#909 review and fixes

Signed-off-by: Jérôme Leonard <[email protected]>
TheHive-Project · Jan 24, 2022 · 4bf0548 · 4bf0548
1 parent 6bfbddd
commit 4bf0548
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 12 deletions.
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_Isolate.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_Isolate.json
@@ -52,5 +52,9 @@
       "required": true,
       "defaultValue": "https://login.windows.net/"
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://securitycenter.windows.com"
 }
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCAlert.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCAlert.json
@@ -52,5 +52,9 @@
       "required": true,
       "defaultValue": "https://login.windows.net/"
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://securitycenter.windows.com"
 }
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_PushIOCBlock.json
@@ -52,5 +52,9 @@
       "required": true,
       "defaultValue": "https://login.windows.net/"
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://securitycenter.windows.com"
 }
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_Unisolate.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_Unisolate.json
@@ -52,5 +52,9 @@
       "required": true,
       "defaultValue": "https://login.windows.net/"
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://securitycenter.windows.com"
 }
diff --git a/responders/MSDefenderEndpoints/MSDefenderEndpoints_VirusScan.json b/responders/MSDefenderEndpoints/MSDefenderEndpoints_VirusScan.json
@@ -52,5 +52,9 @@
       "required": true,
       "defaultValue": "https://login.windows.net/"
     }
-  ]
+  ],
+  "registration_required": true,
+  "subscription_required": true,
+  "free_subscription": false,
+  "service_homepage": "https://securitycenter.windows.com"
 }
diff --git a/responders/MSDefenderEndpoints/README.md b/responders/MSDefenderEndpoints/README.md
@@ -1,6 +1,7 @@
-# Cortex responder for Microsoft Defender for Endpoints (formerly know as Microsoft ATP)
+### Cortex responder for Microsoft Defender for Endpoints (formerly know as Microsoft ATP)
+
+#### With this responder you can
 
-## With this responder you can
 * Isolate machine
 * Unisolate machine
 * Run full antivirus scan
@@ -12,39 +13,44 @@
 **NOTE: Microsft API for finding machines via IP-addresses is little bit limited "Find Machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.", because of this "hostname" is preferable observable type"**
 
 Responder needs one of the following licenses:
+
 * Windows 10 Enterprise E5
 * Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
 * Microsoft 365 E5 Security
 
-### In general, you’ll need to take the following steps to use the responder
+##### In general, you’ll need to take the following steps to use the responder
 
 * Create an Azure AD application
 * Grant permissions to App
 
-### Steps
+##### Steps
+
 With your Global administrator credentials, login to the Azure portal.   
 * Azure Active Directory > App registrations > New registration.
 
 In the registration form:
+
 * Name - Name your application.
 * Supported account type – leave the default setting.
 * Redirect Uri – leave empty.
 
-### API permission
+##### API permission
+
 On your new application page, click API Permissions > Add permission > APIs my organization uses > type **WindowsDefenderATP** and click on WindowsDefenderATP
 Choose Application permissions, select **Alert.Read.All** AND **TI.ReadWrite.All** AND **Machine.ReadAll** AND **Machine.Isolate** AND **Machine.Scan** > Click on Add permissions.
 
 After clicking the Add Permissions button, on the next screen we need to grant consent for the permission to take effect.
 Press the "Grant admin consent for {your tenant name}" button.
 
 To get client credentials:
+
 * In your application page, Click Certificate & Secrets
 * Specify a key description and set an expiration for 1 year.
 * Click Add and the application key will appear.
 
 **IMPORTANT: Copy and store this key in a safe place. Treat it like a password.**
 
-### Detailed permissions:
-![Permissions](img/thehive_integration.jpg)
+##### Detailed permissions:
+![Permissions](assets/thehive_integration.jpg)
 
 [How to create Azure App (link to MS blog)](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/wdatp-api-hello-world-or-using-a-simple-powershell-script-to/ba-p/326813)
diff --git a/responders/MSDefenderEndpoints/img/thehive_integration.jpg b/responders/MSDefenderEndpoints/img/thehive_integration.jpg