Merged
Commits
50 commits
1ac93de
feat: initial commit
jame2O May 13, 2026
44dab77
feat: basic test button
jame2O May 14, 2026
46cf8de
feat: Alerts data stream
jame2O May 14, 2026
03c6f1c
chore: add none timeframe to defender
jame2O May 15, 2026
9f5145f
feat: graph plugin
jame2O Jun 1, 2026
5ac42fb
chore: delete old plugin
jame2O Jun 1, 2026
6e0c295
chore: add manual config apply to hunting query
jame2O Jun 1, 2026
1063f37
chore: manual config apply for alerts and incidents
jame2O Jun 2, 2026
284da4c
chore: rename Defender Device source type to device
jame2O Jun 2, 2026
6b97fb0
feat: update device status OOB dash
jame2O Jun 2, 2026
9b0ff1b
chore: update metadata
jame2O Jun 3, 2026
ab26377
fix: update 'New' Status val
jame2O Jun 3, 2026
936311c
chore: update alerts metadata
jame2O Jun 3, 2026
23c954a
chore: update devices metadata
jame2O Jun 3, 2026
9da3a2b
fix: hide undefined columns in meta devices
jame2O Jun 3, 2026
b86e2df
chore: update timeframe options for incidents and alerts
jame2O Jun 3, 2026
e258150
fix: remove bad options
jame2O Jun 3, 2026
c3a730d
chore: move timeframe fields to timeframe tab
jame2O Jun 3, 2026
655b37a
chore: add recommendations metadata
jame2O Jun 3, 2026
c7cbf84
chore: add SSH metadata
jame2O Jun 3, 2026
92bcf5e
Update plugins/MicrosoftDefender/v1/configValidation.json
jame2O Jun 3, 2026
cb761ec
Update plugins/MicrosoftDefender/v1/configValidation.json
jame2O Jun 3, 2026
abb6586
chore: remove redundant config
jame2O Jun 4, 2026
cb4d97e
fix: remove custom col for ExposureLevel
jame2O Jun 4, 2026
56f8d4a
fix: fixes for recommendations
jame2O Jun 4, 2026
4ac539e
chore: re-enable timeframes for recommendations
jame2O Jun 4, 2026
dc13551
fix: some things for vulns, recomms
jame2O Jun 5, 2026
7773ca5
chore: rename title to Alert Name (alerts)
jame2O Jun 9, 2026
2258fe9
fix: remove hide-rest metadata
jame2O Jun 9, 2026
4fd3dab
feat: new OOB dashboards
jame2O Jun 9, 2026
f86db32
fix: add folder paths to Devices OOBs
jame2O Jun 9, 2026
77cbc01
fix: show CVE ID label
jame2O Jun 9, 2026
79eb36a
feat: README v1
jame2O Jun 10, 2026
43b88ed
feat: new config test steps
jame2O Jun 10, 2026
4cdf819
chore: update README
jame2O Jun 10, 2026
3f8757c
chore: README v3
jame2O Jun 10, 2026
fbb6b87
chore: README v4
jame2O Jun 10, 2026
917a331
chore: add links to metadata
jame2O Jun 10, 2026
4de0cbc
Revise README for Microsoft Defender plugin
vinbab Jun 10, 2026
ab93948
Merge branch 'main' into work/jd/defender
jame2O Jun 11, 2026
545f162
chore: update config validation error messages, change some to warnin…
jame2O Jun 11, 2026
1294971
fix: minor mistakes in README
jame2O Jun 11, 2026
13f410c
feat: name change
jame2O Jun 11, 2026
4e15aba
chore: remove beta label from name
jame2O Jun 12, 2026
80ff42f
chore: capitalize object names
jame2O Jun 12, 2026
4c324fa
feat: add "Current Score %" tile to Cockpit OOB
jame2O Jun 12, 2026
ce3dac3
fix: change references to deviceid to rawId
jame2O Jun 12, 2026
0beee10
Fix: do not import devices without a DeviceName
jame2O Jun 12, 2026
e65d8f7
style: add all data stream descriptions
jame2O Jun 12, 2026
4400a1d
fix: add count col to Configuration Impact tile
jame2O Jun 12, 2026
30 changes: 30 additions & 0 deletions plugins/MicrosoftDefender/v1/configValidation.json
@@ -0,0 +1,30 @@
{
"steps": [
{
"displayName": "Alerts access",
"dataStream": { "name": "validationAlerts" },
"success": "Successfully read alerts.",
"error": "Cannot read alerts. Grant the 'SecurityAlert.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret.",
"required": true
},
{
"displayName": "Incidents access",
"dataStream": { "name": "validationIncidents" },
"success": "Successfully read incidents.",
"error": "Cannot read incidents. Grant the 'SecurityIncident.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret."
},
{
"displayName": "Advanced hunting access",
"dataStream": { "name": "validationHunting" },
"success": "Successfully ran an advanced hunting query.",
"error": "Cannot run advanced hunting queries. Grant the 'ThreatHunting.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret.",
"required": true
},
{
"displayName": "Secure score access",
"dataStream": { "name": "validationSecureScore" },
"success": "Successfully read secure scores.",
"error": "Cannot read secure scores. Grant the 'SecurityEvents.Read.All' application permission in Microsoft Entra ID, or check your client ID and secret."
}
]
}
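Review bot: `required` is set only on the "Alerts access" and "Advanced hunting access" steps, while "Incidents access" and "Secure score access" omit it; if the omission is meant to make those two checks non-blocking (the commit "change some to warnin…" suggests so), state it explicitly with `"required": false` so the intent is visible in the file rather than depending on a default. The `error` strings also fold two distinct causes into one sentence (missing application permission versus a wrong client ID/secret); if the data source exposes the HTTP status of the failed call, separate messages for the two cases would tell an operator whether to grant consent or re-check credentials.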
9 changes: 9 additions & 0 deletions plugins/MicrosoftDefender/v1/custom_types.json
@@ -0,0 +1,9 @@
[
{
"name": "Device",
"sourceType": "Device",
"icon": "desktop",
"singular": "Device",
"plural": "Devices"
}
]
77 changes: 77 additions & 0 deletions plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json
@@ -0,0 +1,77 @@
{
"name": "Vulnerabilities",
"displayName": "Vulnerabilities",
"description": "Returns vulnerabilities data for the specified device",
"baseDataSourceName": "httpRequestScoped",
"config": {
"httpMethod": "post",
"errorHandling": {
"type": "default"
},
"paging": {
"mode": "none"
},
"expandInnerObjects": true,
"endpointPath": "runHuntingQuery",
"postBody": {
"Query": "DeviceTvmSoftwareVulnerabilities | where DeviceId in ({{objects.map(o => {return `\"${o.rawId}\"`}).join(\",\")}})",
"Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
},
"pathToData": "results",
"getArgs": [],
"headers": []
},
"metadata": [
{
"name": "CveGuide",
"displayName": "Cve Id",
"valueExpression": "{{ $['CveId'] ? `https://msrc.microsoft.com/update-guide/vulnerability/${$['CveId']}` : '' }}",
"formatExpression": "{{ $['CveId'] }}",
"shape": "url",
"computed": true
},
{
"name": "CveId",
"displayName": "CVE Id",
"shape": "string",
"visible": false,
"role": "label"
},
{
"name": "VulnerabilitySeverityLevel",
"displayName": "Severity",
"shape": "string",
"role": "label"
},
{
"name": "SoftwareName",
"displayName": "Affected Software",
"shape": "string",
"role": "label"
},
{
"name": "CveTags",
"displayName": "Tags",
"shape": "string",
"role": "label"
},
{
"sourceId": "DeviceId",
"name": "DeviceName",
"shape": "string",
"visible": false,
"role": "label",
"sourceType": "Device"
}
],
"matches": {
"sourceType": {
"type": "equals",
"value": "Device"
}
},
"timeframes": false,
"providesPluginDiagnostics": true,
"objectLimit": 1,
"tags": []
}
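Review bot: the `Query` template splices each `o.rawId` into a quoted KQL literal (`\"${o.rawId}\"`) without escaping, so a rawId containing a double quote or backslash would break the `in (...)` list or change the query's meaning; validate the value against the expected device-id character set (or escape it) before interpolation, even though `"objectLimit": 1` limits this to a single device. Separately, `"timeframes": false` disables the timeframe picker, yet the `Timespan` expression still reads `timeframe.enum`, `timeframe.start` and `timeframe.end`; confirm the template engine still provides a `timeframe` object when timeframes are off, or drop the `Timespan` field from this stream. Minor: the two CVE columns use `"Cve Id"` and `"CVE Id"` as display names; pick one spelling.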
52 changes: 52 additions & 0 deletions plugins/MicrosoftDefender/v1/dataStreams/advancedHuntingQuery.json
@@ -0,0 +1,52 @@
{
"name": "advancedHuntingQuery",
"displayName": "Advanced Hunting Query",
"description": "Queries a specified set of data supported by Defender to proactively look for specific threats in your environment",
"baseDataSourceName": "httpRequestUnscoped",
"config": {
"httpMethod": "post",
"errorHandling": {
"type": "default"
},
"paging": {
"mode": "none"
},
"expandInnerObjects": true,
"endpointPath": "runHuntingQuery",
"postBody": {
"Query": "{{query}}",
"Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
},
"pathToData": "results",
"getArgs": [],
"headers": []
},
"timeframes": [
"last1hour",
"last12hours",
"last24hours",
"last7days",
"last30days",
"thisMonth",
"thisQuarter",
"thisYear",
"lastMonth",
"lastQuarter",
"lastYear"
],
"supportsNoneTimeframe": true,
"providesPluginDiagnostics": true,
"manualConfigApply": true,
"tags": [],
"ui": [
{
"name": "query",
"language": "kusto",
"label": "Query",
"type": "code",
"validation": {
"required": true
}
}
]
}
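Review bot: when `timeframe.enum` is `"none"`, `Timespan` is sent as an empty string rather than being omitted from the post body; verify the endpoint accepts `"Timespan": ""`, and note the same expression is duplicated in Vulnerabilities.json, so any change applies there too. The user's KQL is passed through `{{query}}` verbatim with only `"required": true` as validation, which is expected for a free-form hunting stream, but a `help` string on the `query` field saying that the query runs unscoped (this stream uses `httpRequestUnscoped`) under the plugin's application permissions would make the scope clear to users writing queries.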
218 changes: 218 additions & 0 deletions plugins/MicrosoftDefender/v1/dataStreams/alerts.json
@@ -0,0 +1,218 @@
{
"name": "alerts",
"displayName": "Alerts",
"description": "Returns a list of alert resources created to track suspicious activities in an organization",
"baseDataSourceName": "httpRequestUnscoped",
"config": {
"httpMethod": "get",
"errorHandling": {
"type": "default"
},
"paging": {
"mode": "nextUrl",
"pageSize": {
"realm": {
"value": "none",
"label": "none"
}
},
"in": {
"realm": {
"value": "payload",
"label": "payload"
},
"path": "@odata.nextLink"
}
},
"expandInnerObjects": true,
"endpointPath": "alerts_v2",
"pathToData": "value",
"getArgs": [
{
"key": "$filter",
"value": "{{ status && status.length > 0 ? \"(status eq \" + status.map((m) => { return `'${m}'` }).join(\" or status eq \") + \") and \" : \"\" }}{{ severity && severity.length > 0 ? \"(severity eq \" + severity.map((m) => { return `'${m}'` }).join(\" or severity eq \") + \") and \" : \"\" }}{{timeframe.enum !== \"none\" ? timeframeCol + \" ge \" + timeframe.start + \" and \" + timeframeCol + \" le \" + timeframe.end : \"1 eq 1\"}}"
}
],
"headers": []
},
"metadata": [
{
"name": "title",
"displayName": "Alert Name",
"shape": "string",
"role": "label"
},
{
"name": "systemTags",
"displayName": "System Tags",
"shape": "string",
"role": "label"
},
{
"name": "severity",
"displayName": "Severity",
"shape": "string",
"role": "label"
},
{
"name": "status",
"displayName": "Status",
"shape": "string",
"role": "label"
},
{
"name": "category",
"displayName": "Category",
"shape": "string",
"role": "label"
},
{
"name": "detectionSource",
"displayName": "Detection Source",
"shape": "string",
"role": "label"
},
{
"name": "firstActivityDateTime",
"displayName": "First Activity",
"shape": "date",
"role": "label"
},
{
"name": "lastActivityDateTime",
"displayName": "Last Activity",
"shape": "date",
"role": "label"
},
{
"name": "classification",
"displayName": "Classification",
"shape": "string",
"role": "label"
},
{
"name": "determination",
"displayName": "Determination",
"shape": "string",
"role": "label"
},
{
"name": "assignedTo",
"displayName": "Assigned To",
"shape": "string",
"role": "label"
}
],
"timeframes": [
"last1hour",
"last12hours",
"last24hours",
"last7days",
"last30days",
"thisMonth",
"thisQuarter",
"thisYear",
"lastMonth",
"lastQuarter",
"lastYear"
],
"supportsNoneTimeframe": true,
"manualConfigApply": true,
"providesPluginDiagnostics": true,
"tags": [],
"ui": [
{
"name": "severity",
"label": "Severity",
"type": "autocomplete",
"data": {
"source": "fixed",
"values": [
{
"value": "low",
"label": "Low"
},
{
"value": "medium",
"label": "Medium"
},
{
"value": "high",
"label": "High"
},
{
"value": "informational",
"label": "Informational"
},
{
"value": "unknown",
"label": "Unknown"
},
{
"value": "unknownFutureValue",
"label": "Unknown Future Value"
}
]
},
"isClearable": true
},
{
"name": "status",
"label": "Status",
"type": "autocomplete",
"data": {
"source": "fixed",
"values": [
{
"value": "newAlert",
"label": "New"
},
{
"value": "inProgress",
"label": "In Progress"
},
{
"value": "resolved",
"label": "Resolved"
},
{
"value": "unknown",
"label": "Unknown"
},
{
"value": "unknownFutureValue",
"label": "Unknown Future Value"
}
]
},
"isClearable": true
},
{
Comment thread
clarkd marked this conversation as resolved.
"tileEditorStep": ["Timeframe"],
"isMulti": false,
"help": "Select the column to apply the timeframe",
"data": {
"source": "fixed",
"values": [
{
"value": "createdDateTime",
"label": "Creation Time"
},
{
"value": "lastActivityDateTime",
"label": "Last Activity Time"
},
{
"value": "lastUpdateDateTime",
"label": "Last Update Time"
}
]
},
"defaultValue": "createdDateTime",
"name": "timeframeCol",
"label": "Timeframe Column",
"type": "autocomplete",
"isClearable": false
}
]
}
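Review bot: the `$filter` expression falls back to the dummy predicate `1 eq 1` when `timeframe.enum` is `"none"`, purely to absorb the trailing `" and "` emitted by the status and severity fragments; build the clauses as an array, join them with `" and "`, and emit no `$filter` at all when the array is empty, so no placeholder predicate reaches the API. Also, the `timeframeCol` picker offers `createdDateTime` and `lastUpdateDateTime`, but neither appears in `metadata` (only `firstActivityDateTime` and `lastActivityDateTime` do), so a user filtering on creation or last-update time cannot see that column in the results; add both fields. The `status`, `severity` and `timeframeCol` values are spliced into the filter unescaped, which is acceptable only because all three come from `"source": "fixed"` lists; keep that constraint if these inputs are ever reworked.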