From a0933d40b49b84f6ac0635b11c83329498abbe90 Mon Sep 17 00:00:00 2001 From: Johnny O'Neill <139136675+joneill-r7@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:24:13 +0000 Subject: [PATCH 1/3] SOAR-18473: Bump MS ATP to latest SDK image (#3016) --- plugins/microsoft_atp/.CHECKSUM | 6 +++--- plugins/microsoft_atp/Dockerfile | 2 +- plugins/microsoft_atp/bin/komand_microsoft_atp | 2 +- plugins/microsoft_atp/help.md | 3 ++- plugins/microsoft_atp/plugin.spec.yaml | 5 +++-- plugins/microsoft_atp/setup.py | 2 +- 6 files changed, 11 insertions(+), 9 deletions(-) diff --git a/plugins/microsoft_atp/.CHECKSUM b/plugins/microsoft_atp/.CHECKSUM index 7960d38bd5..e08785a4df 100644 --- a/plugins/microsoft_atp/.CHECKSUM +++ b/plugins/microsoft_atp/.CHECKSUM @@ -1,7 +1,7 @@ { - "spec": "934e6a0e86aaf3bfeaf24c22d52b2f4f", - "manifest": "4702833d54d4ebd07beee1e4ac146a61", - "setup": "b11db1dff4ae3bd168fabd3691c4fd78", + "spec": "b247f2cc2b894b70b8e6bc2d9f630077", + "manifest": "e15eee3183e32aca45667b79fbdca373", + "setup": "d291d680acf58e924d74b9baf70b537e", "schemas": [ { "identifier": "blacklist/schema.py", diff --git a/plugins/microsoft_atp/Dockerfile b/plugins/microsoft_atp/Dockerfile index 58dd84b2a0..739f8ff40d 100755 --- a/plugins/microsoft_atp/Dockerfile +++ b/plugins/microsoft_atp/Dockerfile @@ -1,4 +1,4 @@ -FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:6.1.2 +FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:6.2.2 LABEL organization=rapid7 LABEL sdk=python diff --git a/plugins/microsoft_atp/bin/komand_microsoft_atp b/plugins/microsoft_atp/bin/komand_microsoft_atp index 97b3d6658c..ffd45bc423 100755 --- a/plugins/microsoft_atp/bin/komand_microsoft_atp +++ b/plugins/microsoft_atp/bin/komand_microsoft_atp 
@@ -6,7 +6,7 @@ from sys import argv
 Name = "Microsoft Windows Defender ATP"
 Vendor = "rapid7"
-Version = "6.0.0"
+Version = "6.0.1"
 Description = "The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files"
diff --git a/plugins/microsoft_atp/help.md b/plugins/microsoft_atp/help.md
index 70de0cc911..4b55c70acd 100644
--- a/plugins/microsoft_atp/help.md
+++ b/plugins/microsoft_atp/help.md
@@ -1335,6 +1335,7 @@ Example output:
 # Version History
+* 6.0.1 - Update to latest SDK (v6.2.2) | Address vulnerabilities
 * 6.0.0 - Updated SDK to the latest version | Initial updates for fedramp compliance
 * 5.2.0 - Add new action: Update Alert
 * 5.1.0 - Adding the following as new action types to `blacklist` action ['Warn', 'Block', 'Audit'] | Add a new flag in the `blacklist` action to toggle generateAlerts flag | Bump SDK to version 5.4.9
@@ -1369,4 +1370,4 @@ Example output:
 ## References
 * [Windows Defender ATP API Start Page](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-apis)
-* [Windows Defender ATP API Endpoints](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-list)
+* [Windows Defender ATP API Endpoints](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-list)
\ No newline at end of file
diff --git a/plugins/microsoft_atp/plugin.spec.yaml b/plugins/microsoft_atp/plugin.spec.yaml
index c8504cb3e9..8326e3eda0 100644
--- a/plugins/microsoft_atp/plugin.spec.yaml
+++ b/plugins/microsoft_atp/plugin.spec.yaml
@@ -4,7 +4,7 @@ products: ["insightconnect"]
 name: microsoft_atp
 title: Microsoft Windows Defender ATP
 description: The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files
-version: 6.0.0
+version: 6.0.1
 connection_version: 6
 supported_versions: ["2024-05-21"]
 vendor: rapid7
@@ -27,7 +27,7 @@ hub_tags:
 features: []
 sdk:
 type: full
- version: 6.1.2
+ version: 6.2.2
 user: nobody
 links:
 - "[Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)"
@@ -35,6 +35,7 @@ references:
 - "[Windows Defender ATP API Start Page](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-apis)"
 - "[Windows Defender ATP API Endpoints](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-list)"
 version_history:
+ - "6.0.1 - Update to latest SDK (v6.2.2) | Address vulnerabilities"
 - "6.0.0 - Updated SDK to the latest version | Initial updates for fedramp compliance"
 - "5.2.0 - Add new action: Update Alert"
 - "5.1.0 - Adding the following as new action types to `blacklist` action ['Warn', 'Block', 'Audit'] | Add a new flag in the `blacklist` action to toggle generateAlerts flag | Bump SDK to version 5.4.9"
diff --git a/plugins/microsoft_atp/setup.py b/plugins/microsoft_atp/setup.py
index c63aca2c22..f68a98263e 100644
--- a/plugins/microsoft_atp/setup.py
+++ b/plugins/microsoft_atp/setup.py
@@ -3,7 +3,7 @@
 setup(name="microsoft_atp-rapid7-plugin",
- version="6.0.0",
+ version="6.0.1",
 description="The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files",
 author="rapid7",
 author_email="",
From e8e529f2568f9c089a06836fc7bacf319fc97b57 Mon Sep 17 00:00:00 2001 From: Johnny O'Neill <139136675+joneill-r7@users.noreply.github.com> Date: Mon, 13 Jan 2025 15:30:38 +0000 Subject: [PATCH 2/3] SOAR-18525: rename to defender for endpoint (#3043) --- plugins/microsoft_atp/.CHECKSUM | 6 +++--- plugins/microsoft_atp/bin/komand_microsoft_atp | 4 ++-- plugins/microsoft_atp/help.md | 12 ++++-------- plugins/microsoft_atp/plugin.spec.yaml | 8 +++++--- plugins/microsoft_atp/setup.py | 2 +- 5 files changed, 15 insertions(+), 17 deletions(-) diff --git a/plugins/microsoft_atp/.CHECKSUM b/plugins/microsoft_atp/.CHECKSUM index e08785a4df..e687647814 100644 --- a/plugins/microsoft_atp/.CHECKSUM +++ b/plugins/microsoft_atp/.CHECKSUM @@ -1,7 +1,7 @@ { - "spec": "b247f2cc2b894b70b8e6bc2d9f630077", - "manifest": "e15eee3183e32aca45667b79fbdca373", - "setup": "d291d680acf58e924d74b9baf70b537e", + "spec": "d157b791788b17b2b6d2de127320f5c1", + "manifest": "8f26bd28e949cfda8dfce9f0036777a3", + "setup": "9ceeb89f2b17b0f547706b3639287496", "schemas": [ { "identifier": "blacklist/schema.py", diff --git a/plugins/microsoft_atp/bin/komand_microsoft_atp b/plugins/microsoft_atp/bin/komand_microsoft_atp index ffd45bc423..a465bb1648 100755 --- a/plugins/microsoft_atp/bin/komand_microsoft_atp +++ b/plugins/microsoft_atp/bin/komand_microsoft_atp 
@@ -4,10 +4,10 @@ import os
 import json
 from sys import argv
-Name = "Microsoft Windows Defender ATP"
+Name = "Microsoft Defender for Endpoint"
 Vendor = "rapid7"
 Version = "6.0.1"
-Description = "The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files"
+Description = "The Microsoft Defender for Endpoint plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files"
 def main():
diff --git a/plugins/microsoft_atp/help.md b/plugins/microsoft_atp/help.md
index 4b55c70acd..ad1c520454 100644
--- a/plugins/microsoft_atp/help.md
+++ b/plugins/microsoft_atp/help.md
@@ -1,6 +1,6 @@
 # Description
-The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files
+The Microsoft Defender for Endpoint plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files
 # Key Features
@@ -21,10 +21,6 @@ The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConn
 ## Setup
-This plugin uses the Windows Defender ATP API. It will use an Azure application to connect to the API and run actions from InsightConnect.
-
-For information on how to setup your application and assign permissions go here:
-https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp
 The connection configuration accepts the following parameters:
 |Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
@@ -1330,12 +1326,12 @@ Example output: ## Troubleshooting - -*This plugin does not contain a troubleshooting.* + +* For information on how to setup your Azure application and assign permissions go [here](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) # Version History -* 6.0.1 - Update to latest SDK (v6.2.2) | Address vulnerabilities +* 6.0.1 - Update to latest SDK (v6.2.2) | Address vulnerabilities | Rebrand to `Microsoft Defender for Endpoint` * 6.0.0 - Updated SDK to the latest version | Initial updates for fedramp compliance * 5.2.0 - Add new action: Update Alert * 5.1.0 - Adding the following as new action types to `blacklist` action ['Warn', 'Block', 'Audit'] | Add a new flag in the `blacklist` action to toggle generateAlerts flag | Bump SDK to version 5.4.9 diff --git a/plugins/microsoft_atp/plugin.spec.yaml b/plugins/microsoft_atp/plugin.spec.yaml index 8326e3eda0..80943b9bc1 100644 --- a/plugins/microsoft_atp/plugin.spec.yaml +++ b/plugins/microsoft_atp/plugin.spec.yaml @@ -2,8 +2,8 @@ plugin_spec_version: v2 extension: plugin products: ["insightconnect"] name: microsoft_atp -title: Microsoft Windows Defender ATP -description: The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files +title: Microsoft Defender for Endpoint +description: The Microsoft Defender for Endpoint plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files version: 6.0.1 connection_version: 6 supported_versions: ["2024-05-21"] 
@@ -29,13 +29,15 @@ sdk:
 type: full
 version: 6.2.2
 user: nobody
+troubleshooting:
+ - "For information on how to setup your Azure application and assign permissions go [here](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp)"
 links:
 - "[Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)"
 references:
 - "[Windows Defender ATP API Start Page](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-apis)"
 - "[Windows Defender ATP API Endpoints](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-list)"
 version_history:
- - "6.0.1 - Update to latest SDK (v6.2.2) | Address vulnerabilities"
+ - "6.0.1 - Update to latest SDK (v6.2.2) | Address vulnerabilities | Rebrand to `Microsoft Defender for Endpoint`"
 - "6.0.0 - Updated SDK to the latest version | Initial updates for fedramp compliance"
 - "5.2.0 - Add new action: Update Alert"
 - "5.1.0 - Adding the following as new action types to `blacklist` action ['Warn', 'Block', 'Audit'] | Add a new flag in the `blacklist` action to toggle generateAlerts flag | Bump SDK to version 5.4.9"
diff --git a/plugins/microsoft_atp/setup.py b/plugins/microsoft_atp/setup.py
index f68a98263e..a8fe8250b0 100644
--- a/plugins/microsoft_atp/setup.py
+++ b/plugins/microsoft_atp/setup.py
@@ -4,7 +4,7 @@
 setup(name="microsoft_atp-rapid7-plugin",
 version="6.0.1",
- description="The Windows Defender Advanced Threat Protection plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files",
+ description="The Microsoft Defender for Endpoint plugin allows Rapid7 InsightConnect users to quickly take remediation actions across their organization. This plugin can isolate machines, run virus scans, and quarantine files",
 author="rapid7",
 author_email="",
 url="",
From af19b365a6dcc70f553a0248417c9bc66dc5f190 Mon Sep 17 00:00:00 2001
From: Johnny O'Neill <139136675+joneill-r7@users.noreply.github.com>
Date: Thu, 16 Jan 2025 10:04:30 +0000
Subject: [PATCH 3/3] SOAR-18525 - missed links in rename (#3049)
* SOAR-18525 - missed links in rename
* SOAR-18525 - use latest SDK
---
 plugins/microsoft_atp/.CHECKSUM | 2 +-
 plugins/microsoft_atp/Dockerfile | 2 +-
 plugins/microsoft_atp/help.md | 6 +++---
 plugins/microsoft_atp/plugin.spec.yaml | 8 ++++----
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/plugins/microsoft_atp/.CHECKSUM b/plugins/microsoft_atp/.CHECKSUM
index e687647814..8369b34dbf 100644
--- a/plugins/microsoft_atp/.CHECKSUM
+++ b/plugins/microsoft_atp/.CHECKSUM
@@ -1,5 +1,5 @@
 {
- "spec": "d157b791788b17b2b6d2de127320f5c1",
+ "spec": "a042dbc96e9aab3886c0463b573a4654",
 "manifest": "8f26bd28e949cfda8dfce9f0036777a3",
 "setup": "9ceeb89f2b17b0f547706b3639287496",
 "schemas": [
diff --git a/plugins/microsoft_atp/Dockerfile b/plugins/microsoft_atp/Dockerfile
index 739f8ff40d..47a10b508e 100755
--- a/plugins/microsoft_atp/Dockerfile
+++ b/plugins/microsoft_atp/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:6.2.2
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:6.2.3
 LABEL organization=rapid7
 LABEL sdk=python
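Review bot: The new `FROM` line pins the base image only by the mutable tag `6.2.3`, so a rebuild of this "Address vulnerabilities" release can silently pull different content if the tag is ever moved, and the image that was scanned is not provably the image that ships. Pin the digest alongside the tag, `FROM --platform=linux/amd64 rapid7/insightconnect-python-3-plugin:6.2.3@sha256:<digest-of-the-scanned-image>`, and refresh it with each SDK bump. The changelog line `Address vulnerabilities` in this series names no advisory or CVE, so nothing in the patch lets a reader confirm which findings the 6.2.2 → 6.2.3 base bump actually resolves; recording them in the version-history entry would make that auditable. Whether the SDK image tags are immutable in the registry cannot be determined from this diff.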
diff --git a/plugins/microsoft_atp/help.md b/plugins/microsoft_atp/help.md
index ad1c520454..0275f7cea8 100644
--- a/plugins/microsoft_atp/help.md
+++ b/plugins/microsoft_atp/help.md
@@ -1361,9 +1361,9 @@ Example output:
 # Links
-* [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* [Windows Defender for Endpoint](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint)
 ## References
-* [Windows Defender ATP API Start Page](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-apis)
-* [Windows Defender ATP API Endpoints](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-list)
\ No newline at end of file
+* [Windows Defender for Endpoint API Start Page](https://learn.microsoft.com/en-us/defender-endpoint/api/apis-intro)
+* [Windows Defender for Endpoint API Endpoints](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list)
\ No newline at end of file
diff --git a/plugins/microsoft_atp/plugin.spec.yaml b/plugins/microsoft_atp/plugin.spec.yaml
index 80943b9bc1..28e8056a99 100644
--- a/plugins/microsoft_atp/plugin.spec.yaml
+++ b/plugins/microsoft_atp/plugin.spec.yaml
@@ -27,15 +27,15 @@ hub_tags:
 features: []
 sdk:
 type: full
- version: 6.2.2
+ version: 6.2.3
 user: nobody
 troubleshooting:
 - "For information on how to setup your Azure application and assign permissions go [here](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp)"
 links:
- - "[Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)"
+ - "[Windows Defender for Endpoint](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint)"
 references:
- - "[Windows Defender ATP API Start Page](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-apis)"
- - "[Windows Defender ATP API Endpoints](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/exposed-apis-list)"
+ - "[Windows Defender for Endpoint API Start Page](https://learn.microsoft.com/en-us/defender-endpoint/api/apis-intro)"
+ - "[Windows Defender for Endpoint API Endpoints](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list)"
 version_history:
 - "6.0.1 - Update to latest SDK (v6.2.2) | Address vulnerabilities | Rebrand to `Microsoft Defender for Endpoint`"
 - "6.0.0 - Updated SDK to the latest version | Initial updates for fedramp compliance"
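Review bot: The `version_history` context line closing this hunk still reads `6.0.1 - Update to latest SDK (v6.2.2) | ...` while `sdk.version` in the same hunk has moved to 6.2.3, so the published 6.0.1 changelog will misstate which SDK base the plugin was built on; change `(v6.2.2)` to `(v6.2.3)` in that entry and mirror it in the matching help.md line, which this patch does not touch. The `troubleshooting` entry is also the one link this rename pass left on the legacy `docs.microsoft.com/.../microsoft-defender-atp/` path; it presumably belongs on the same `learn.microsoft.com/en-us/defender-endpoint/api/` tree as the updated `references` entries, and the target should be checked to resolve before release, since it is the page users are sent to for assigning the Azure application's API permissions. The plugin `version` appears to stay at 6.0.1 across this SDK change (setup.py is absent from this patch's diffstat), so two 6.0.1 artifacts built from different SDK bases would be indistinguishable to consumers; consider whether a distinct version is warranted.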