Add Microsoft Defender for Endpoint source #1009

juju4 · 2022-10-08T21:56:12Z

Add Ingestion of MDE assets as source (follow-up of #999)
Include initial test data and draft schema

Bugs

fix import of array and dict, or needed values (vmMetaData, ipAddresses...) to get instance_id, subscription_d and resource_id which are required to make relationship with AzureVirtualMachine.
fix mypy and flake8 issues, part due to import .util not working.

Pending

AzureVirtualMachine relationship.
Add a tenant_id to link to AzureTenant and allow multi-tenancy.
import vulnerabilities' detections.
may want cleanup retention to be configurable. Typically, EDR keep inventories for 30-45 days.

Reviewed with pylint and black

This reverts commit 32a94ae.

juju4 · 2022-10-15T19:58:26Z

I think this is good for review and merge.
At this point, I only added relation to AzureVirtualMachine. hesitated for AzureSubscription as more widely available (ex: Crowdstrike)
Likely need some help to fix mypy errors as not familiar with tool.

achantavy

Let's try to avoid pandas. We can use a similar transform approach as in this PR: #1146, happy to continue helping here.

It might also be worth exploring using the data model using that PR as example.

achantavy · 2023-01-07T04:58:11Z

setup.py

@@ -56,6 +56,7 @@
        "kubernetes>=22.6.0",
        "pdpyras>=4.3.0",
        "crowdstrike-falconpy>=0.5.1",
+        "pandas>=1.5.1",


Pandas is a very heavy dependency. Can we do without it?

achantavy · 2023-01-07T04:58:29Z

.github/workflows/test_suite.yml

@@ -6,6 +6,7 @@ on:
  push:
    branches:
      - master
+      - devel*


What's this do? Can we omit it?

achantavy · 2023-01-07T04:59:55Z

cartography/intel/mde/endpoints.py

+"""
+cartography/intel/mde/endpoints
+"""
+# pylint: disable=missing-function-docstring,too-many-arguments


Suggested change

# pylint: disable=missing-function-docstring,too-many-arguments

achantavy · 2023-01-07T05:00:42Z

docs/root/modules/mde/mde.md

+
+Placeholder representation of a single [MDE Host or machine](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines?view=o365-worldwide). This node is the minimal data necessary to map an asset.
+
+Warning! Work In Progress.


Suggested change

Warning! Work In Progress.

juju4 · 2023-04-15T15:16:08Z

I will try to review but I don't think it will be in near time.
If anyone interested, feel free to help.

juju4 added 8 commits October 8, 2022 20:48

Add MDE source - work in progress

f1b13a2

trigger workflow

32a94ae

Revert "trigger workflow"

e618a52

This reverts commit 32a94ae.

test_suite workflow: include devel*

3ca7de9

partial fix pre-commit lint

bf945b7

add mde cleanup file

8a2ff40

mde source update

16e2bd5

Merge branch 'devel' into devel-mde

6afbc7c

juju4 added 12 commits November 5, 2022 14:50

code review, fix most pre-commit

ed42966

Merge branch 'master' into devel-mde

af1d3ce

setup.py: add pandas

0df23ea

Merge branch 'devel' into devel-mde

d8022e8

few ignore for bandit and semgrep

a6d15aa

black autoformatter

98e0033

add verb to function

2248aa5

review bandit and pylint

9343e47

Merge branch 'devel' into devel-mde

e9b4037

Merge branch 'master' into devel-mde

a863df9

Merge branch 'master' into devel-mde

9c4f1cf

Merge branch 'master' into devel-mde

4268f9a

achantavy reviewed Mar 30, 2023

View reviewed changes

chandanchowdhury added data-addition Describes adding new data to the graph Azure Related to the Azure intel module labels Jul 18, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Microsoft Defender for Endpoint source #1009

Add Microsoft Defender for Endpoint source #1009

juju4 commented Oct 8, 2022

juju4 commented Oct 15, 2022

achantavy left a comment

achantavy Jan 7, 2023

achantavy Jan 7, 2023

achantavy Jan 7, 2023

achantavy Jan 7, 2023

juju4 commented Apr 15, 2023


		Placeholder representation of a single [MDE Host or machine](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines?view=o365-worldwide). This node is the minimal data necessary to map an asset.

		Warning! Work In Progress.

Add Microsoft Defender for Endpoint source #1009

Are you sure you want to change the base?

Add Microsoft Defender for Endpoint source #1009

Conversation

juju4 commented Oct 8, 2022

juju4 commented Oct 15, 2022

achantavy left a comment

Choose a reason for hiding this comment

achantavy Jan 7, 2023

Choose a reason for hiding this comment

achantavy Jan 7, 2023

Choose a reason for hiding this comment

achantavy Jan 7, 2023

Choose a reason for hiding this comment

achantavy Jan 7, 2023

Choose a reason for hiding this comment

juju4 commented Apr 15, 2023