MSDefenderOffice365

MSDefenderOffice365_block

Details

| Field | Value |
| --- | --- |
| Author | Joe Lazaro |
| Version | 1.0 |
| License | AGPL-V3 |
| Requires Registration | Yes |
| Requires Subscription | Yes |
| Free Subscription Available | No |
| DataType Supported | thehive:case_artifact |
| Service Homepage | |

Description

Adds block entries to the Tenant Allow/Block List in Microsoft 365 Defender (blocks a sender address or a sender domain).

Configuration

| Name | Description |
| --- | --- |
| certificate_base64 | Base64-encoded PFX certificate used for certificate-based authentication. |
| certificate_password | Password protecting the PFX certificate used to authenticate. |
| app_id | Application (client) ID of the service principal used for certificate-based authentication. |
| organization | Tenant identifier. Example: something.onmicrosoft.com |
| block_expiration_days | How many days from now the block entry should expire. A value of 0 or less sets no expiration. |
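The `certificate_base64` value is the raw PFX file encoded as one base64 string, and the public half of the same key pair has to be registered on the Microsoft Entra app registration whose Application (client) ID goes into `app_id`. The following is an added example of how to produce those values; it is not part of the responder and does not come from this page. It runs in Windows PowerShell (New-SelfSignedCertificate is provided by the Windows PKI module), and the subject name and output paths are assumptions chosen for illustration.

```powershell
# Added example (not the responder's own code): create a signing certificate for
# app-only authentication and derive the responder's certificate_base64 value.
# Subject name and paths are illustrative assumptions.

$subject  = "CN=cortex-msdefender-responder"      # assumed name, any unique CN works
$pfxPath  = "$env:TEMP\cortex-msdefender.pfx"     # private key: only the Cortex host needs it
$cerPath  = "$env:TEMP\cortex-msdefender.cer"     # public key: uploaded to the app registration
$password = Read-Host -AsSecureString -Prompt "PFX password (this becomes certificate_password)"

# Signature-only RSA key, exportable so the PFX can be moved to the Cortex host,
# with a one-year lifetime so the credential has to be rotated.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Public part: upload this .cer under "Certificates & secrets" of the app registration.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Private part, password-protected: this is what certificate_base64 is built from.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# certificate_base64 is the PFX bytes, base64-encoded on a single line.
$certificateBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($pfxPath))
Set-Content -Path "$env:TEMP\certificate_base64.txt" -Value $certificateBase64 -NoNewline

# Once the value is in the Cortex configuration, remove the private key from the
# local store so the only copy lives with the responder.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Two things the responder cannot do for you: the app registration needs the Office 365 Exchange Online application permission `Exchange.ManageAsApp` with admin consent, and its service principal must hold one of the Microsoft Entra roles Microsoft accepts for app-only Exchange Online PowerShell access (Exchange Administrator is the usual choice). That role is tenant-wide mail administration, so treat the PFX and its password exactly like an administrator credential: restrict who can read the Cortex configuration and rotate the certificate before it expires.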
MSDefenderOffice365_unblock

Details

| Field | Value |
| --- | --- |
| Author | Joe Lazaro |
| Version | 1.0 |
| License | AGPL-V3 |
| Requires Registration | Yes |
| Requires Subscription | Yes |
| Free Subscription Available | No |
| DataType Supported | thehive:case_artifact |
| Service Homepage | |

Description

Removes entries from the Tenant Allow/Block List in Microsoft 365 Defender (unblocks a previously blocked sender address or sender domain).

Configuration

| Name | Description |
| --- | --- |
| certificate_base64 | Base64-encoded PFX certificate used for certificate-based authentication. |
| certificate_password | Password protecting the PFX certificate used to authenticate. |
| app_id | Application (client) ID of the service principal used for certificate-based authentication. |
| organization | Tenant identifier. Example: something.onmicrosoft.com |
Additional details from the README file:
Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

- Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.
- Reports: View real-time reports to monitor Defender for Office 365 performance in your organization.
- Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
- Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.
This responder implements support for the Tenant Allow/Block List, which is consulted during mail flow for incoming messages and manually overrides the Microsoft 365 filtering verdicts. An observable with dataType 'mail' is used to block or unblock a sender address, while dataType 'domain' is used to block or unblock a sender domain; other dataTypes are not handled.

You can also block or unblock multiple entries at once by using a multi-line observable with one entry per line.

For the block responder, block_expiration_days sets the number of days a block entry lives before it expires; a value of 0 or less means the entry never expires. Because an expired entry silently stops blocking, pick a finite lifetime deliberately rather than relying on the default.
For further reference on this capability, see the Microsoft documentation Allow or block emails using the Tenant Allow/Block List.
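What a responder run amounts to, written as a stand-alone Exchange Online PowerShell script, is shown below. This is an added example and not the responder's own code: it assumes the ExchangeOnlineManagement module is installed, reads the same four configuration values the responder uses, and stands in the observable Cortex would pass (the `$config`, `$action` and `$observable` values, the `Get-ListEntries` helper and the `Notes` text are all constructed for this example). It covers both responders on this page: the block path applies `block_expiration_days`, and the unblock path removes the same entries.

```powershell
# Added example (not the responder's own code): block or unblock the entries of
# a TheHive observable in the Tenant Allow/Block List via Exchange Online PowerShell.
Import-Module ExchangeOnlineManagement

# Stand-ins for the responder configuration and the observable Cortex passes in.
$config = @{
    certificate_base64    = Get-Content "$env:TEMP\certificate_base64.txt" -Raw   # assumed location
    certificate_password  = Read-Host -AsSecureString -Prompt "Certificate password"
    app_id                = "00000000-0000-0000-0000-000000000000"                 # placeholder
    organization          = "contoso.onmicrosoft.com"                               # placeholder
    block_expiration_days = 30
}
$action     = "block"    # "block" mirrors MSDefenderOffice365_block, "unblock" the other responder
$observable = @{ dataType = "mail"; data = "attacker@bad.example`n`nbilling@phish.example " }  # constructed

# Turn a (possibly multi-line) observable into a clean list of entries, dropping
# blank lines and duplicates, and refuse anything that does not fit the dataType.
function Get-ListEntries([string]$Data, [string]$DataType) {
    $pattern = switch ($DataType) {
        "mail"   { '^[^@\s]+@[^@\s]+\.[^@\s]+$' }
        "domain" { '^(?=.{1,253}$)([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$' }
        default  { throw "Unsupported dataType '$DataType'; use 'mail' or 'domain'." }
    }
    $entries = $Data -split "`r?`n" | ForEach-Object { $_.Trim() } |
               Where-Object { $_ } | Select-Object -Unique
    foreach ($e in $entries) {
        if ($e -notmatch $pattern) { throw "Entry '$e' is not a valid $DataType value." }
    }
    return @($entries)
}

$entries = Get-ListEntries -Data $observable.data -DataType $observable.dataType

# Load the PFX straight from the base64 value so the private key never touches disk.
$pfxBytes = [Convert]::FromBase64String($config.certificate_base64.Trim())
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [byte[]]$pfxBytes, $config.certificate_password)

try {
    # App-only (certificate) sign-in with the values from the responder configuration.
    Connect-ExchangeOnline -Certificate $cert -AppId $config.app_id `
        -Organization $config.organization -ShowBanner:$false

    if ($action -eq "block") {
        # The Sender list type accepts both e-mail addresses and domains.
        $params = @{ ListType = "Sender"; Block = $true; Entries = $entries;
                     Notes = "Blocked from TheHive case" }
        if ($config.block_expiration_days -gt 0) {
            $params.ExpirationDate = (Get-Date).AddDays($config.block_expiration_days).ToUniversalTime()
        } else {
            $params.NoExpiration = $true   # 0 or less: the entry never expires
        }
        New-TenantAllowBlockListItems @params
    } else {
        Remove-TenantAllowBlockListItems -ListType Sender -Entries $entries
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
    $cert.Dispose()
}
```

The validation step matters more than it looks: a multi-line observable that accidentally carries a stray token (a pasted header, a display name) would otherwise be sent to the tenant-wide block list as a sender entry. Failing the whole run on one bad line is the safer default for a responder that changes mail flow for every mailbox in the tenant.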