diff --git a/plugins/MicrosoftDefender/v1/configValidation.json b/plugins/MicrosoftDefender/v1/configValidation.json
new file mode 100644
index 0000000..45cb26a
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/configValidation.json
@@ -0,0 +1,13 @@
+{
+ "steps": [
+ {
+ "displayName": "API Access",
+ "dataStream": {
+ "name": "validation"
+ },
+ "success": "Successfully connected to Endpoint",
+ "error": "Cannot access the Endpoint API - check your client ID, secret and permissions.",
+ "required": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/custom_types.json b/plugins/MicrosoftDefender/v1/custom_types.json
new file mode 100644
index 0000000..e7aa71f
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/custom_types.json
@@ -0,0 +1,9 @@
+[
+ {
+ "name": "device",
+ "sourceType": "device",
+ "icon": "server",
+ "singular": "Device",
+ "plural": "Devices"
+ }
+]
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json b/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json
new file mode 100644
index 0000000..dbef7fe
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json
@@ -0,0 +1,76 @@
+{
+ "name": "Vulnerabilities",
+ "displayName": "Vulnerabilities",
+ "baseDataSourceName": "httpRequestScoped",
+ "config": {
+ "httpMethod": "post",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "runHuntingQuery",
+ "postBody": {
+ "Query": "DeviceTvmSoftwareVulnerabilities | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}})",
+ "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
+ },
+ "pathToData": "results",
+ "getArgs": [],
+ "headers": []
+ },
+ "metadata": [
+ {
+ "name": "CveGuide",
+ "displayName": "Cve Id",
+ "valueExpression": "{{ $['CveId'] ? `https://msrc.microsoft.com/update-guide/vulnerability/${$['CveId']}` : '' }}",
+ "formatExpression": "{{ $['CveId'] }}",
+ "shape": "url",
+ "computed": true
+ },
+ {
+ "name": "CveId",
+ "displayName": "CVE Id",
+ "shape": "string",
+ "visible": false,
+ "role": "label"
+ },
+ {
+ "name": "VulnerabilitySeverityLevel",
+ "displayName": "Severity",
+ "shape": "string",
+ "role": "label"
+ },
+ {
+ "name": "SoftwareName",
+ "displayName": "Affected Software",
+ "shape": "string",
+ "role": "label"
+ },
+ {
+ "name": "CveTags",
+ "displayName": "Tags",
+ "shape": "string",
+ "role": "label"
+ },
+ {
+ "sourceId": "DeviceId",
+ "name": "DeviceName",
+ "shape": "string",
+ "visible": false,
+ "role": "label",
+ "sourceType": "device"
+ }
+ ],
+ "matches": {
+ "sourceType": {
+ "type": "equals",
+ "value": "device"
+ }
+ },
+ "timeframes": false,
+ "providesPluginDiagnostics": true,
+ "objectLimit": 1,
+ "tags": []
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json b/plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json
new file mode 100644
index 0000000..65ef643
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json
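Review bot: The `valueExpression` of the `CveGuide` column interpolates `$['CveId']` into the msrc URL with no encoding, so a CveId containing `/`, `?` or `#` would change the path or query of the link; if the expression engine exposes it, `${encodeURIComponent($['CveId'])}` would confine the value to one path segment, otherwise the `url` shape should only be emitted for values that match the CVE id pattern. The `Query` in `postBody` likewise wraps `o.deviceid` in double quotes without escaping, which is only safe while device ids come from the plugin's own `listDevices` stream; a `description` entry recording that assumption (secureScoreHistory.json in this commit shows the key) would help the next maintainer. Minor: `displayName` is `Cve Id` on this column and `CVE Id` on the hidden `CveId` column — pick one.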
@@ -0,0 +1,51 @@
+{
+ "name": "advancedHuntingQuery",
+ "displayName": "Advanced Hunting Query",
+ "baseDataSourceName": "httpRequestUnscoped",
+ "config": {
+ "httpMethod": "post",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "runHuntingQuery",
+ "postBody": {
+ "Query": "{{query}}",
+ "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
+ },
+ "pathToData": "results",
+ "getArgs": [],
+ "headers": []
+ },
+ "timeframes": [
+ "last1hour",
+ "last12hours",
+ "last24hours",
+ "last7days",
+ "last30days",
+ "thisMonth",
+ "thisQuarter",
+ "thisYear",
+ "lastMonth",
+ "lastQuarter",
+ "lastYear"
+ ],
+ "supportsNoneTimeframe": true,
+ "providesPluginDiagnostics": true,
+ "manualConfigApply": true,
+ "tags": [],
+ "ui": [
+ {
+ "name": "query",
+ "language": "kusto",
+ "label": "Query",
+ "type": "code",
+ "validation": {
+ "required": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/alerts.json b/plugins/MicrosoftDefender/v1/dataStreams/alerts.json
new file mode 100644
index 0000000..9b6fd0c
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/alerts.json
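Review bot: This stream has no `description`, yet it is the one place where operator-typed KQL from the `query` control is sent verbatim to `runHuntingQuery` under the plugin's credentials; secureScoreHistory.json in this commit shows the key, so something like `"description": "Runs the supplied Advanced Hunting (KQL) query as-is with the configured application's permissions"` would make that visible in the stream picker. The `Timespan` expression resolves to an empty string when the timeframe is `none` — confirm the API accepts `""` rather than requiring the key to be absent, since the same expression is reused in Vulnerabilities.json and recommendations.json.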
@@ -0,0 +1,217 @@ +{ + "name": "alerts", + "displayName": "Alerts", + "baseDataSourceName": "httpRequestUnscoped", + "config": { + "httpMethod": "get", + "errorHandling": { + "type": "default" + }, + "paging": { + "mode": "nextUrl", + "pageSize": { + "realm": { + "value": "none", + "label": "none" + } + }, + "in": { + "realm": { + "value": "payload", + "label": "payload" + }, + "path": "@odata.nextLink" + } + }, + "expandInnerObjects": true, + "endpointPath": "alerts_v2", + "pathToData": "value", + "getArgs": [ + { + "key": "$filter", + "value": "{{ status && status.length > 0 ? \"(status eq \" + status.map((m) => { return `'${m}'` }).join(\" or status eq \") + \") and \" : \"\" }}{{ severity && severity.length > 0 ? \"(severity eq \" + severity.map((m) => { return `'${m}'` }).join(\" or severity eq \") + \") and \" : \"\" }}{{timeframe.enum !== \"none\" ? timeframeCol + \" ge \" + timeframe.start + \" and \" + timeframeCol + \" le \" + timeframe.end : \"1 eq 1\"}}" + } + ], + "headers": [] + }, + "metadata": [ + { + "name": "title", + "displayName": "Alert Name", + "shape": "string", + "role": "label" + }, + { + "name": "systemTags", + "displayName": "System Tags", + "shape": "string", + "role": "label" + }, + { + "name": "severity", + "displayName": "Severity", + "shape": "string", + "role": "label" + }, + { + "name": "status", + "displayName": "Status", + "shape": "string", + "role": "label" + }, + { + "name": "category", + "displayName": "Category", + "shape": "string", + "role": "label" + }, + { + "name": "detectionSource", + "displayName": "Detection Source", + "shape": "string", + "role": "label" + }, + { + "name": "firstActivityDateTime", + "displayName": "First Activity", + "shape": "date", + "role": "label" + }, + { + "name": "lastActivityDateTime", + "displayName": "Last Activity", + "shape": "date", + "role": "label" + }, + { + "name": "classification", + "displayName": "Classification", + "shape": "string", + "role": "label" + }, + { + "name": 
"determination", + "displayName": "Determination", + "shape": "string", + "role": "label" + }, + { + "name": "assignedTo", + "displayName": "Assigned To", + "shape": "string", + "role": "label" + } + ], + "timeframes": [ + "last1hour", + "last12hours", + "last24hours", + "last7days", + "last30days", + "thisMonth", + "thisQuarter", + "thisYear", + "lastMonth", + "lastQuarter", + "lastYear" + ], + "supportsNoneTimeframe": true, + "manualConfigApply": true, + "providesPluginDiagnostics": true, + "tags": [], + "ui": [ + { + "name": "severity", + "label": "Severity", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": "low", + "label": "Low" + }, + { + "value": "medium", + "label": "Medium" + }, + { + "value": "high", + "label": "High" + }, + { + "value": "informational", + "label": "Informational" + }, + { + "value": "unknown", + "label": "Unknown" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + } + ] + }, + "isClearable": true + }, + { + "name": "status", + "label": "Status", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": "newAlert", + "label": "New" + }, + { + "value": "inProgress", + "label": "In Progress" + }, + { + "value": "resolved", + "label": "Resolved" + }, + { + "value": "unknown", + "label": "Unknown" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + } + ] + }, + "isClearable": true + }, + { + "tileEditorStep": ["Timeframe"], + "isMulti": false, + "help": "Select the column to apply the timeframe", + "data": { + "source": "fixed", + "values": [ + { + "value": "createdDateTime", + "label": "Creation Time" + }, + { + "value": "lastActivityDateTime", + "label": "Last Activity Time" + }, + { + "value": "lastUpdateDateTime", + "label": "Last Update Time" + } + ] + }, + "defaultValue": "createdDateTime", + "name": "timeframeCol", + "label": "Timeframe Column", + "type": "autocomplete", + "isClearable": false + } + ] +} \ No 
newline at end of file diff --git a/plugins/MicrosoftDefender/v1/dataStreams/devices.json b/plugins/MicrosoftDefender/v1/dataStreams/devices.json new file mode 100644 index 0000000..700b970 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/dataStreams/devices.json 
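Review bot: The `$filter` value in `getArgs` builds OData by string concatenation, quoting each `status`/`severity` selection as `'${m}'` without escaping and splicing `timeframeCol` in unquoted; this is only safe because every one of those controls is `"source": "fixed"` with `"type": "autocomplete"`, and nothing in the file records that dependency. If a later edit makes a control free-text the filter becomes injectable, so either add a `description` stating that the controls must stay fixed-list, or escape the value inside the map with `` `'${m.replace(/'/g, "''")}'` `` (OData doubles single quotes). The same expression appears verbatim in incidents.json and needs the same treatment. Separately, the `severity` options offer `unknown` and `unknownFutureValue` as filter choices, which are enum sentinels rather than values an operator would filter on — keep them only if the platform needs the full enum listed.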
@@ -0,0 +1,140 @@ +{ + "name": "devices", + "displayName": "Devices", + "baseDataSourceName": "httpRequestScoped", + "config": { + "httpMethod": "post", + "errorHandling": { + "type": "default" + }, + "paging": { + "mode": "none" + }, + "expandInnerObjects": true, + "endpointPath": "runHuntingQuery", + "postBody": { + "Query": "DeviceInfo | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}}) | summarize arg_max(Timestamp, *) by DeviceId" + }, + "pathToData": "results", + "getArgs": [], + "headers": [] + }, + "metadata": [ + { + "sourceId": "DeviceId", + "name": "DeviceName", + "displayName": "Device Name", + "shape": "string", + "role": "label", + "sourceType": "device" + }, + { + "name": "PublicIP", + "displayName": "IP", + "shape": "string", + "role": "label" + }, + { + "name": "AssetValue", + "displayName": "Criticality", + "shape": "string", + "role": "label" + }, + { + "name": "DeviceCategory", + "displayName": "Device Category", + "shape": "string", + "role": "label" + }, + { + "name": "DeviceType", + "displayName": "Device Type", + "shape": "string", + "role": "label" + }, + { + "name": "DnsDomain", + "displayName": "Domain", + "shape": "string", + "role": "label" + }, + { + "name": "AadDeviceId", + "displayName": "Device AAD Id", + "shape": "string", + "role": "label" + }, + { + "name": "OSPlatform", + "displayName": "OS Platform", + "shape": "string", + "role": "label" + }, + { + "name": "OSVersion", + "displayName": "OS Version", + "shape": "string", + "role": "label" + }, + { + "name": "SensorHealthState", + "displayName": "Sensor Health State", + "shape": "string", + "role": "label" + }, + { + "name": "OnboardingStatus", + "displayName": "Onboarding Status", + "shape": "string", + "role": "label" + }, + { + "name": "Timestamp", + "displayName": "Last Device Update", + "shape": "string", + "role": "label" + }, + { + "name": "DeviceManualTags", + "displayName": "Device Manual Tags", + "shape": "string", + "role": "label" + 
}, + { + "name": "DeviceDynamicTags", + "displayName": "Device Dynamic Tags", + "shape": "string", + "role": "label" + }, + { + "shape": [ + "state", + { + "map": { + "unmonitored": [], + "unknown": [], + "error": [ + "High" + ], + "warning": [ + "Medium" + ], + "success": [ + "Low" + ] + } + } + ], + "name": "ExposureLevel" + } + ], + "matches": { + "sourceType": { + "type": "equals", + "value": "device" + } + }, + "timeframes": false, + "providesPluginDiagnostics": true, + "tags": [] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/dataStreams/incidents.json b/plugins/MicrosoftDefender/v1/dataStreams/incidents.json new file mode 100644 index 0000000..a852693 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/dataStreams/incidents.json 
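Review bot: `Timestamp` is declared with `"shape": "string"` here while the same column in recommendations.json is `"shape": "date"`, and the deviceStatus dashboard shows it as "Last Seen"; unless the platform needs the raw string here, `"shape": "date"` keeps the two streams consistent and gives the dashboard a real date. The `ExposureLevel` state map lists `unmonitored` and `unknown` with empty arrays, so any value outside `High`/`Medium`/`Low` falls through to whatever the platform does for an unmapped state — presumably unknown, but worth confirming and documenting in a `description`. The `Query` interpolates `o.deviceid` with the same unescaped quoting as Vulnerabilities.json and recommendations.json; it is safe only while the ids come from `listDevices`.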
@@ -0,0 +1,220 @@ +{ + "name": "incidents", + "displayName": "Incidents", + "baseDataSourceName": "httpRequestUnscoped", + "config": { + "httpMethod": "get", + "errorHandling": { + "type": "default" + }, + "paging": { + "mode": "nextUrl", + "pageSize": { + "realm": { + "value": "none", + "label": "None" + } + }, + "in": { + "realm": { + "value": "payload", + "label": "Body" + }, + "path": "@odata.nextLink" + } + }, + "expandInnerObjects": true, + "endpointPath": "incidents", + "pathToData": "value", + "getArgs": [ + { + "key": "$filter", + "value": "{{ status && status.length > 0 ? \"(status eq \" + status.map((m) => { return `'${m}'` }).join(\" or status eq \") + \") and \" : \"\" }}{{ severity && severity.length > 0 ? \"(severity eq \" + severity.map((m) => { return `'${m}'` }).join(\" or severity eq \") + \") and \" : \"\" }}{{timeframe.enum !== \"none\" ? timeframeCol + \" ge \" + timeframe.start + \" and \" + timeframeCol + \" le \" + timeframe.end : \"1 eq 1\"}}" + } + ], + "headers": [] + }, + "metadata": [ + { + "name": "displayName", + "displayName": "Incident name", + "shape": "string", + "role": "label" + }, + { + "name": "id", + "displayName": "Incident id", + "shape": "string", + "role": "label" + }, + { + "name": "priorityScore", + "displayName": "Priority score", + "shape": "number" + }, + { + "name": "customTags", + "displayName": "Tags", + "shape": "string", + "role": "label" + }, + { + "name": "severity", + "displayName": "Severity", + "shape": "string", + "role": "label" + }, + { + "name": "lastUpdateDateTime", + "displayName": "Last update time", + "shape": "date", + "role": "label" + }, + { + "name": "status", + "displayName": "Status", + "shape": "string", + "role": "label" + }, + { + "name": "assignedTo", + "displayName": "Assigned to", + "shape": "string", + "role": "label" + }, + { + "name": "classification", + "displayName": "Classification", + "shape": "string", + "role": "label" + }, + { + "name": "determination", + "displayName": 
"Determination", + "shape": "string", + "role": "label" + }, + { + "name": "createdDateTime", + "displayName": "Creation time", + "shape": "date", + "role": "label" + } + ], + "timeframes": [ + "last1hour", + "last12hours", + "last24hours", + "last7days", + "last30days", + "thisMonth", + "thisQuarter", + "thisYear", + "lastMonth", + "lastQuarter", + "lastYear" + ], + "supportsNoneTimeframe": true, + "providesPluginDiagnostics": true, + "manualConfigApply": true, + "tags": [], + "ui": [ + { + "name": "severity", + "label": "Severity", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": "low", + "label": "Low" + }, + { + "value": "medium", + "label": "Medium" + }, + { + "value": "high", + "label": "High" + }, + { + "value": "unknown", + "label": "Unknown" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + }, + { + "value": "new", + "label": "New" + }, + { + "value": "informational", + "label": "Informational" + } + ] + }, + "isClearable": true + }, + { + "name": "status", + "label": "Status", + "type": "autocomplete", + "data": { + "source": "fixed", + "values": [ + { + "value": "active", + "label": "Active" + }, + { + "value": "resolved", + "label": "Resolved" + }, + { + "value": "inProgress", + "label": "In Progress" + }, + { + "value": "redirected", + "label": "Redirected" + }, + { + "value": "unknownFutureValue", + "label": "Unknown Future Value" + }, + { + "value": "awaitingAction", + "label": "Awaiting Action" + } + ] + }, + "isClearable": true + }, + { + "tileEditorStep": ["Timeframe"], + "isMulti": false, + "help": "Select the column to apply the timeframe", + "data": { + "source": "fixed", + "values": [ + { + "value": "createdDateTime", + "label": "Creation Time" + }, + { + "value": "lastUpdateDateTime", + "label": "Last Update Time" + } + ] + }, + "defaultValue": "createdDateTime", + "name": "timeframeCol", + "label": "Timeframe Column", + "type": "autocomplete", + "isClearable": false + } + ] 
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/listDevices.json b/plugins/MicrosoftDefender/v1/dataStreams/listDevices.json
new file mode 100644
index 0000000..4cb0ffc
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/listDevices.json
@@ -0,0 +1,29 @@
+{
+ "name": "listDevices",
+ "displayName": "List Devices",
+ "baseDataSourceName": "httpRequestUnscoped",
+ "config": {
+ "httpMethod": "post",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "runHuntingQuery",
+ "postBody": {
+ "Query": "DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId"
+ },
+ "pathToData": "results",
+ "getArgs": [],
+ "headers": []
+ },
+ "providesPluginDiagnostics": true,
+ "manualConfigApply": true,
+ "timeframes": false,
+ "tags": [],
+ "visibility": {
+ "type": "hidden"
+ }
+}
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json b/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json
new file mode 100644
index 0000000..3d22805
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json
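Review bot: The `severity` control's options include `"value": "new", "label": "New"`, which reads like a status rather than a severity; it matches none of the other severity values in this file or in alerts.json, and if the API's severity enum does not contain it the generated `severity eq 'new'` clause will return nothing or be rejected — confirm against the API and drop it if it was carried over from the status list. The paging `realm` labels are `None`/`Body` here but `none`/`payload` in alerts.json; pick one spelling. The `$filter` concatenation has the same unescaped quoting as alerts.json (noted there).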
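Review bot: This hidden, unscoped stream runs `DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId` with `"paging": { "mode": "none" }` and no `Timespan`, so the device inventory presumably rests on the hunting API's default lookback and row cap; in a large tenant the list may be silently partial, and a device missing here cannot be scoped by any of the scoped streams in this plugin. If those limits are known, a `description` stating them (for example `"description": "Device inventory from DeviceInfo; bounded by the Advanced Hunting result limit and default lookback"`) makes the dependency visible. If only the id and name are consumed downstream, a trailing `| project DeviceId, DeviceName` would also cut the payload.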
@@ -0,0 +1,116 @@ +{ + "name": "recommendations", + "displayName": "Recommendations", + "baseDataSourceName": "httpRequestScoped", + "config": { + "httpMethod": "post", + "errorHandling": { + "type": "default" + }, + "paging": { + "mode": "none" + }, + "expandInnerObjects": true, + "endpointPath": "runHuntingQuery", + "postBody": { + "Query": "DeviceTvmSecureConfigurationAssessment | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}}) | join kind=leftouter (DeviceTvmSecureConfigurationAssessmentKB) on ConfigurationId | project DeviceId, DeviceName, Timestamp, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationImpact, RiskDescription, RemediationOptions, IsApplicable, IsCompliant, Tags", + "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}" + }, + "pathToData": "results", + "getArgs": [], + "headers": [] + }, + "metadata": [ + { + "name": "RiskDescription", + "displayName": "Risk description", + "shape": "string", + "role": "label" + }, + { + "sourceId": "DeviceId", + "name": "DeviceName", + "displayName": "Device Name", + "shape": "string", + "role": "label", + "sourceType": "device" + }, + { + "name": "Timestamp", + "displayName": "Timestamp", + "shape": "date", + "role": "label" + }, + { + "name": "ConfigurationName", + "displayName": "Configuration Name", + "shape": "string", + "role": "label" + }, + { + "name": "ConfigurationImpact", + "displayName": "Configuration Impact", + "shape": "number", + "role": "value" + }, + { + "name": "count", + "displayName": "Count", + "shape": "number", + "role": "value" + }, + { + "name": "ConfigurationCategory", + "displayName": "Configuration Category", + "shape": "string", + "role": "label" + }, + { + "name": "ConfigurationSubcategory", + "displayName": "Configuration Subcategory", + "shape": "string", + "role": "label" + }, + { + "name": "RemediationOptions", + "displayName": "Remediation Options", + 
"shape": "string", + "role": "label" + }, + { + "name": "IsApplicable", + "displayName": "Is Applicable", + "shape": "number", + "role": "label" + }, + { + "name": "IsCompliant", + "displayName": "Is Compliant", + "shape": "number", + "role": "label" + } + ], + "matches": { + "sourceType": { + "type": "equals", + "value": "device" + } + }, + "timeframes": [ + "last1hour", + "last12hours", + "last24hours", + "last7days", + "last30days", + "thisMonth", + "thisQuarter", + "thisYear", + "lastMonth", + "lastQuarter", + "lastYear" + ], + "supportsNoneTimeframe": true, + "providesPluginDiagnostics": true, + "objectLimit": 1, + "tags": [] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/dataStreams/secureScoreHistory.json b/plugins/MicrosoftDefender/v1/dataStreams/secureScoreHistory.json new file mode 100644 index 0000000..653ed53 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/dataStreams/secureScoreHistory.json 
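Review bot: The metadata entry `"name": "count"` does not correspond to any column in the Query's `| project` list (DeviceId … Tags), so unless the platform synthesises a `count` column this row is dead; either drop it or add a `description` saying where it comes from. `IsApplicable` and `IsCompliant` are declared `"shape": "number"` with `"role": "label"`, while the recommendations dashboard in this commit filters them with the string values `"1"`/`"0"`; the three should agree on one representation — confirm what `runHuntingQuery` actually serialises for these columns. The `Query` interpolates `o.deviceid` unescaped, same as Vulnerabilities.json.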
@@ -0,0 +1,65 @@
+{
+ "name": "secureScoreHistory",
+ "displayName": "Secure Score History",
+ "description": "Retrieves the current tenant's Secure Score data from the past 90 days",
+ "baseDataSourceName": "httpRequestUnscoped",
+ "config": {
+ "httpMethod": "get",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "offset",
+ "pageSize": {
+ "realm": {
+ "value": "queryArg",
+ "label": "Query parameter"
+ },
+ "path": "$top",
+ "value": "100"
+ },
+ "offset": {
+ "rowCountIn": {
+ "realm": {
+ "value": "payloadArraySize",
+ "label": "Body array size"
+ },
+ "path": "value"
+ },
+ "mode": "row",
+ "base": "0"
+ },
+ "out": {
+ "realm": {
+ "value": "queryArg",
+ "label": "queryArg"
+ },
+ "path": "$skip"
+ }
+ },
+ "expandInnerObjects": false,
+ "endpointPath": "secureScores",
+ "pathToData": "value",
+ "getArgs": [],
+ "headers": []
+ },
+ "metadata": [
+ {
+ "name": "createdDateTime",
+ "displayName": "Created Date Time",
+ "shape": "date",
+ "role": "label"
+ },
+ {
+ "name": "currentScore",
+ "displayName": "Current Score",
+ "shape": "number"
+ },
+ {
+ "pattern": ".*"
+ }
+ ],
+ "providesPluginDiagnostics": true,
+ "timeframes": false,
+ "tags": []
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/validation.json b/plugins/MicrosoftDefender/v1/dataStreams/validation.json
new file mode 100644
index 0000000..de9e820
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/dataStreams/validation.json
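Review bot: The catch-all `{ "pattern": ".*" }` metadata entry admits every property of each secure-score record into the stream, including any nested arrays the API returns, while `"expandInnerObjects": false` leaves those as raw objects in the table; if only the two named columns are intended, drop the pattern, otherwise extend the `description` to say that all properties are passed through. The `out.realm.label` is the raw value `queryArg` whereas `pageSize.realm.label` just above is the human label `Query parameter`; these should match. The description promises "the past 90 days" but nothing in the config bounds the range, so that claim rests on the API's default and the text should say so.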
@@ -0,0 +1,31 @@
+{
+ "name": "validation",
+ "displayName": "Validation",
+ "baseDataSourceName": "httpRequestUnscoped",
+ "config": {
+ "httpMethod": "get",
+ "errorHandling": {
+ "type": "default"
+ },
+ "paging": {
+ "mode": "none"
+ },
+ "expandInnerObjects": true,
+ "endpointPath": "alerts",
+ "pathToData": "value",
+ "getArgs": [
+ {
+ "key": "$top",
+ "value": "1",
+ "needsEncryption": false
+ }
+ ],
+ "headers": []
+ },
+ "matches": "none",
+ "timeframes": false,
+ "providesPluginDiagnostics": true,
+ "visibility": {
+ "type": "hidden"
+ }
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/defaultContent/Devices/deviceStatus.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/Devices/deviceStatus.dash.json
new file mode 100644
index 0000000..f9097eb
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/defaultContent/Devices/deviceStatus.dash.json
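Review bot: The validation probe hits `"endpointPath": "alerts"` while the alerts stream in this commit reads `alerts_v2`, so the "API Access" step in configValidation.json passes or fails on a different endpoint than the one the plugin actually uses; the legacy and v2 alert endpoints are documented under separate permission scopes, so an app granted only the v2 permission would be reported as unable to connect, and the reverse would pass validation and then fail in the stream. Changing this line to `"endpointPath": "alerts_v2"` keeps the check aligned with the data it guards; if the legacy endpoint is deliberate, a `description` should say why.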
@@ -0,0 +1,374 @@ +{ + "name": "Device Status", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 0, + "y": 0, + "i": "98f315c5-f78d-48e9-842e-836d7d63098a", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Exposure Level", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "ExposureLevel", + "linkColumn": "DeviceName", + "labelColumn": "ExposureLevel[Expanded].rawState" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 1, + "y": 0, + "i": "0f59ed31-bbb4-472a-9220-4236f5c95018", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "devices", + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Inactive" + ], + "unmonitored": [], + "error": [ + "ImpairedCommunication", + "NoSensorData", + "Misconfigured" + ], + "success": [ + "Active" + ], + "unknown": [ + "Unknown" + ] + } + } + ], + "name": "SensorHealthState" + } + ], + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Sensor Health State", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "SensorHealthState", + "linkColumn": "DeviceName", + "labelColumn": "SensorHealthState" + } + } + } + } + 
}, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 2, + "y": 0, + "i": "05a21c56-984c-453e-a8c0-e55c651e1921", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "devices", + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Inactive" + ], + "unmonitored": [], + "error": [ + "ImpairedCommunication", + "NoSensorData", + "Misconfigured" + ], + "success": [ + "Active" + ], + "unknown": [ + "Unknown" + ] + } + } + ], + "name": "SensorHealthState" + } + ], + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Onboarding Status", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": "OnboardingStatus", + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 3, + "y": 0, + "i": "e5bc7690-9906-4600-a679-7de954d1dab2", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "devices", + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Inactive" + ], + "unmonitored": [], + "error": [ + "ImpairedCommunication", + "NoSensorData", + "Misconfigured" + ], + "success": [ + "Active" + ], + "unknown": [ + "Unknown" + ] + } + } + ], + "name": "SensorHealthState" + } + ], + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Last Seen", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + 
"value": "Timestamp", + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 4, + "x": 0, + "y": 3, + "i": "c6be8a43-3759-42bc-9a0e-4edcd654d044", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Device Attributes", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceCategory", + "DeviceType", + "AssetValue", + "OnboardingStatus" + ], + "hiddenColumns": [ + "Timestamp", + "DeviceName", + "PublicIP", + "OSPlatform", + "AadDeviceId", + "OSVersion", + "SensorHealthState", + "ExposureLevel", + "DeviceManualTags", + "DeviceDynamicTags", + "ExposureLevel[Expanded].rawState" + ], + "transpose": true + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 4, + "x": 2, + "y": 3, + "i": "4907e9c9-db39-4c9c-bd84-d14ad43c753d", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "devices", + "id": "{{dataStreams.devices}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Device Properties", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "PublicIP", + "OSPlatform", + "OSVersion" + ], + "hiddenColumns": [ + "Timestamp", + "DeviceName", + "AadDeviceId", + "OnboardingStatus", + "DeviceCategory", + "DeviceType", + "SensorHealthState", + "ExposureLevel", + 
"AssetValue", + "DeviceManualTags", + "DeviceDynamicTags", + "ExposureLevel[Expanded].rawState" + ], + "transpose": true + } + } + } + } + } + ], + "version": 29, + "columns": 4 + }, + "folderPath": ["Devices"], + "variables": [ + "{{variables.Device}}" + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/Devices/manifest.json b/plugins/MicrosoftDefender/v1/defaultContent/Devices/manifest.json new file mode 100644 index 0000000..f42d7f9 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/Devices/manifest.json @@ -0,0 +1,16 @@ +{ + "items": [ + { + "name": "deviceStatus", + "type": "dashboard" + }, + { + "name": "vulnerabilities", + "type": "dashboard" + }, + { + "name": "recommendations", + "type": "dashboard" + } + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/Devices/recommendations.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/Devices/recommendations.dash.json new file mode 100644 index 0000000..27282c3 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/Devices/recommendations.dash.json 
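Review bot: The `SensorHealthState` state-map override is pasted verbatim into three tiles (Sensor Health State, Onboarding Status and Last Seen), and the last two do not even display that column, so the copies only add drift risk; moving the map into the `metadata` of devices.json next to the existing `ExposureLevel` map would let every tile inherit it and shrink this file. The map treats `Inactive` as `warning` and `Unknown` as `unknown`, which is reasonable, but a `description` on the Sensor Health State tile naming the source of the mapping would help whoever updates it when the sensor states change.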
@@ -0,0 +1,273 @@ +{ + "name": "Recommendations", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 0, + "y": 0, + "i": "f753e7e8-812e-4524-8b28-e22c6f0b7a65", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "recommendations", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "IsApplicable", + "operation": "equals", + "value": "1" + }, + { + "column": "IsCompliant", + "operation": "equals", + "value": "0" + } + ] + }, + "id": "{{dataStreams.recommendations}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Active", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 1, + "y": 0, + "i": "b373bee3-288a-484a-9513-f97a0da2358a", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "recommendations", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "IsApplicable", + "operation": "equals", + "value": "1" + }, + { + "column": "IsCompliant", + "operation": "equals", + "value": "0" + } + ] + }, + "id": "{{dataStreams.recommendations}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "Active Recommendations", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Configuration Category", + "visualisation": { + "type": "data-stream-donut-chart", + "config": { + 
"data-stream-donut-chart": { + "valueColumn": "builtin_count_by_label", + "labelColumn": "ConfigurationCategory" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 2, + "y": 0, + "i": "2064c456-ed58-4cff-9b69-ab3b47d34726", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "recommendations", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "IsApplicable", + "operation": "equals", + "value": "1" + }, + { + "column": "IsCompliant", + "operation": "equals", + "value": "0" + } + ] + }, + "id": "{{dataStreams.recommendations}}", + "sort": { + "by": [ + [ + "ConfigurationImpact_uniqueValues", + "asc" + ] + ] + }, + "group": { + "by": [ + [ + "ConfigurationImpact", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + } + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "Active Recommendations", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Configuration Impact", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "default" + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "ConfigurationImpact_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": false, + "yAxisData": [], + "showYAxisLabel": false, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": false + } + } + } + } + }, + { + "static": false, + "w": 3, + "moved": false, + "h": 3, + "x": 0, + "y": 3, + "i": "2a620d25-e329-46b7-8614-80f5dba3eb50", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": 
"recommendations", + "id": "{{dataStreams.recommendations}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "List", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceName", + "Timestamp", + "ConfigurationName", + "ConfigurationCategory", + "ConfigurationSubcategory", + "ConfigurationImpact", + "RiskDescription", + "RemediationOptions", + "IsApplicable", + "IsCompliant" + ], + "hiddenColumns": [] + } + } + } + } + } + ], + "version": 19, + "columns": 3 + }, + "folderPath": ["Devices"], + "variables": [ + "{{variables.Device}}" + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/Devices/vulnerabilities.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/Devices/vulnerabilities.dash.json new file mode 100644 index 0000000..5f9e04f --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/Devices/vulnerabilities.dash.json 
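Review bot: The three counting tiles filter with `"column": "IsApplicable", "operation": "equals", "value": "1"` and `IsCompliant` equals `"0"`, while recommendations.json declares both columns `"shape": "number"`; if `runHuntingQuery` serialises these as JSON booleans the string comparison never matches and the "Active" count reads zero, so confirm the serialisation and align the filter values with the declared shape. The identical filter block is duplicated in three tiles and absent from the fourth ("List"), which therefore shows non-applicable and compliant rows alongside the active ones — if that is intended, the tile title should say so. A `description` on the dashboard noting that "Active" means applicable-and-non-compliant would make the filter's intent explicit.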
@@ -0,0 +1,309 @@ +{ + "name": "Vulnerabilities", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 0, + "y": 0, + "i": "ba3fec23-7b56-467a-968b-a3d7ac40131a", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "Vulnerabilities", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "VulnerabilitySeverityLevel", + "operation": "equals", + "value": "Critical" + } + ] + }, + "id": "{{dataStreams.Vulnerabilities}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Critical", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 1, + "y": 0, + "i": "616926fc-3f28-439e-9583-f0e457c52f25", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "Vulnerabilities", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "VulnerabilitySeverityLevel", + "operation": "equals", + "value": "High" + } + ] + }, + "id": "{{dataStreams.Vulnerabilities}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "High", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + 
"x": 2, + "y": 0, + "i": "4176c082-3de9-45c9-be46-3cf088dfa591", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "Vulnerabilities", + "filter": { + "multiOperation": "and", + "filters": [] + }, + "id": "{{dataStreams.Vulnerabilities}}", + "group": { + "by": [ + [ + "VulnerabilitySeverityLevel", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + } + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Severity", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "custom", + "customColors": [ + { + "color": "#88898C", + "expression": "label == \"Low\"" + }, + { + "color": "#E18700", + "expression": "label == \"Medium\"\n" + }, + { + "color": "#DE0038", + "expression": "label == \"High\"" + }, + { + "color": "#000000", + "expression": "label == \"Critical\"" + } + ] + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "VulnerabilitySeverityLevel_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": true, + "yAxisData": [], + "showYAxisLabel": false, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": false + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 3, + "y": 0, + "i": "5064ef8f-2179-4940-8bee-b5be1b3075f3", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "Vulnerabilities", + "filter": { + "multiOperation": "and", + "filters": [] + }, + "id": "{{dataStreams.Vulnerabilities}}", + "group": { + "by": [], + "aggregate": 
[] + } + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Affected Software", + "visualisation": { + "type": "data-stream-donut-chart", + "config": { + "data-stream-donut-chart": { + "valueColumn": "builtin_count_by_label", + "labelColumn": "SoftwareName" + } + } + } + } + }, + { + "static": false, + "w": 4, + "moved": false, + "h": 3, + "x": 0, + "y": 3, + "i": "5f9a4a61-733d-4581-983b-21357aaab840", + "z": 0, + "config": { + "timeframe": "none", + "variables": [ + "{{variables.Device}}" + ], + "dataStream": { + "name": "Vulnerabilities", + "id": "{{dataStreams.Vulnerabilities}}" + }, + "scope": { + "variable": "{{variables.Device}}", + "workspace": "{{workspaceId}}", + "scope": "{{scopes.Devices}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Vulnerabilities", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "SoftwareName", + "VulnerabilitySeverityLevel", + "CveTags", + "CveGuide" + ], + "hiddenColumns": [ + "DeviceName", + "CveId" + ] + } + } + } + } + } + ], + "version": 22, + "columns": 4 + }, + "folderPath": ["Devices"], + "variables": [ + "{{variables.Device}}" + ] +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/cockpit.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/cockpit.dash.json new file mode 100644 index 0000000..e943837 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/cockpit.dash.json 
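Review bot: The Severity bar chart's custom colour expression for Medium carries a trailing escaped newline, `"expression": "label == \"Medium\"\n"`, unlike the Low/High/Critical expressions beside it; whether Medium rows ever receive the `#E18700` colour depends on the expression evaluator trimming that character, so it should read `"expression": "label == \"Medium\""`. The 'Affected Software' donut tile also ships `"group": { "by": [], "aggregate": [] }` while the Severity tile groups explicitly, presumably because the donut's `builtin_count_by_label` does its own grouping — worth confirming, or dropping the empty group so the two tiles read the same way. Each JSON file visible in this commit also ends with `\ No newline at end of file`, which is worth fixing so later diffs stay clean.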
@@ -0,0 +1,747 @@ +{ + "name": "Cockpit", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 2, + "moved": false, + "h": 2, + "x": 0, + "y": 0, + "i": "fa1468d7-af16-4947-ba21-d6628350c862", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "secureScoreHistory", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "createdDateTime", + "unit": "days", + "operation": "datewithinlast", + "value": "1" + } + ] + }, + "id": "{{dataStreams.secureScoreHistory}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Current Secure Score", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": "currentScore", + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 2, + "x": 2, + "y": 0, + "i": "b32a8d16-cf6f-47d5-a93b-1169ef209f28", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "secureScoreHistory", + "filter": { + "multiOperation": "and", + "filters": [] + }, + "id": "{{dataStreams.secureScoreHistory}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Secure Score History", + "visualisation": { + "type": "data-stream-line-graph", + "config": { + "data-stream-line-graph": { + "showYAxisLabel": false, + "seriesColumn": "averageComparativeScores", + "showTrendLine": true, + "xAxisColumn": "createdDateTime", + "yAxisColumn": [ + "currentScore" + ], + "showXAxisLabel": false + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 2, + "x": 0, + "y": 2, + "i": "635e0de1-af29-4660-aa68-ddc5dd58e0c4", + "z": 0, + "config": { + "dataStream": { + "pluginConfigId": "{{configId}}", + "name": "devices", + "id": 
"{{dataStreams.devices}}", + "group": { + "by": [ + [ + "ExposureLevel", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + } + }, + "scope": { + "query": "g.V().order().by('__name').hasNot('__canonicalType').or(__.has(\"sourceType\", \"device\")).limit(500)", + "bindings": {}, + "queryDetail": {} + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Device Exposure State", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "custom", + "customColors": [ + { + "color": "#88898C", + "expression": "label == \"Unknown\"" + }, + { + "color": "#E18700", + "expression": "label == \"Warning\"" + }, + { + "color": "#DE0038", + "expression": "label == \"Error\"" + }, + { + "color": "#259A51", + "expression": "label == \"Success\"" + } + ] + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "ExposureLevel_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": true, + "yAxisData": [ + "count" + ], + "showYAxisLabel": false, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": false + } + } + } + } + }, + { + "static": false, + "w": 2, + "moved": false, + "h": 2, + "x": 2, + "y": 2, + "i": "4cf492d2-b288-43fb-a730-57875982e71a", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "incidents", + "dataSourceConfig": { + "timeframeCol": "createdDateTime", + "status": [ + "active" + ] + }, + "id": "{{dataStreams.incidents}}", + "group": { + "by": [ + [ + "severity", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Active Incidents", + 
"visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "custom", + "customColors": [ + { + "color": "#88898C", + "expression": "label == \"informational\"" + }, + { + "color": "#0075FF", + "expression": "label == \"low\"" + }, + { + "color": "#E18700", + "expression": "label == \"medium\"" + }, + { + "color": "#DE0038", + "expression": "label == \"high\"" + } + ] + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "severity_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": true, + "yAxisData": [ + "count" + ], + "showYAxisLabel": false, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": false + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 2, + "y": 4, + "i": "02439a74-6d88-49f7-abc5-3a4a19a32a72", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType startswith \"AppControl\"\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Application Control", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 3, + "y": 4, + "i": "118cffa0-90d8-42cf-9d13-5776a1ae47ce", + "z": 0, + "config": { + 
"dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType in (\"ExploitGuardNetworkProtectionBlocked\",\"ExploitGuardNonMicrosoftSignedBlocked\")\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Exploits", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 1, + "y": 4, + "i": "18116acd-6097-4b27-a0f3-9d8cee0c7611", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType in (\"UserAccountCreated\",\"ScheduledTaskCreated\",\"ScheduledTaskDeleted\",\"UserAccountModified\",\"UserAccountAddedToLocalGroup\")\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Persistence & Privilege Escalation", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + 
"x": 0, + "y": 4, + "i": "6aa1942a-8390-4023-9454-b5accc992f77", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType in (\"AntivirusDetection\",\"AntivirusDetectionCancelled\",\"AntivirusMalwareActionFailed\")\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Malware & Antivirus Detected", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 1, + "y": 6, + "i": "b94c9951-c17a-40b1-856f-f9a669d8ac44", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType in (\"UserAccountCreated\",\"ScheduledTaskCreated\",\"ScheduledTaskDeleted\",\"UserAccountModified\",\"UserAccountAddedToLocalGroup\")\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Persistence & Privilege Escalation", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceName_uniqueValues", + "count" + 
], + "hiddenColumns": [] + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 2, + "y": 6, + "i": "82ea55ee-eb36-4426-9ffc-a3af01c97297", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType startswith \"AppControl\"\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Application Control", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceName_uniqueValues", + "count" + ], + "hiddenColumns": [] + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 3, + "y": 6, + "i": "78729826-2fb5-4879-b90d-6be92c3cca55", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType in (\"ExploitGuardNetworkProtectionBlocked\",\"ExploitGuardNonMicrosoftSignedBlocked\")\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Exploits", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceName_uniqueValues", + "count" + ], + "hiddenColumns": [] + } + } + } + } + 
}, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 0, + "y": 6, + "i": "3b81144e-1593-4d20-a786-aa4341398f66", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceEvents\n| where ActionType in (\"AntivirusDetection\",\"AntivirusDetectionCancelled\",\"AntivirusMalwareActionFailed\")\n| project Timestamp, DeviceName, ActionType" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "count", + "desc" + ] + ] + }, + "group": { + "by": [ + [ + "DeviceName", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Malware & Antivirus Detected", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [], + "hiddenColumns": [] + } + } + } + } + } + ], + "version": 68, + "columns": 4 + } +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/devicesHealth.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/devicesHealth.dash.json new file mode 100644 index 0000000..e968dce --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/devicesHealth.dash.json 
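Review bot: The 'Device Exposure State' tile pins its scope to a raw Gremlin query ending in `.limit(500)`, so on a tenant with more than 500 device nodes the grouped counts silently cover only the first 500 in `__name` order with no hint of that on the tile; the Devices dashboards in this commit scope through `{{scopes.Devices}}` instead, and using that here (or at least stating the cap in the tile's empty `description`) would avoid the undercount. In the same tile the custom colours match `label == "Unknown"` / `"Warning"` / `"Error"` / `"Success"`, which only works if the `devices` stream (not visible here) already maps ExposureLevel to state names; if it emits the raw Low/Medium/High values, as the advancedHuntingQuery tiles in devicesHealth.dash.json do, none of the four expressions ever match. Finally, the 'Malware & Antivirus Detected' table at the end of the hunk has `"columnOrder": []` while its three sibling tables list `["DeviceName_uniqueValues", "count"]`, which looks like an oversight.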
@@ -0,0 +1,492 @@ +{ + "name": "Devices Health", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 0, + "y": 0, + "i": "17f5c681-d30b-4dfe-ad32-0b8ebbfadc5a", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceInfo\n| summarize arg_max(Timestamp, *) by DeviceId\n| where ExposureLevel in (\"High\")" + }, + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Medium" + ], + "unmonitored": [], + "error": [ + "High" + ], + "success": [], + "unknown": [ + "Unknown", + "Low" + ] + } + } + ], + "name": "ExposureLevel" + }, + { + "pattern": ".*" + } + ], + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "High Exposure", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 1, + "y": 0, + "i": "6fd231eb-57c4-4dd5-b242-37169d481380", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceInfo\n| summarize arg_max(Timestamp, *) by DeviceId\n| where ExposureLevel in (\"Medium\")" + }, + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Medium" + ], + "unmonitored": [], + "error": [ + "High" + ], + "success": [], + "unknown": [ + "Unknown", + "Low" + ] + } + } + ], + "name": "ExposureLevel" + }, + { + "pattern": ".*" + } + ], + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Medium Exposure", 
+ "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 2, + "y": 0, + "i": "dbfc745f-2a9e-4da0-a0a4-00b465d15382", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceTvmSoftwareVulnerabilities\n| where VulnerabilitySeverityLevel == \"Critical\"\n| summarize Count = count() by DeviceId, DeviceName, VulnerabilitySeverityLevel" + }, + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [], + "unmonitored": [], + "error": [ + "Critical" + ], + "success": [], + "unknown": [] + } + } + ], + "name": "VulnerabilitySeverityLevel" + }, + { + "pattern": ".*" + } + ], + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Critical Vulnerabilities", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 3, + "y": 0, + "i": "dae977f8-62ec-494e-96fd-4c52a40ffdc1", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceTvmSecureConfigurationAssessment\n| where IsApplicable == 1 and IsCompliant == 0\n| join kind=leftouter (\n DeviceTvmSecureConfigurationAssessmentKB\n | project ConfigurationId, ConfigurationImpact\n) on ConfigurationId\n| summarize FailingChecks = count(), AvgImpact = round(avg(ConfigurationImpact), 1) by DeviceId, DeviceName\n| sort by AvgImpact desc" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": 
"tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Non-Compliant Devices", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": { + "type": "count" + }, + "comparisonColumn": "none", + "label": "devices" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 0, + "y": 2, + "i": "330e04e3-66e2-4fc0-b039-68e98a5cea54", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceInfo\n| summarize arg_max(Timestamp, *) by DeviceId\n| where ExposureLevel in (\"High\")" + }, + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Medium" + ], + "unmonitored": [], + "error": [ + "High" + ], + "success": [], + "unknown": [ + "Unknown", + "Low" + ] + } + } + ], + "name": "ExposureLevel" + }, + { + "pattern": ".*" + } + ], + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "DeviceName", + "asc" + ] + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "High Exposure", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "ExposureLevel", + "linkColumn": "none", + "columns": 1, + "labelColumn": "DeviceName" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 1, + "y": 2, + "i": "7e0232af-99a7-4aab-8cac-de8fb32f5bb2", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceInfo\n| summarize arg_max(Timestamp, *) by DeviceId\n| where ExposureLevel in (\"Medium\")" + }, + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [ + "Medium" + ], + "unmonitored": [], + "error": [ + "High" + ], + "success": [], + "unknown": [ + "Unknown", + "Low" + ] + } + } + ], + 
"name": "ExposureLevel" + }, + { + "pattern": ".*" + } + ], + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "DeviceName", + "asc" + ] + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Medium Exposure", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "ExposureLevel", + "linkColumn": "none", + "columns": 1, + "labelColumn": "DeviceName" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 2, + "y": 2, + "i": "9c474d31-5530-47d6-9b7e-2b4f6240dbac", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": "DeviceTvmSoftwareVulnerabilities\n| where VulnerabilitySeverityLevel == \"Critical\"\n| summarize Count = count() by DeviceId, DeviceName, VulnerabilitySeverityLevel" + }, + "metadata": [ + { + "shape": [ + "state", + { + "map": { + "warning": [], + "unmonitored": [], + "error": [ + "Critical" + ], + "success": [], + "unknown": [] + } + } + ], + "name": "VulnerabilitySeverityLevel" + }, + { + "pattern": ".*" + } + ], + "id": "{{dataStreams.advancedHuntingQuery}}", + "sort": { + "by": [ + [ + "DeviceName", + "asc" + ] + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Critical Vulnerabilities", + "visualisation": { + "type": "data-stream-blocks", + "config": { + "data-stream-blocks": { + "stateColumn": "VulnerabilitySeverityLevel", + "linkColumn": "none", + "columns": 1, + "labelColumn": "DeviceId" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 3, + "y": 2, + "i": "2d5b3575-9c94-4578-9365-4b145bb0e505", + "z": 0, + "config": { + "dataStream": { + "name": "advancedHuntingQuery", + "dataSourceConfig": { + "query": 
"DeviceTvmSecureConfigurationAssessment\n| where IsApplicable == 1 and IsCompliant == 0\n| join kind=leftouter (\n DeviceTvmSecureConfigurationAssessmentKB\n | project ConfigurationId, ConfigurationImpact\n) on ConfigurationId\n| summarize FailingChecks = count(), AvgImpact = round(avg(ConfigurationImpact), 1) by DeviceId, DeviceName\n| sort by AvgImpact desc" + }, + "id": "{{dataStreams.advancedHuntingQuery}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Non-Compliant Devices", + "visualisation": { + "type": "data-stream-table", + "config": { + "data-stream-table": { + "columnOrder": [ + "DeviceName", + "FailingChecks", + "AvgImpact" + ], + "hiddenColumns": [ + "DeviceId", + "FailingChecks@odata.type" + ] + } + } + } + } + } + ], + "version": 74, + "columns": 4 + } +} \ No newline at end of file diff --git a/plugins/MicrosoftDefender/v1/defaultContent/incidents.dash.json b/plugins/MicrosoftDefender/v1/defaultContent/incidents.dash.json new file mode 100644 index 0000000..66922d7 --- /dev/null +++ b/plugins/MicrosoftDefender/v1/defaultContent/incidents.dash.json 
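Review bot: The 'Critical Vulnerabilities' blocks tile sets `"labelColumn": "DeviceId"` even though its query projects DeviceName and the two exposure blocks tiles beside it label by `DeviceName`, so each block will display a device GUID instead of a hostname; `"labelColumn": "DeviceName"` is almost certainly what was intended. The exposure state map used by four tiles in this file lists `"Low"` under `unknown` alongside `"Unknown"`, which renders a low-exposure device as an unknown state rather than `success`; if that is deliberate it deserves a sentence in the tile `description`, otherwise `"Low"` belongs in the `success` list. The same KQL text is also repeated verbatim between each scalar tile and its blocks/table counterpart, so any future query change has to be made twice — a maintainability note rather than a correctness one.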
@@ -0,0 +1,513 @@ +{ + "name": "Incidents", + "schemaVersion": "1.5", + "dashboard": { + "_type": "layout/grid", + "contents": [ + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 0, + "y": 0, + "i": "e3f824fc-1347-4f89-804c-6a303dd9a0b6", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "incidents", + "dataSourceConfig": { + "timeframeCol": "createdDateTime", + "status": [ + "active" + ] + }, + "id": "{{dataStreams.incidents}}", + "group": { + "by": [ + [ + "severity", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Active Incidents", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "custom", + "customColors": [ + { + "color": "#88898C", + "expression": "label == \"informational\"" + }, + { + "color": "#0075FF", + "expression": "label == \"low\"" + }, + { + "color": "#E18700", + "expression": "label == \"medium\"" + }, + { + "color": "#DE0038", + "expression": "label == \"high\"" + } + ] + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "severity_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": true, + "yAxisData": [ + "count" + ], + "showYAxisLabel": false, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": false + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 1, + "y": 0, + "i": "16aaf8ad-3716-4ebe-a7f5-0266e6dc43e3", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "incidents", + "filter": { + "multiOperation": "and", + "filters": [ + { + "column": "assignedTo", + "operation": "empty" + } + ] + }, + 
"dataSourceConfig": { + "timeframeCol": "createdDateTime", + "status": [ + "active" + ] + }, + "id": "{{dataStreams.incidents}}", + "group": { + "by": [ + [ + "assignedTo", + "uniqueValues" + ] + ], + "aggregate": [ + { + "type": "count" + } + ] + }, + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Unassigned Incidents", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "custom", + "customColors": [ + { + "color": "#88898C", + "expression": "label == \"informational\"" + }, + { + "color": "#0075FF", + "expression": "label == \"low\"" + }, + { + "color": "#E18700", + "expression": "label == \"medium\"" + }, + { + "color": "#DE0038", + "expression": "label == \"high\"" + } + ] + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "severity_uniqueValues", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": true, + "yAxisData": [ + "count" + ], + "showYAxisLabel": false, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": false + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 3, + "x": 2, + "y": 0, + "i": "60e82d47-1bac-4f2e-9092-5f4d3fecda1b", + "z": 0, + "config": { + "timeframe": "last30days", + "dataStream": { + "dataSourceConfig": { + "version": "2.0", + "tables": [ + { + "config": { + "timeframe": "last30days", + "activePluginConfigIds": [ + "{{configId}}" + ], + "dataStream": { + "name": "incidents", + "dataSourceConfig": { + "timeframeCol": "createdDateTime", + "status": [ + "resolved" + ] + }, + "id": "{{dataStreams.incidents}}", + "pluginConfigId": "{{configId}}" + } + }, + "tableName": "dataset1" + } + ], + "sql": "WITH\n \"time_diffs\" AS (\n SELECT\n \"id\",\n DATE_DIFF(\n 
'second',\n COALESCE(\"createdDateTime\", CURRENT_TIMESTAMP),\n COALESCE(\"lastUpdateDateTime\", CURRENT_TIMESTAMP)\n ) / 60 AS \"time_to_resolve_minutes\"\n FROM\n \"dataset1\"\n )\nSELECT\n AVG(\"time_to_resolve_minutes\") AS \"average_time_to_resolve_minutes\"\nFROM\n \"time_diffs\"" + }, + "metadata": [ + { + "shape": [ + "minutes", + { + "formatDuration": true, + "thousandsSeparator": true + } + ], + "name": "average_time_to_resolve_minutes" + }, + { + "pattern": ".*" + } + ], + "id": "datastream-sql" + }, + "scope": { + "query": "g.V().has('id', within(ids_eUAV7eEoSQHE0Wbi3Lh6))", + "bindings": { + "ids_eUAV7eEoSQHE0Wbi3Lh6": [ + "node-1dwkxV4HX7weIEfnX1SJ0yanRi4ZRTdjDSDUa-rb51OklLHaz1kod9h6nV" + ] + }, + "queryDetail": { + "ids": [ + "node-1dwkxV4HX7weIEfnX1SJ0yanRi4ZRTdjDSDUa-rb51OklLHaz1kod9h6nV" + ] + } + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "Average Time To Resolve", + "visualisation": { + "type": "data-stream-scalar", + "config": { + "data-stream-scalar": { + "value": "average_time_to_resolve_minutes", + "comparisonColumn": "none" + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 0, + "y": 3, + "i": "be10e34d-6f6c-4679-8588-b3f9f9a7ebac", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "incidents", + "id": "{{dataStreams.incidents}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "By Severity", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "custom", + "customColors": [ + { + "color": "#0075FF", + "expression": "label == \"informational\"" + }, + { + "color": "#88898C", + "expression": "label == \"low\"" + }, + { + "color": "#E18700", + "expression": "label == \"medium\"" + }, + { + "color": "#DE0038", + "expression": "label == 
\"high\"" + } + ] + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "severity", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": true, + "yAxisData": [], + "showYAxisLabel": true, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": true + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 1, + "y": 3, + "i": "0a957b15-b43c-4bb6-81d8-88a5db59ba7e", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "incidents", + "id": "{{dataStreams.incidents}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "By Status", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "default" + }, + "xAxisGroup": "none", + "showLegend": false, + "range": { + "type": "auto" + }, + "showGrid": true, + "grouping": false, + "displayMode": "actual", + "xAxisData": "status", + "showTotals": false, + "yAxisLabel": "", + "horizontalLayout": "vertical", + "showValue": true, + "yAxisData": [], + "showYAxisLabel": true, + "xAxisLabel": "", + "legendPosition": "bottom", + "showXAxisLabel": true + } + } + } + } + }, + { + "static": false, + "w": 1, + "moved": false, + "h": 2, + "x": 2, + "y": 3, + "i": "366eab62-bcdd-45cb-945e-6d247fb27bbc", + "z": 0, + "config": { + "timeframe": "none", + "dataStream": { + "name": "incidents", + "id": "{{dataStreams.incidents}}", + "pluginConfigId": "{{configId}}" + }, + "_type": "tile/data-stream", + "description": "", + "activePluginConfigIds": [ + "{{configId}}" + ], + "title": "By Priority Score", + "visualisation": { + "type": "data-stream-bar-chart", + "config": { + "data-stream-bar-chart": { + "color": { + "type": "default" + }, + "xAxisGroup": "none", 
+ "showLegend": false,
+ "range": {
+ "type": "auto"
+ },
+ "showGrid": true,
+ "grouping": false,
+ "displayMode": "actual",
+ "xAxisData": "priorityScore",
+ "showTotals": false,
+ "yAxisLabel": "",
+ "horizontalLayout": "vertical",
+ "showValue": false,
+ "yAxisData": [],
+ "showYAxisLabel": true,
+ "xAxisLabel": "",
+ "legendPosition": "bottom",
+ "showXAxisLabel": true
+ }
+ }
+ }
+ }
+ },
+ {
+ "static": false,
+ "w": 3,
+ "moved": false,
+ "h": 3,
+ "x": 0,
+ "y": 5,
+ "i": "1ee38916-e315-4cca-969d-ce93e9bbb228",
+ "z": 0,
+ "config": {
+ "timeframe": "none",
+ "dataStream": {
+ "name": "incidents",
+ "id": "{{dataStreams.incidents}}",
+ "pluginConfigId": "{{configId}}"
+ },
+ "_type": "tile/data-stream",
+ "description": "",
+ "activePluginConfigIds": [
+ "{{configId}}"
+ ],
+ "title": "List",
+ "visualisation": {
+ "type": "data-stream-table",
+ "config": {
+ "data-stream-table": {
+ "columnOrder": [
+ "id",
+ "tenantId",
+ "status",
+ "incidentWebUrl",
+ "redirectIncidentId",
+ "displayName",
+ "createdDateTime",
+ "lastUpdateDateTime",
+ "assignedTo",
+ "classification",
+ "determination",
+ "severity",
+ "description",
+ "lastModifiedBy",
+ "resolvingComment",
+ "summary",
+ "priorityScore",
+ "systemTags.0"
+ ],
+ "hiddenColumns": []
+ }
+ }
+ }
+ }
+ }
+ ],
+ "version": 39,
+ "columns": 3
+ }
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/defaultContent/manifest.json b/plugins/MicrosoftDefender/v1/defaultContent/manifest.json
new file mode 100644
index 0000000..0421509
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/defaultContent/manifest.json
@@ -0,0 +1,20 @@
+{
+ "items": [
+ {
+ "name": "cockpit",
+ "type": "dashboard"
+ },
+ {
+ "name": "devicesHealth",
+ "type": "dashboard"
+ },
+ {
+ "name": "incidents",
+ "type": "dashboard"
+ },
+ {
+ "name": "Devices",
+ "type": "folder"
+ }
+ ]
+}
\ No newline at end of file
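Review bot: The "Unassigned Incidents" tile (second tile of the hunk, the one with the `assignedTo` / `empty` filter) groups by `["assignedTo", "uniqueValues"]` but its bar chart reads `"xAxisData": "severity_uniqueValues"` and colours by severity labels, so the grouped rows carry no `severity_uniqueValues` column and the chart has nothing to plot once the filter has removed every row that has an assignee. It reads as a copy of the "Active Incidents" tile where only the filter was changed; the group key should stay on severity: `"by": [["severity", "uniqueValues"]]`. Separately, the "Average Time To Resolve" tile ships a `scope` pinned to an id captured from the authoring workspace (`"ids": ["node-1dwkxV4HX7weIEfnX1SJ0yanRi4ZRTdjDSDUa-rb51OklLHaz1kod9h6nV"]` with the matching `g.V().has('id', within(...))` query); that object will not exist in an installing tenant, so the tile's scope resolves to nothing, and default content should carry no scope (or a `{{...}}` placeholder) rather than a foreign object id. The same tile labels `lastUpdateDateTime - createdDateTime` as time-to-resolve; since resolved incidents can be updated after closure this is an upper bound, which the tile `description` should say.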
diff --git a/plugins/MicrosoftDefender/v1/defaultContent/scopes.json b/plugins/MicrosoftDefender/v1/defaultContent/scopes.json
new file mode 100644
index 0000000..f275fb4
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/defaultContent/scopes.json
@@ -0,0 +1,19 @@
+[
+ {
+ "name": "Devices",
+ "matches": {
+ "sourceType": {
+ "type": "oneOf",
+ "values": [
+ "device"
+ ]
+ }
+ },
+ "variable": {
+ "name": "Device",
+ "type": "object",
+ "default": "none",
+ "allowMultipleSelection": false
+ }
+ }
+]
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/icon.png b/plugins/MicrosoftDefender/v1/icon.png
new file mode 100644
index 0000000..a34e4d4
Binary files /dev/null and b/plugins/MicrosoftDefender/v1/icon.png differ
diff --git a/plugins/MicrosoftDefender/v1/indexDefinitions/default.json b/plugins/MicrosoftDefender/v1/indexDefinitions/default.json
new file mode 100644
index 0000000..b84def4
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/indexDefinitions/default.json
@@ -0,0 +1,29 @@
+{
+ "steps": [
+ {
+ "name": "Import Devices",
+ "dataStream": {
+ "name": "listDevices"
+ },
+ "timeframe": "none",
+ "objectMapping": {
+ "id": "DeviceId",
+ "name": "DeviceName",
+ "type": {
+ "value": "device"
+ },
+ "properties": [
+ "OSPlatform",
+ "OSProcessor",
+ "OSVersion",
+ "PublicIP",
+ "OSBuild",
+ "OSArchitecture",
+ {
+ "deviceid": "DeviceId"
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/metadata.json b/plugins/MicrosoftDefender/v1/metadata.json
new file mode 100644
index 0000000..1a20157
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/metadata.json
@@ -0,0 +1,43 @@
+{
+ "name": "microsoft-defender",
+ "displayName": "Microsoft Defender",
+ "version": "1.0.0",
+ "author": {
+ "name": "SquaredUp Labs",
+ "type": "labs"
+ },
+ "description": "Visualize Defender insights including advanced hunting, exposure, devices, and vulnerabilities.",
+ "category": "Monitoring",
+ "type": "hybrid",
+ "schemaVersion": "2.0",
+ "base": {
+ "plugin": "WebAPI",
+ "majorVersion": "1",
+ "config": {
+ "oauth2TokenExtraArgs": [
+ {
+ "value": "client_credentials",
+ "key": "grant_type"
+ },
+ {
+ "value": "https://graph.microsoft.com/.default",
+ "key": "scope"
+ }
+ ],
+ "oauth2ClientSecret": "{{clientSecret}}",
+ "oauth2ClientSecretLocationDuringAuth": "body",
+ "authMode": "oauth2",
+ "oauth2GrantType": "clientCredentials",
+ "baseUrl": "https://graph.microsoft.com/v1.0/security/",
+ "oauth2TokenExtraHeaders": [
+ {
+ "value": "application/x-www-form-urlencoded",
+ "key": "Content-Type"
+ }
+ ],
+ "oauth2TokenUrl": "https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token",
+ "oauth2ClientId": "{{clientId}}",
+ "oauth2Scope": "https://graph.microsoft.com/.default"
+ }
+ }
+}
\ No newline at end of file
diff --git a/plugins/MicrosoftDefender/v1/ui.json b/plugins/MicrosoftDefender/v1/ui.json
new file mode 100644
index 0000000..f06ad63
--- /dev/null
+++ b/plugins/MicrosoftDefender/v1/ui.json
@@ -0,0 +1,29 @@
+[
+ {
+ "type": "text",
+ "name": "tenantId",
+ "label": "Directory (tenant) ID",
+ "placeholder": "Enter a directory (tenant) ID",
+ "validation": {
+ "required": true
+ }
+ },
+ {
+ "type": "text",
+ "name": "clientId",
+ "label": "Application (client) ID",
+ "placeholder": "Enter an application (client) ID",
+ "validation": {
+ "required": true
+ }
+ },
+ {
+ "type": "password",
+ "name": "clientSecret",
+ "label": "Client secret",
+ "placeholder": "Enter a client secret",
+ "validation": {
+ "required": true
+ }
+ }
+]
\ No newline at end of file
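Review bot: `oauth2TokenExtraArgs` re-sends `grant_type=client_credentials` and `scope=https://graph.microsoft.com/.default` even though `"oauth2GrantType": "clientCredentials"` and `"oauth2Scope": "https://graph.microsoft.com/.default"` a few lines below already carry the same values, so the token request may end up with duplicated form fields depending on how the WebAPI base merges them; if the base emits them itself, the two extra args (and the hand-set `Content-Type` header) should be dropped so the token request has one source of truth. More important for operators: client-credentials against `/.default` obtains every application permission consented to on the registration, so this plugin silently inherits any write or privileged Graph permissions an admin has granted it. The `description` should state the minimum, read-only Graph application permissions the shipped data streams need so the registration is not over-granted, e.g. append `Requires an Entra app registration used with client credentials; grant only the read-only Microsoft Graph security/threat-hunting application permissions the included data streams call.` The exact permission names are not visible in this change and should be confirmed against the data-stream endpoints before being written into the text.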
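Review bot: `tenantId` and `clientId` are validated only with `"required": true`, yet `tenantId` is interpolated straight into the token URL path (`https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token` in metadata.json), so a pasted value containing `/`, `?` or whitespace sends the client secret to a different path on the login host instead of failing at configuration time. `clientId` is always a GUID, and `tenantId` is a GUID or a verified domain name, so a format check belongs in `validation` — for example `"pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"` on `clientId` and a pattern that allows only GUID or hostname characters on `tenantId`. Whether this form schema supports `pattern` cannot be confirmed from the change; if it does not, at least add a `help` line stating the expected GUID format so operators can spot a bad paste.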