Commit

Merge pull request #144 from RickKotlarz/main
Adding: 'Combined Defender Sentinel plugin' and 'GPT expert analysis plugin'
KwachSean authored Nov 14, 2024
2 parents dc84751 + 588344e commit 9034796
Showing 2 changed files with 241 additions and 0 deletions.
47 changes: 47 additions & 0 deletions Plugins/MSFT_Plugin_Samples/GPT/GPT_based_expert_analysis_v1.yaml
@@ -0,0 +1,47 @@
# Input Examples:
# Input field 1: IBM
# Input field 2: QRadar OCSF
# Input field 3: (copy raw file) https://github.com/ocsf/examples/blob/main/mappings/markdown/IBM/QRadar%20SIEM/samples/offense.ocsf
#
# Plugin updated on 2024-11-07

Descriptor:
Name: GPT Based Expert Analysis v1
DisplayName: GPT Based Expert Analysis v1
Description: This plugin serves as a temporary tool for manually analyzing and evaluating configurations, vulnerabilities, and other sensitive information that are not yet accessible through a dedicated plugin. The analysis focuses on functionality and its potential impact on operations, security, governance, risk, and compliance.

SkillGroups:
- Format: GPT
Skills:
- Name: PerformGPTbasedExpertAnalysis
DisplayName: Perform a GPT based expert analysis
Description: Perform a GPT based expert analysis focused on OPSEC and GRC.
DescriptionForModel: Performs an expert analysis using GPT to assess and evaluate configurations, vulnerabilities, and other sensitive information. The output provides insights into functionality, potential impacts on operational performance, security posture, governance frameworks, risk levels, and compliance requirements.
Inputs:
- Name: personaExpert
Description: Provide a high-level reference to the type of expert persona that you'd like reviewing your data (e.g., Microsoft Azure, Cisco, Palo-Alto, Juniper Networks, IBM, etc.).
DefaultValue: null
Required: true
- Name: productNameOrFormatType
Description: What is the type of data that will be reviewed (e.g., Azure Policy JSON, ASA IOS configuration, Next-Generation Firewall (NGFW) XML, SRX Series Gateway Junos OS configuration, QRadar SIEM Log Event Extended Format (LEEF), OCSF, STIX, JSON, RegEx, etc.)?
DefaultValue: null
Required: true
- Name: productOutput
Description: Paste the data (configuration, rule, vulnerability, etc.), that you would like reviewed.
DefaultValue: null
Required: true
Settings:
ModelName: gpt-4o
Template: |-
Assume the role of an expert {{personaExpert}} engineer, specializing in security, engineering, operations, and risk management. Your task is to critically evaluate the following {{productNameOrFormatType}} output.
For each major element, provide:
1. A concise summary of its function and relevance.
2. A detailed analysis of its potential impacts broken down by operations, security, governance, risk, and compliance.
Additionally:
3. Identify any concerns, vulnerabilities, or security risks, and recommend specific actions or best practices to mitigate these, referencing industry standards and {{personaExpert}} guidelines where relevant.
4. Ensure your review is thorough and offers clear, actionable insights to strengthen operational efficiency, security, governance, risk, and compliance posture."
Data to review starts here: {{productOutput}}
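Review bot: The prompt template (lines 53-60) drops whatever the user pastes into `{{productOutput}}` straight after "Data to review starts here:" with no closing delimiter and no instruction to treat it as data rather than instructions, so a configuration dump or vulnerability export that happens to contain imperative text can redirect the analysis; wrap the pasted data in explicit start/end markers (e.g. `<data>` ... `</data>`) and state in the template that content between the markers must only be analysed, never followed. Also, item 4 of the numbered instructions ends with a stray closing double quote (`posture."`) that has no matching opening quote and will be sent to the model verbatim; remove it. Finally, the Descriptor says the plugin is for "sensitive information", so the Description or a comment should remind users that everything pasted into `productOutput` is sent to the configured model (`gpt-4o`) and should be scrubbed of secrets such as pre-shared keys or hashed credentials embedded in device configs before review.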
@@ -0,0 +1,194 @@
# Spacing matters between parent and child objects. Hitting enter is fine, but tabular spaces will cause errors.
# Plugin updated 2024-11-08

Descriptor:
Name: Combined Defender and Sentinel Example Plugin
DisplayName: Combined Defender and Sentinel example plugin includes both Sentinel and Defender
Description: This combined KQL plugin integrates Defender and Sentinel capabilities, providing multiple configuration examples and detailed comments to guide users. Once configured you can invoke each skill directly or by using example prompts to retrieve high and critical Defender alerts from the past 7 days, fetch sign-in data based on UPN over a customizable time frame, and search Sentinel for all IP addresses a specific user has used to sign-in along with the frequency of each IP.
Icon: https://raw.githubusercontent.com/MicrosoftDocs/architecture-center/refs/heads/main/docs/_images/i-security.svg
# Source: https://github.com/MicrosoftDocs/architecture-center/blob/main/docs/_images/i-security.svg


#############################################################################################
# These settings will be prompted to the end user during plugin installation.
# Reference to values stored within the variables are used by Sentinel KQL queries.
#############################################################################################

Settings:
- Name: TenantId
Description: Your Azure Tenant ID where the Sentinel workspace is in.
HintText: Enter your Azure Tenant ID
SettingType: string
Required: true

- Name: SubscriptionId
Description: Your Azure Subscription ID where the Sentinel workspace is provisioned.
SettingType: string
Required: true
HintText: Enter your Azure Subscription ID.

- Name: WorkspaceName
Description: The name Sentinel workspace that you'd like to reference.
SettingType: string
Required: true
HintText: Enter the Sentinel workspace that you'd like to reference.

- Name: ResourceGroupName
Description: The Resource Group where the Sentinel workspace is provisioned..
SettingType: string
HintText: Enter your Resource Group where the Sentinel workspace is provisioned.
Required: true

#####################################################################################
# The 'SupportedAuthTypes' field set to 'None' is required for the plugin settings
# configuration window to present 'Settings' variable fields to the end user.
#####################################################################################

SupportedAuthTypes:
- None

#####################################################################################
# SkillGroups can be a single type (KQL, GPT, API) or contain a mix
#####################################################################################

SkillGroups:
- Format: KQL
Skills:

#####################################################################################
# Skill format
#####################################################################################
#
# - Name: uniqueSkillName
# DisplayName: Name of the skill that the user will see when manually selecting the skill
# Description: |
# Detailed description that the user will see when manually selecting a skill.
# This area can be multiple lines when using the pipe character after the 'Description' field.
# ExamplePrompts:
# - An example prompt that a user might type to invoke this skill
# - Another example prompt.
# - Make sure you exclude named entities that are meant to change from user input (e.g. IP, username, IoCs, etc.) as these will actually lower skill selection probability.
# Inputs:
# - Name: variableNameYouWantFromTheUserThatIsReferencedInYourKQL
# PlaceholderValue: Description or examples that user will see before filling out this variable. Note this field is displayed to the user.
# Description: Description that the orchestrator will use which includes any situations that explain when this input field should or should not be skipped. For example 'this field should be only used if an IP address is in IPv4 format'. Do not use the 'PlaceholderValue' field if you don't have any specific instructions for the orchestrator. Also this field is not displayed to the user.
# DefaultValue: defaultValue used if the 'Required' field is set to 'False'
# Required: true or false
# Settings:
# Target: Defender, Sentinel, or Log Analytics
# Template: |-
# KQLtableYouAreReferencing
# //KQL comment to help the Orchestrator or users responsible for maintaining the code
# | KQLTable {{variableYouWantFromTheUserThatIsReferencedInYourKQL}}
# | Additional KQL content
# TemplateUrl: https://someDomain.com/template.txt // This can only be used when the 'Template' field is not in use. Using this allows for a single plugin to be deployed, while the KQL template continues to be updated over time.

#######################################################################################
# KQL Example 1 - Defender KQL example with no user input required
# Defender KQL skills do not require configuring the TenantId, SubscriptionId,
# ResourceGroupName, or WorkspaceName but are limited to in their data storage.
#######################################################################################

- Name: GetHighAndCriticalAlertsForTheLast7Days
DisplayName: Get high and critical alerts over the past 7 days
Description: |
Gets all high and critical Microsoft Defender alerts over the past 7 days
ExamplePrompts:
- Get high and critical Defender alerts for the last 7 days
- Get high and critical Microsoft Defender alerts for the last 7 days
- Get high and critical MDE alerts for the last 7 days
- Get high and critical Defender alerts for the last week
- Get high and critical Microsoft Defender alerts for the last week
- Get high and critical MDE alerts for the last week
- Get recent high and critical Defender alerts
- Get recent high and critical Microsoft Defender alerts
- Get recent high and critical MDE alerts
Settings:
Target: Defender
Template: |-
// This KQL query filters the AlertInfo table for high and critical alerts generated in the past 7 days, displaying only the AlertId, Title, and TimeGenerated fields.
AlertInfo
| where Severity in ('High', 'Critical')
| where TimeGenerated > ago(7d)
| project AlertId, Title, TimeGenerated
#######################################################################################
# KQL Example 2 - Sentinel example with user input
# Sentinel KQL skills require configuring the TenantId, SubscriptionId,
# ResourceGroupName, and WorkspaceName. You can do this in-line and hard code
# the data, however a best practice is to simply reference this varable and have
# the user enter it in upon deployment. In the example below the Sentinel
# configuration is entered by the user.
#######################################################################################

- Name: GetSigninData
DisplayName: Get sign-in data over the past n-days
Description: |
Gets Entra sign-in data for a user provided UPN between now and a user suppled day count.
ExamplePrompts:
- Get sign-in data for the last days
- Get login data for the last days
- Get Entra sign-in data for the last days
- Get Entra login data for the last days
Inputs:
- Name: dayRange
PlaceholderValue: The time range for the query (e.g., 1d, 7d)
Description: Time range to perform a KQL query in the format of day number followed by `d`.
DefaultValue: 1d
Required: false
Settings:
#=====================================================================================
# These 'Settings' are required when the 'Target' type uses Sentinel. Variables used
# within the curly brackets are refrences to those within 'Settings' area at the top
# of the plugin (line
#=====================================================================================
Target: Sentinel
TenantId: '{{TenantId}}'
SubscriptionId: '{{SubscriptionId}}'
ResourceGroupName: '{{ResourceGroupName}}'
WorkspaceName: '{{WorkspaceName}}'
#=====================================================================================
Template: |-
// This KQL query retrieves sign-in logs from the SigninLogs table for the past days, summarizing the most recent sign-in for each user by UPN, and then displays only the UPN and LastSignInDate fields.
SigninLogs
| where TimeGenerated >= ago({{dayRange}})
| summarize LastSignInDate=max(TimeGenerated) by UserPrincipalName
| project UserPrincipalName, LastSignInDate

#######################################################################################
# KQL Example 3 - Sentinel example with hard coded configuration
# Sentinel KQL skills require configuring the TenantId, SubscriptionId,
# ResourceGroupName, and WorkspaceName. In this example I've hardcoded
# the Sentinel configuration with sample configuration information.
#######################################################################################

- Name: ShowUserIPinfo
DisplayName: Show user IP addresses
Description: |
Lists unique IP logins for a given user and last login, searches for all IP addresses that a given user has ever used to authenticate, counts the frequency for each IP showing only unique results, and shows the the last time that IP was used.
ExamplePrompts:
- Use Sentinel and show all unique for all IP addresses for this user
- Show the unique IPs for user
- What are the unique IP addresses for user
Inputs:
- Name: UserPrincipalNameYouAreLookingUp
Description: User Principal Name to search for (e.g. [email protected])
Required: true
#=====================================================================================
# The following 'Settings' configuration uses a hardcoded configuration instead of
# those supplied by the user during set up of the plugin. This may be useful when
# creating plugins that require searching different workspaces and resource groups.
#=====================================================================================
Settings:
Target: Sentinel
TenantId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SubscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ResourceGroupName: yourSentinelResourceGroup
WorkspaceName: yourSentinelWorkspace
Template: |-
// This KQL query filters the SigninLogs table for entries associated with a specific user (UserPrincipalNameYouAreLookingUp), then aggregates the data to count the total sign-ins (Count) and determine the most recent sign-in time (LastUsed) for each unique `IPAddress` used by that user, displaying only the `IPAddress`, `Count`, and `LastUsed` fields.
SigninLogs
| where UserPrincipalName == "{{UserPrincipalNameYouAreLookingUp}}"
| summarize Count = count(), LastUsed = max(TimeGenerated) by IPAddress
| project IPAddress, Count, LastUsed
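Review bot: The Defender skill at lines 172-175 filters on `TimeGenerated`, but with `Target: Defender` the query runs against Defender XDR advanced hunting, where the `AlertInfo` table's time column is `Timestamp`; `TimeGenerated` is the Log Analytics column name for the same table once it is ingested into Sentinel, so as written this query will fail to resolve the column. Change both the `where` and the `project` to `Timestamp` (and the comment on line 171 to match). Two further points in this hunk: the user-supplied inputs are substituted as raw text into the KQL, `ago({{dayRange}})` on line 215 and the quoted literal `"{{UserPrincipalNameYouAreLookingUp}}"` on line 252, so a value containing a double quote or additional operators alters the query rather than being treated as a string; the `Description` for `dayRange` states the expected `<n>d` format but nothing enforces it, so either constrain these inputs or note in the Description that the orchestrator must reject values outside the expected shape. Lastly, the `GetSigninData` description on line 188 says it returns sign-ins "for a user provided UPN", but the skill has no UPN input and the query on lines 214-217 summarises the latest sign-in for every UPN in the window; align the description with the query or add the missing input. Minor: the comment on line 204 is cut off mid-sentence at "(line", and lines 151, 188, 229 and 231 carry typos ("limited to in their data storage", "suppled", "the the", "show all unique for all IP addresses").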
