TransformIndicatorToMSDefenderIOC

Transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC. The output (at TransformIndicatorToMSDefenderIOC.JsonOutput) is a json representation of the indicators in MSDE format. This json can be the input for the *microsoft-atp-indicator-batch-update* command.

python · Microsoft Defender for Endpoint

Source

from CommonServerPython import *

POPULATE_INDICATOR_FIELDS = [
    "value",
    "indicator_type",
    "applications",
    "user",
    "firstSeen",
    "expiration",
    "lastSeen",
    "score",
    "title",
    "description",
]

INDICATOR_FIELDS_TO_MS_DEFENDER_IOC = {
    "value": "indicatorValue",
    "indicator_type": "indicatorType",
    "applications": "application",
    "user": "createdBy",
    "firstSeen": "creationTimeDateTimeUtc",
    "expiration": "expirationTime",
    "lastSeen": "lastUpdateTime",
    "score": "Severity",
    "title": "title",
    "description": "description",
    # enter (hard-coded) your wanted indicator arguments per MS docs (make sure to remove the '#'):
    # {https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/ti-indicator?view=o365-worldwide} ##
    # "" : "externalID",
    # "" : "sourceType",
    # "" : "lastUpdatedBy",
    # "" : "recommendedActions",
    # "" : "rbacGroupNames",
    # "" : "rbacGroupIds",
    # "" : "generateAlert",
    # "" : "createdBySource",
}

# feel free to change it hard-coded.
# Possible values in MS Defender are: Informational, Low, Medium and High
DBOT_SCORE_TO_MS_DEFENDER_SEVERITY = {
    Common.DBotScore.BAD: "High",
    Common.DBotScore.SUSPICIOUS: "Medium",
    Common.DBotScore.GOOD: "Informational",
    Common.DBotScore.NONE: "Informational",
}


def convert_unique_fields(ioc, action):
    ioc["Severity"] = DBOT_SCORE_TO_MS_DEFENDER_SEVERITY[ioc.get("Severity")]  # XSOAR indicators always have score
    if ioc.get("indicatorType"):
        indicator_type = ioc.get("indicatorType")
        indicator_value = ioc.get("indicatorValue", "")
        if indicator_type == "File":
            hash_type = get_hash_type(indicator_value)
            if hash_type == "md5":
                ioc["indicatorType"] = "FileMd5"
            elif hash_type == "sha1":
                ioc["indicatorType"] = "FileSha1"
            if hash_type == "sha256":
                ioc["indicatorType"] = "FileSha256"
        elif indicator_type == "IP":
            ioc["indicatorType"] = "IpAddress"
        elif indicator_type == "DOMAIN":
            ioc["indicatorType"] = "DomainName"
        elif indicator_type == "URL":
            ioc["indicatorType"] = "Url"
        else:
            raise DemistoException(f"The indicator type: {indicator_type} does not exist in MS Defender")
    # if you want to map the action field, you can do it here.
    # Note: the action arg is mandatory with MS Defender api
    # Possible values are: "Warn", "Block", "Audit", "Alert", "AlertAndBlock", "BlockAndRemediate" and "Allowed".
    ioc["action"] = action
    # Note: the title arg is mandatory with MS Defender api, please change it
    if not ioc.get("title"):
        ioc["title"] = "XSOAR Indicator title"
    # Note: the description arg is mandatory with MS Defender api, please change it
    if not ioc.get("description"):
        ioc["description"] = "XSOAR Indicator description"
    return ioc


def get_indicators_by_query():
    action = demisto.args().pop("action")
    demisto.args().update({"populateFields": POPULATE_INDICATOR_FIELDS})
    indicators = execute_command("GetIndicatorsByQuery", args=demisto.args())
    ms_defender_iocs = []
    if indicators:
        for indicator in indicators:
            # convert XSOAR indicator to MS Defender IOC
            ms_defender_ioc = {
                INDICATOR_FIELDS_TO_MS_DEFENDER_IOC[indicator_field]: indicator_value
                for (indicator_field, indicator_value) in indicator.items()
            }
            ms_defender_ioc = convert_unique_fields(ms_defender_ioc, action)
            ms_defender_iocs.append(ms_defender_ioc)
    return ms_defender_iocs


def main():
    try:
        ms_defender_iocs = get_indicators_by_query()
        human_readable = tableToMarkdown(
            "TransformIndicatorToMSDefenderIOC is done:",
            ms_defender_iocs,
            removeNull=True,
            headers=list(INDICATOR_FIELDS_TO_MS_DEFENDER_IOC.values()),
        )
        context = {
            "TransformIndicatorToMSDefenderIOC.JsonOutput": json.dumps(ms_defender_iocs),
            "TransformIndicatorToMSDefenderIOC.Indicators": ms_defender_iocs,
        }
        demisto.results(
            {
                "Type": entryTypes["note"],
                "ContentsFormat": formats["text"],
                "Contents": ms_defender_iocs,
                "EntryContext": context,
                "HumanReadable": human_readable,
            }
        )

    except Exception as ex:
        return_error(f"Failed to execute TransformIndicatorToMSDefenderIOC. Error: {ex!s}")


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

Transform a XSOAR indicator into a Microsoft Defender for Endpoint IOC. The output (at TransformIndicatorToMSDefenderIOC.JsonOutput) is a json representation of the indicators in MSDE format. This json can be the input for the microsoft-atp-indicator-batch-update command.

Script Data


Name Description
Script Type python3
Tags  
Cortex XSOAR Version 6.0.0

Inputs


Argument Name Description Required
query The indicators query. Required
action The action that will be taken if the indicator will be discovered in the organization. Required
limit The maximum number of indicators to fetch. Optional
offset The results offset page. Only change when the number of the results exceed the limit. Optional

Outputs


Path Description Type
TransformIndicatorToMSDefenderIOC.JsonOutput Json output of the indicators. Should be the input for the *microsoft-atp-indicator-batch-update*. String
TransformIndicatorToMSDefenderIOC.Indicators.indicatorValue The value of the Indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.indicatorType Type of the indicator. Possible values are: FileSha1, FileSha256, FileMd5, CertificateThumbprint, IpAddress, DomainName, Url String
TransformIndicatorToMSDefenderIOC.Indicators.lastUpdateTime The last time the indicator was updated. String
TransformIndicatorToMSDefenderIOC.Indicators.lastUpdatedBy Identity of the user/application that last updated the indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.action The action that will be taken if the indicator will be discovered in the organization. Possible values are: “Warn”, “Block”, “Audit”, “Alert”, “AlertAndBlock”, “BlockAndRemediate” and “Allowed”. String
TransformIndicatorToMSDefenderIOC.Indicators.title Indicator title. String
TransformIndicatorToMSDefenderIOC.Indicators.expirationTime The expiration time of the indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.description Description of the indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.creationTimeDateTimeUtc The date and time when the indicator was created. String
TransformIndicatorToMSDefenderIOC.Indicators.Severity The severity of the indicator. possible values are: Informational, Low, Medium and High. String
TransformIndicatorToMSDefenderIOC.Indicators.application The application associated with the indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.externalID Id the customer can submit in the request for custom correlation. String
TransformIndicatorToMSDefenderIOC.Indicators.sourceType User in case the Indicator created by a user. “AadApp” in case it submitted using automated application via the API. String
TransformIndicatorToMSDefenderIOC.Indicators.createdBySource The name of the user or application that submitted the indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.createdBy Unique identity of the user or application that submitted the indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.recommendedActions Recommended actions for the indicator. String
TransformIndicatorToMSDefenderIOC.Indicators.rbacGroupNames RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices. Unknown
TransformIndicatorToMSDefenderIOC.Indicators.rbacGroupIds RBAC device group ID’s where the indicator is exposed and active. Empty list in case it exposed to all devices. Unknown
TransformIndicatorToMSDefenderIOC.Indicators.generateAlert True if alert generation is required, False if this indicator should not generate an alert. String

More info


  1. Please read about MSDE Indicator resource type here.
  2. Please read about limitations for creating and updating batch of indicators here.
  3. Please read about the required permissions for creating and updating batch of indicators here.