2024 · Sep 4, 2024 · Sep 4, 2024 · Sep 4, 2024
diff --git a/Plugins/Community Based Plugins/IOC Query Builder/IOC_Query_Builder.yaml b/Plugins/Community Based Plugins/IOC Query Builder/IOC_Query_Builder.yaml
@@ -0,0 +1,40 @@
+Descriptor:
+  Name: IOCQueryBuilder
+  DisplayName: IOC Query Builder
+  Description: Skills for formatting a list of IOCs so they can be used by SOC analysts in KQL queries
+
+SkillGroups:
+  - Format: GPT
+    Skills:
+      - Name: GenerateIOCListForKQL
+        DisplayName: Generate IOC List For KQL
+        Description: Formats a list of IOCs so they can be used by SOC analysts in KQL queries
+        ExamplePrompt:
+        - 'IOC KQL Query'
+        - 'IOC List'
+        - 'Build a KQL query from the following list of IOCs'
+        - 'Format the following list of IOCs'
+        - 'Create a dynamic array from this list of IOCs'
+        - 'Format the following list of IP addresses'
+        - 'Create a dynamic array from this list of IP addresses'
+        - 'Format the following list of domain names'
+        - 'Create a dynamic array from this list of domain names'
+        - 'Format the following list of URLs'
+        - 'Create a dynamic array from this list of URLs'
+        - 'Format the following list of hashes'
+        - 'Create a dynamic array from this list of hashes'
+        Inputs:
+          - Name: iocs
+            Description: The unformatted list of IOCs
+            Required: true
+        Settings:
+          ModelName: gpt-4-32k-v0613
+          Template: |-
+            When a security operations analyst recieves a list of indicators of compromise (IOCs), they will search their SIEM tool to identify if a system may have been infiltrated by a cyber threat. The list of IOCs will need to be formatted in such as way that it can be included in a KQL query.
+
+            Some examples of this formatting in KQL:
+            1. microsoft.com securitycopilot.microsoft.com security.microsoft.com --> ['microsoft.com','securitycopilot.microsoft.com','security.microsoft.com']
+            2. 1.1.1.1 8.8.8.8 --> ['1.1.1.1','8.8.8.8']
+
+            Format any IOCs in the following text and return the new text:
+            {{iocs}}
diff --git a/Plugins/Community Based Plugins/IOC Query Builder/Readme.md b/Plugins/Community Based Plugins/IOC Query Builder/Readme.md
@@ -0,0 +1,32 @@
+# Copilot for Security Plugin: IOC Query Builder
+
+### **This GPT plugin enables a SOC analyst to input a list of indicators of compromise (IOCs) and format them so they can be used in a KQL query in Sentinel and/or Defender XDR.**
+
+### Pre-requisites
+
+-   [Copilot for Security Enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+-   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1.  Obtain the file IOC_Query_Builder.yaml from this directory.
+2.  Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **GenerateIOCListForKQL**: Formats a list of IOCs so they can be used by SOC analysts in KQL queries
+
+#### Example Prompts
+
+- Format the following list of IOCs:
+- Create a dynamic array from this list of IP addresses:
+- Format the following list of hashes:
+
+#### Example Usage
+
+1. Use the FetchURL skill to gather a list of IOCs from a threat intelligence report webpage.
+2. Use the GenerateIOCListForKQL skill to format the list of IOCs for use in a KQL query.
diff --git a/...tom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/MDE_Attack_Surface_Reduction.yaml b/...tom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/MDE_Attack_Surface_Reduction.yaml
@@ -0,0 +1,208 @@
+Descriptor:
+  Name: MDEAttackSurfaceReduction
+  DisplayName: MDE Attack Surface Reduction (ASR)
+  Description: Skills to query MDE device tables to get insights about ASR rules
+
+SkillGroups:
+  - Format: KQL
+    Skills:
+      - Name: GetASREventCountWithinTimeframe
+        DisplayName: Get ASR Event Count Within Timeframe
+        Description: Fetches a count of ASR events within the specified timeframe
+        ExamplePrompt:
+        - 'Attack Surface Reduction Event Count'
+        - 'ASR Event Count'
+        - 'Get a count of the ASR events from the past 24 hours'
+        - 'Get a count of the ASR events from the past 7 days'
+        - 'Fetch a count of the Attack Surface Reduction events from the past 24 hours'
+        - 'Fetch a count of the Attack Surface Reduction events from the past 7 days'
+        - 'List a count of the ASR events from the past 24 hours'
+        - 'List a count of the ASR events from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: true
+          - Name: unit
+            Description: number of hours or days
+            Required: true
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType startswith "ASR"
+            | project ActionType
+            | summarize count() by ActionType
+  - Format: KQL
+    Skills:
+      - Name: GetASREventsForDevice
+        DisplayName: Get ASR Events From Device
+        Description: Fetches a count of ASR events for a specified device name or device ID
+        ExamplePrompt:
+        - 'Attack Surface Reduction Device Events'
+        - 'ASR Device Events'
+        - 'Get a count of the ASR events seen on device DEVICENAME in the past 24 hours'
+        - 'Get a count of the ASR events seen on device DEVICENAME in the past 7 days'
+        - 'Fetch a count of the ASR events seen on device DEVICENAME in the past 24 hours'
+        - 'Fetch a count of the ASR events seen on device DEVICENAME in the past 7 days'
+        - 'List the count of ASR events seen on device DEVICENAME in the past 24 hours'
+        - 'List the count of ASR events seen on device DEVICENAME in the past 7 days'
+        Inputs:
+          - Name: devicename
+            Description: device name or id
+            Required: true
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            let Device = "{{devicename}}";
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where DeviceName =~ Device or DeviceId =~ Device
+            | where ActionType startswith "ASR"
+            | project ActionType
+            | summarize count() by ActionType
+  - Format: KQL
+    Skills:
+      - Name: GetASREventsForFile
+        DisplayName: Get ASR Events For File
+        Description: Fetches a count of ASR events for a specified file name
+        ExamplePrompt:
+        - 'Attack Surface Reduction File Events'
+        - 'ASR File Events'
+        - 'Get a count of the ASR events for file FILENAME.EXE in the past 24 hours'
+        - 'Get a count of the ASR events for file FILENAME.EXE in the past 7 days'
+        - 'Fetch a count of the ASR events for file FILENAME.EXE in the past 24 hours'
+        - 'Fetch a count of the ASR events for file FILENAME.EXE in the past 7 days'
+        - 'List the count of ASR events for file FILENAME.EXE in the past 24 hours'
+        - 'List the count of ASR events for file FILENAME.EXE in the past 7 days'
+        Inputs:
+          - Name: filename
+            Description: file name
+            Required: true
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType startswith "ASR"
+            | where FileName contains "{{filename}}"
+            | project ActionType, FileName
+            | summarize count() by ActionType, FileName
+  - Format: KQL
+    Skills:
+      - Name: GetASRBlockedEvents
+        DisplayName: Get ASR Blocked Events
+        Description: Fetches a count of the top 25 ASR blocked events
+        ExamplePrompt:
+        - 'Attack Surface Reduction Blocked Events'
+        - 'ASR Blocked Events'
+        - 'Get a count of the blocked ASR events from the past 24 hours'
+        - 'Get a count of the blocked ASR events from the past 7 days'
+        - 'Fetch a count of the blocked Attack Surface Reduction events from the past 24 hours'
+        - 'Fetch a count of the blocked Attack Surface Reduction events from the past 7 days'
+        - 'List the count of the blocked ASR events from the past 24 hours'
+        - 'List the count of the blocked ASR events from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: h
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 24
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType startswith "ASR" and ActionType endswith "Blocked"
+            | project ActionType, FileName
+            | summarize count() by ActionType, FileName
+            | top 25 by count_
+  - Format: KQL
+    Skills:
+      - Name: GetASRAuditedEvents
+        DisplayName: Get ASR Audited Events
+        Description: Fetches a count of the top 25 ASR audited events
+        ExamplePrompt:
+        - 'Attack Surface Reduction Audited Events'
+        - 'ASR Audited Events'
+        - 'Get a count of the audited ASR events from the past 24 hours'
+        - 'Get a count of the audited ASR events from the past 7 days'
+        - 'Fetch a count of the audited Attack Surface Reduction events from the past 24 hours'
+        - 'Fetch a count of the audited Attack Surface Reduction events from the past 7 days'
+        - 'List the count of the audited ASR events from the past 24 hours'
+        - 'List the count of the audited ASR events from the past 7 days'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: h
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 24
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType startswith "ASR" and ActionType endswith "Audited"
+            | project ActionType, FileName
+            | summarize count() by ActionType, FileName
+            | top 25 by count_
+  - Format: KQL
+    Skills:
+      - Name: GetASREventsByCategory
+        DisplayName: Get ASR Events By Category
+        Description: Fetches a count of ASR events grouped by category and day
+        ExamplePrompt:
+        - 'Attack Surface Reduction Event Category'
+        - 'ASR Event Category'
+        - 'ASR Email Events'
+        - 'ASR Script Events'
+        - 'ASR WMI Events'
+        - 'ASR Office App Events'
+        - 'ASR 3rd Party App Events'
+        - 'ASR Windows Credentials Events'
+        - 'ASR Polymorphic Threats Events'
+        - 'Get a count of the Attack Surface Reduction events grouped by category and day from the last 30 days'
+        - 'Get a count of the Attack Surface Reduction events grouped by category and day from the past 48 hours'
+        - 'Fetch a count of the ASR events grouped by category and day from the last 30 days'
+        - 'Fetch a count of the ASR events grouped by category and day from the past 48 hours'
+        - 'List the ASR events grouped by category and day from the last 30 days'
+        - 'List the ASR events grouped by category and day from the past 48 hours'
+        Inputs:
+          - Name: hourorday
+            Description: hours (h) or days (d)
+            Required: false
+            DefaultValue: d
+          - Name: unit
+            Description: number of hours or days
+            Required: false
+            DefaultValue: 7
+        Settings:
+          Target: Defender
+          Template: |-
+            DeviceEvents
+            | where Timestamp >= ago({{unit}}{{hourorday}})
+            | where ActionType startswith "asr"
+            | summarize Email = countif(ActionType in ("AsrExecutableEmailContentBlocked", "AsrOfficeCommAppChildProcessBlocked")), Script = countif(ActionType in ("AsrObfuscatedScriptBlocked", "AsrScriptExecutableDownloadBlocked")), WMI = countif(ActionType in ("AsrPersistenceThroughWmiBlocked", "AsrPsexecWmiChildProcessBlocked")), OfficeApp = countif(ActionType in ("AsrOfficeChildProcessBlocked", "AsrOfficeMacroWin32ApiCallsBlocked", "AsrExecutableOfficeContentBlocked", "AsrOfficeProcessInjectionBlocked")), 3rdPartyApp = countif(ActionType == "AsrAdobeReaderChildProcessBlocked"), WindowsCredentials = countif(ActionType == "AsrLsassCredentialTheftBlocked"), PolymorphicThreats = countif(ActionType in ("AsrUntrustedExecutableBlocked", "AsrUntrustedUsbProcessBlocked", "AsrRansomwareBlocked", "AsrVulnerableSignedDriverBlocked")) by bin(Timestamp, 1d)
+            | sort by Timestamp
diff --git a/...fender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/Readme.md b/...fender XDR Custom Plugin Scenarios/MDE Attack Surface Reduction (ASR)/Readme.md
@@ -0,0 +1,44 @@
+# Copilot for Security Plugin: MDE Attack Surface Reduction (ASR)
+
+### **This KQL plugin enables SOC analysts and engineers to get insights about ASR rules in their environment based on the Defender for Endpoint DeviceEvents table.**
+
+### Pre-requisites
+
+-   [Copilot for Security enabled](https://learn.microsoft.com/en-us/security-copilot/get-started-security-copilot#onboarding-to-microsoft-security-copilot)
+-   [Access to upload custom plugins](https://learn.microsoft.com/en-us/security-copilot/manage-plugins?tabs=securitycopilotplugin#managing-custom-plugins)
+-   [Attack Surface Reduction rules enabled](https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction#configure-attack-surface-reduction-capabilities)
+
+### Instructions
+
+#### Upload the Custom Plugin
+
+1.  Obtain the file MDE_Attack_Surface_Reduction.yaml from this directory.
+2.  Upload the custom plugin
+
+### Plugin Utilisation
+
+#### Skills
+
+- **GetASREventCountWithinTimeframe**: Fetches a count of ASR events within the specified timeframe
+- **GetASREventsForDevice**: Fetches a count of ASR events for a specified device name or device ID
+- **GetASREventsForFile**: Fetches a count of ASR events for a specified file name
+- **GetASRBlockedEvents**: Fetches a count of the top 25 ASR blocked events
+- **GetASRAuditedEvents**: Fetches a count of the top 25 ASR audited events
+- **GetASREventsByCategory**: Fetches a count of ASR events grouped by category and day
+
+#### Example Prompts
+
+- Get a count of the ASR events from the past 24 hours
+- Fetch a count of the Attack Surface Reduction events seen on device DEVICENAME in the past 7 days
+- List the count of ASR events for file FILENAME.EXE in the past 24 hours
+- Get a count of the blocked ASR events from the past 7 days
+- Fetch a count of the audited Attack Surface Reduction events from the past 24 hours
+- List the ASR events grouped by category and day from the past 48 hours
+- Get a count of the Attack Surface Reduction events grouped by category and day from the last 30 days
+
+#### Example Usage
+
+1. A desktop engineer is drafting a report for senior leadership about the organisation’s attack surface.
+2. The GetASREventCountWithinTimeframe skill is used to get a summary of the ASR rules that were triggered over the past 30 days.
+3. The Microsoft Defender Threat Intelligence (MDTI) plugin is used to get context about the tactics, techniques and procedures (TTPs) that the ASR rules will protect against.
+4. The Generic plugin is used to summarise the previous prompts and provide recommendations about which ASR audit rules should be switched to blocked.