
securitydev's Introduction

Get Started as Microsoft Security Developer

Welcome to the Microsoft Security Dev repository! This repository is a landing page to learn about Microsoft security APIs, services and communities. This will enable application developers to build security applications catering to different requirements. Furthermore, this repo is a starting point to share code, libraries, notebooks, workbooks, and queries for building connected experiences.

Read the blogpost for more details.

Feedback / Questions / Bugs to report? File issues

In this repository

Getting Started

Read the Developers Guide to Building Connected Security Solutions.
The Developers Guide to Building Connected Security Solutions offers a primer for those who want to build apps, workflows, and analytics that integrate with Microsoft security solutions. In addition to introducing the Microsoft APIs, services, and communities available to developers, the guide offers detailed guidance on when and how to use each: which technology and integration option best aligns with your desired scenario and application type.

Discover APIs and Services

APIs

Integration options (the original table marks which of these each API supports): SDK; Azure Sentinel Data Connector / Dashboard; Logic Apps / Flow / PowerApps Connector; PowerShell Module; Power BI Connector; Azure / Jupyter Notebooks.

  • Microsoft Graph Security API: unified alerts for all Microsoft security services, threat indicators, actions, and secure score

  • Azure Security Center: security posture assessment and threat protection

  • Azure Active Directory Identity Protection: AAD users, groups, risky users, and risky sign-ins

  • Azure Sentinel / Azure Log Analytics: events and logs

  • Microsoft Defender Advanced Threat Protection: networks, devices, files and device users, threat indicators and advanced hunting APIs

  • Microsoft Cloud App Security: user activities, policy reports across cloud services

  • Microsoft Information Protection: data classification, labeling, and protection

  • Office 365 Management: user, admin, system, and policy actions and events across M365 services

Other security communities

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

License

This repository is licensed with the MIT license.

securitydev's People

Contributors

edwardkoval, ianhelle, microsoft-github-policy-service[bot], microsoftopensource, msftgits, preetikr


securitydev's Issues

Graph / Security / Alert - alerts from some sources have missing host, ip, file and other detail information

Hello,

We used the MS Graph API to retrieve security alerts from our test environment. Some alerts have full details, while some of them don't provide any detail information (host, source IP, user, infected file...).
The same behavior is seen through the REST API in Postman and the C# wrapper.

Do you have any advice on whether it's e.g. a permission or some additional settings issue, or an API bug?

Example of missing data:

{
	"cloudAppStates": [],
	"status": "newAlert",
	"azureTenantId": "5ccdaf49-e634-479f-b8e6-_",
	"feedback": null,
	"confidence": null,
	"id": "da636995025372880197_512683892",
	"title": "'EICAR_Test_File' malware was detected",
	"eventDateTime": "2019-07-23T18:14:23.4324294+00:00",
	"processes": [],
	"sourceMaterials": [
		"https://securitycenter.microsoft.com/alert/da636995025372880197_512683892"
	],
	"vendorInformation": {
		"providerVersion": null,
		"subProvider": "WindowsDefenderAtp",
		"provider": "WDATP",
		"vendor": "Microsoft"
	},
	"detectionIds": [],
	"azureSubscriptionId": null,
	"vulnerabilityStates": [],
	"lastModifiedDateTime": "2019-07-23T18:22:28.3566667+00:00",
	"description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.",
	"fileStates": [],
	"createdDateTime": "2019-07-23T18:15:37.1941339+00:00",
	"closedDateTime": null,
	"category": "Malware",
	"comments": [],
	"userStates": [],
	"hostStates": [],
	"@version": "1",
	"assignedTo": null,
	"registryKeyStates": [],
	"historyStates": [],
	"recommendedActions": [],
	"severity": "informational",
	"tags": [
		"_mutate_error"
	],
	"triggers": [],
	"riskScore": null,
	"malwareStates": [],
	"networkConnections": [],
	"activityGroupName": null
}

In this case it was Defender.

However, we have the same from the ASC 3.0 source: e.g. the category AntimalwareActionTaken has full details, while the category AdaptiveNetworkHardeningInbound has just a title about the suspected IP and no detail at all. See examples:

correct result:

{
        "id": "2518383947429999999_7c2565ed-75f6-4bee-84ee-c68c928c0c97",
        "azureTenantId": "5ccdaf49-e634-479f-b8e6-*",
        "azureSubscriptionId": "2444cc2b-23e9-4750-956f-*",
        "riskScore": null,
        "tags": [],
        "activityGroupName": null,
        "assignedTo": null,
        "category": "AntimalwareActionTaken",
        "closedDateTime": null,
        "comments": [],
        "confidence": null,
        "createdDateTime": "2019-07-23T18:31:28.261Z",
        "description": "Microsoft Antimalware has taken an action to protect this machine from malware or other potentially unwanted software.",
        "detectionIds": [],
        "eventDateTime": "2019-07-23T18:20:57Z",
        "feedback": null,
        "lastModifiedDateTime": "2019-07-23T18:31:31.0405919Z",
        "recommendedActions": [
            "No user action is necessary"
        ],
        "severity": "low",
        "sourceMaterials": [
            "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Virus:DOS/EICAR_Test_File"
        ],
        "status": "newAlert",
        "title": "Antimalware Action Taken",
        "vendorInformation": {
            "provider": "ASC",
            "providerVersion": "3.0",
            "subProvider": null,
            "vendor": "Microsoft"
        },
        "cloudAppStates": [],
        "fileStates": [
            {
                "name": "967664227.bat",
                "path": "c:\\temp\\eicar\\967664227.bat",
                "riskScore": "0",
                "fileHash": null
            }
        ],
        "hostStates": [
            {
                "fqdn": "demo....com",
                "isAzureAdJoined": null,
                "isAzureAdRegistered": null,
                "isHybridAzureDomainJoined": null,
                "netBiosName": null,
                "os": null,
                "privateIpAddress": null,
                "publicIpAddress": null,
                "riskScore": "0"
            }
        ],
        "historyStates": [],
        "malwareStates": [
            {
                "category": "Virus",
                "family": null,
                "name": "Virus:DOS/EICAR_Test_File",
                "severity": null,
                "wasRunning": null
            }
        ],
        "networkConnections": [],
        "processes": [],
        "registryKeyStates": [],
        "triggers": [],
        "userStates": [],
        "vulnerabilityStates": []
}

no data:

{
        "id": "2518385219999999999_fec0f737-1f01-4cf6-8cc5-2c4c812e25df",
        "azureTenantId": "5ccdaf49-e634-479f-b8e6-*",
        "azureSubscriptionId": "2444cc2b-23e9-4750-956f-*",
        "riskScore": null,
        "tags": [],
        "activityGroupName": null,
        "assignedTo": null,
        "category": "AdaptiveNetworkHardeningInbound",
        "closedDateTime": null,
        "comments": [],
        "confidence": null,
        "createdDateTime": "2019-07-23T06:01:09.4191821Z",
        "description": "Azure security center has detected incoming traffic from IP addresses, which have been identified as IP addresses that should be blocked by the Adaptive Network Hardening control",
        "detectionIds": [],
        "eventDateTime": "2019-07-22T07:00:00Z",
        "feedback": null,
        "lastModifiedDateTime": "2019-07-23T06:01:47.0272371Z",
        "recommendedActions": [
            "1. Review the IP addresses and determine if they should be communicating with the virtual machine",
            "2. Enforce the hardening rule recommended by Security Center which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly"
        ],
        "severity": "low",
        "sourceMaterials": [],
        "status": "newAlert",
        "title": "Traffic from unrecommended IP addresses was detected",
        "vendorInformation": {
            "provider": "ASC",
            "providerVersion": "3.0",
            "subProvider": null,
            "vendor": "Microsoft"
        },
        "cloudAppStates": [],
        "fileStates": [],
        "hostStates": [],
        "historyStates": [],
        "malwareStates": [],
        "networkConnections": [],
        "processes": [],
        "registryKeyStates": [],
        "triggers": [],
        "userStates": [],
        "vulnerabilityStates": []
}

Thanks and regards,
Roman
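An added example (not from the securitydev repository or the issue's author) showing how a consumer can detect alerts like the ones above, whose entity collections are all empty, and report them per provider/category before forwarding them on. Field names follow the alert JSON quoted in the issue; the sample alerts are constructed, abbreviated copies of the three shown.

```python
"""Added example, not from the securitydev repo or the issue's author: flag
Microsoft Graph Security API alerts whose entity-detail collections are all
empty, so a pipeline can route them for enrichment instead of forwarding them."""
import json
from collections import Counter

# Entity collections an alert may carry (names taken from the issue's JSON).
ENTITY_FIELDS = (
    "hostStates", "userStates", "fileStates", "processes",
    "networkConnections", "malwareStates", "registryKeyStates",
    "cloudAppStates", "vulnerabilityStates",
)

def populated_entities(alert: dict) -> list:
    """Names of the entity collections that actually carry data."""
    return [f for f in ENTITY_FIELDS if alert.get(f)]

def needs_enrichment(alert: dict) -> bool:
    """True when no entity collection is populated: the alert carries a
    title and description only, so the consumer has to fetch host/file/IP
    detail elsewhere (for example via a sourceMaterials link, if present)."""
    return not populated_entities(alert)

def triage(alerts: list) -> dict:
    """Count hollow alerts per provider/category, so the gap is reported
    per alert source rather than once per alert."""
    hollow = Counter()
    for alert in alerts:
        if needs_enrichment(alert):
            vendor = alert.get("vendorInformation") or {}
            hollow[f"{vendor.get('provider')}/{alert.get('category')}"] += 1
    return dict(hollow)

# Constructed sample: abbreviated versions of the three alerts in the issue.
SAMPLE_ALERTS = json.loads("""[
 {"id": "wdatp-1", "category": "Malware",
  "vendorInformation": {"provider": "WDATP", "vendor": "Microsoft"},
  "hostStates": [], "fileStates": [], "malwareStates": [],
  "sourceMaterials": ["https://securitycenter.microsoft.com/alert/wdatp-1"]},
 {"id": "asc-1", "category": "AntimalwareActionTaken",
  "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
  "hostStates": [{"fqdn": "demo.example.com", "riskScore": "0"}],
  "fileStates": [{"name": "967664227.bat", "fileHash": null}],
  "malwareStates": [{"name": "Virus:DOS/EICAR_Test_File"}]},
 {"id": "asc-2", "category": "AdaptiveNetworkHardeningInbound",
  "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
  "hostStates": [], "networkConnections": [], "sourceMaterials": []}
]""")
```

Running `triage(SAMPLE_ALERTS)` returns `{'WDATP/Malware': 1, 'ASC/AdaptiveNetworkHardeningInbound': 1}`, i.e. the two alerts from the issue that carry no entity detail.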
